domain\server$
Posted Monday, September 23, 2013 12:34 PM
Hi, SQL Server log shows several login failures from the login "domain\server$". What does that mean? I read somewhere that it means that the remote machine is using "network service" to run the service which is connecting to SQL Server. I don't understand what that means and if I need to change something or if the app team needs to make a change.

Does the $ on the end indicate a system created object in AD?

Thanks for reading.
Post #1497499
Posted Monday, September 23, 2013 9:37 PM
First - AD accounts that end in $ are accounts that are created when a server or workstation is added to the domain. The name of the account is the same as the server name suffixed with $.

So, yes, network service is the likely reason. As for whether anything needs to be changed - well, that is entirely up to you and your organisation. It may be correct for the service to be using this account. Personally, I prefer to create specific accounts that can be given the minimum set of privileges for a particular function/application - this limits the potential for problems if there are any security breaches. This is the reason that you have proxies available within SQL Server Agent.



Post #1497635
Posted Tuesday, September 24, 2013 2:19 PM
Thanks happycat. I'm going to advise the application team to use a service account instead.
Post #1498036
Posted Wednesday, September 25, 2013 7:13 AM
happycat59 (9/23/2013)
So, yes, network service is the likely reason.


Just to note here--the built-in LocalSystem account also authenticates as the computer on the network, so would also be connecting with DOMAIN\SERVER$ credentials; people often forget that one because they think from the name that account only has local access, which is not the case. The LocalService account (which I think was added in Windows 2008) presents anonymous credentials on the network, so behaves more like people think LocalSystem does.
Post #1498337
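
Added example, not part of the thread or written by any of its posters: a small triage script that picks failed logins from computer accounts (names ending in `$`) out of SQL Server error log text and groups them by client address, so the DBA can tell the application team which host's service is connecting as the machine. The log lines, the `CORP` domain, the host names and the addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual SQL Server ERRORLOG layout (not taken from the thread).
SAMPLE_LOG = r"""
2013-09-23 12:01:07.45 Logon       Error: 18456, Severity: 14, State: 5.
2013-09-23 12:01:07.45 Logon       Login failed for user 'CORP\APPSRV01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.21]
2013-09-23 12:03:10.02 Logon       Login failed for user 'CORP\APPSRV01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.21]
2013-09-23 12:04:55.90 Logon       Login failed for user 'app_reader'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.50]
2013-09-23 12:06:31.11 Logon       Login failed for user 'CORP\WEB02$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.34]
2013-09-23 12:07:00.00 spid52      Starting up database 'Sales'.
"""

LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<login>[^']*)'\."
    r"(?:\s+Reason:\s+(?P<reason>.*?))?\s*\[CLIENT:\s*(?P<client>[^\]]+)\]"
)

def is_machine_account(login):
    """True for DOMAIN\\NAME$ logins. Managed service accounts also end in $."""
    domain, sep, name = login.partition("\\")
    return bool(sep) and bool(domain) and len(name) > 1 and name.endswith("$")

def machine_account_failures(log_text):
    """Count failed logins per (machine account, client address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m and is_machine_account(m.group("login")):
            counts[(m.group("login"), m.group("client").strip())] += 1
    return counts

def report(log_text):
    """One line per account/client pair, most frequent first."""
    rows = []
    for (login, client), n in machine_account_failures(log_text).most_common():
        host = login.split("\\", 1)[1][:-1]  # strip the trailing $
        rows.append(
            f"{login} from {client}: {n} failure(s); "
            f"look for services on {host} running as NetworkService or LocalSystem"
        )
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```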