domain\server$
Posted Monday, September 23, 2013 12:34 PM
Old Hand
Hi, SQL Server log shows several login failures from the login "domain\server$". What does that mean? I read somewhere that it means that the remote machine is using "network service" to run the service which is connecting to SQL Server. I don't understand what that means and if I need to change something or if the app team needs to make a change.

Does the $ on the end indicate a system created object in AD?

Thanks for reading.
Post #1497499
Posted Monday, September 23, 2013 9:37 PM
Hall of Fame
First - AD accounts that end in $ are accounts that are created when a server or workstation is added to the domain. The name of the account is the same as the server name suffixed with $.

So, yes, network service is the likely reason. As for whether anything needs to be changed - well, that is entirely up to you and your organisation. It may be correct for the service to be using this account. Personally, I prefer to create specific accounts that can be given the minimum set of privileges for a particular function/application - this limits the potential for problems if there are any security breaches. This is the reason that you have proxies available within SQL Server Agent.



Post #1497635
Posted Tuesday, September 24, 2013 2:19 PM
Old Hand
Thanks happycat. I'm going to advise the application team to use a service account instead.
Post #1498036
Posted Wednesday, September 25, 2013 7:13 AM
SSCommitted
happycat59 (9/23/2013)
So, yes, network service is the likely reason.


Just to note here--the built-in LocalSystem account also authenticates as the computer on the network, so would also be connecting with DOMAIN\SERVER$ credentials; people often forget that one because they think from the name that account only has local access, which is not the case. The LocalService account (which I think was added in Windows 2008) presents anonymous credentials on the network, so behaves more like people think LocalSystem does.
Post #1498337
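Added example, not part of the thread: one way to triage the failures discussed above is to pull the failed-login lines from the SQL Server error log and group the computer-account ones (names ending in `$`) by account and client address, which shows which host's service is connecting as the machine. The log lines, the `CONTOSO` domain, and the host names are constructed sample data, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the SQL Server error log layout (not from the thread).
SAMPLE_LOG = r"""
2013-09-23 12:01:15.43 Logon       Error: 18456, Severity: 14, State: 5.
2013-09-23 12:01:15.43 Logon       Login failed for user 'CONTOSO\APPSRV01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.21]
2013-09-23 12:01:45.10 Logon       Error: 18456, Severity: 14, State: 5.
2013-09-23 12:01:45.10 Logon       Login failed for user 'CONTOSO\APPSRV01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.21]
2013-09-23 12:03:02.77 Logon       Error: 18456, Severity: 14, State: 8.
2013-09-23 12:03:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.99]
2013-09-23 12:04:11.02 Logon       Login failed for user 'CONTOSO\svc_app'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.22]
2013-09-23 12:05:30.58 Logon       Login failed for user 'CONTOSO\WEB02$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.30]
"""

FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']+)'\.\s*"
    r"(?:Reason: (?P<reason>.*?)\s*)?\[CLIENT: (?P<client>[^\]]+)\]"
)

def machine_account_failures(log_text):
    """Count failed logins per (account, client) for computer accounts only."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        domain, sep, name = m.group("user").partition("\\")
        # A computer account is a domain login whose name part ends in '$'.
        if sep and name.endswith("$"):
            hits[(m.group("user").upper(), m.group("client"))] += 1
    return hits

def report(log_text):
    """Return one readable line per account/client pair, busiest first."""
    out = []
    for (account, client), n in machine_account_failures(log_text).most_common():
        host = account.split("\\", 1)[1].rstrip("$")
        out.append(f"{account}: {n} failed login(s) from {client}; "
                   f"check services on {host} running as Network Service or LocalSystem")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
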