SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Login failed for user 'NT AUTHORITY\SYSTEM', Very straing


Login failed for user 'NT AUTHORITY\SYSTEM', Very straing

Author
Message
stupid.brain
stupid.brain
Grasshopper
Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)

Group: General Forum Members
Points: 20 Visits: 79
I get hundreds of these messages in my SQL Server logs every day (Exactly every 15 minutes).
The messages have a sev 14 and a state 16, I have been searching the web for answers, but have drawn a blank thus far.

One suggestion was to run a SQL Profiler trace.
I did this and found that the ApplicationName is 'Microsoft Windows Script Host', but when I checked the Task Manager on the server, the ClientProcessID specified in the Profiler trace does not appear in the list of PIDs.

I have also checked my Logins, and NT AUTHORITY\SYSTEM is present and enabled, and it has a server role of 'sysadmin', so I cannot see why the login would not be able to access any of the databases.

Also, I have checked all Jobs to check any blank DB name (As a suggested solution) But I found nothing.

Any help in tracking this down would be greatly appreciated.
Rechana Rajan
Rechana Rajan
Right there with Babe
Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)Right there with Babe (773 reputation)

Group: General Forum Members
Points: 773 Visits: 609
Some application must be using that login with a wrong password.

When you started to get these errors?
Have to changed the password for that login in recent times?
stupid.brain
stupid.brain
Grasshopper
Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)Grasshopper (20 reputation)

Group: General Forum Members
Points: 20 Visits: 79
It seems like a very old error more than 3 months, the strange thing that it execute every 15 minutes exactly all 24 hours, thats why I don't think it is an application.

Also, I don't remember touching 'NT AUTHORITY\SYSTEM', it does not have a password when I checked it.

I am really stuck here and I don't know what to do, here is one line from the trace file

Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: "OUR SERVER IP"] NULL 1 NULL NULL SYSTEM NT AUTHORITY SQL-SERVER2 5796 Microsoft (r) Windows Script Host NT AUTHORITY\SYSTEM 226 NULL 2012-03-11 12:48:42.133 NULL NULL NULL NULL NULL NULL 1 NULL 0 NULL NULL SQL-SERVER2 20 NULL NULL NULL 18456 NULL NULL NULL master NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 0 NULL 4021253 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NT AUTHORITY\SYSTEM NULL

Thanks for helping
anthony.green
anthony.green
SSChampion
SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)

Group: General Forum Members
Points: 10090 Visits: 6336
run a profile trace on the server/instance in question

select the blank template from the templates section on the first screen, then select all the events for the audit login failure event under security audit.

then you should be able to get the host and program which is trying to login unsuccessfully so you can trace it back.

also is the environment hosted by a 3rd party and is it a managed service from the 3rd party? just run into an issue with our production cluster which is hosted in the US by a 3rd party getting this error all the time.

to follow on from this, state 16 means that the login cannot access the database, you say it has sysadmin access which will either mean that the database its trying to connect to has been dropped or is in an offline state and is not accessable



Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
When a question, really isn't a question - Jeff Smith
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger


andersson_par
andersson_par
SSC Rookie
SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)

Group: General Forum Members
Points: 39 Visits: 34
Have exactly the same problem... every 15 minutes 24/7.
Filling the log with this:
Error: 18456, Severity: 14, State: 38.
Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'DATABASE_NAME'. [CLIENT: xxx.xx.xx.xx]

for every database in the server... Which is drowning the log, making it hard to find the useful messages...

Looks like it started after patching the server...

This is the current version:
Microsoft SQL Server 2012 - 11.0.2383.0 (X64)
Oct 5 2012 19:35:54
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)



What internal function in SQL Server has this behavior?


/Par
anthony.green
anthony.green
SSChampion
SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)

Group: General Forum Members
Points: 10090 Visits: 6336
Anything which tries to login as NT AUTHORITY\SYSTEM.

Have you tracked the source of the connection and tried to see what is logging in as the account?



Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
When a question, really isn't a question - Jeff Smith
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger


andersson_par
andersson_par
SSC Rookie
SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)

Group: General Forum Members
Points: 39 Visits: 34
The call is coming from the same server as the SQL server and the application is "Microsoft ® Windows Script Host".



Example from the trace:
eventclass:Audit Login Failed
textdata:Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'PR_STAGE'. [CLIENT: 999.99.999.17]
hostname:SERVER17
ntusername:SYSTEM
ntdomainname:NT AUTHORITY
clientprocessid:7192
application:Microsoft ® Windows Script Host
loginname:NT AUTHORITY\SYSTEM
spid:69
starttime:2013-02-05 00:05:10.257
error:18456
anthony.green
anthony.green
SSChampion
SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)

Group: General Forum Members
Points: 10090 Visits: 6336
check what can spawn the service on the local machine and what it is actually trying to do.



Want an answer fast? Try here
How to post data/code for the best help - Jeff Moden
When a question, really isn't a question - Jeff Smith
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
CrossTabs-Part1 & Part2 - Jeff Moden
SQL Server Backup, Integrity Check, and Index and Statistics Maintenance - Ola Hallengren
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger


andersson_par
andersson_par
SSC Rookie
SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)SSC Rookie (39 reputation)

Group: General Forum Members
Points: 39 Visits: 34
So, what you mean is that I should find the cause, correct it and by doing so solve the problem?
I was thinking along those lines myself. ;-)
Sean Pearce
Sean Pearce
SSCommitted
SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)SSCommitted (1.8K reputation)

Group: General Forum Members
Points: 1774 Visits: 3432
SELECT
SUSER_SNAME(owner_sid),
*
FROM
msdb..sysjobs
WHERE
SUSER_SNAME(owner_sid) = 'NT AUTHORITY\SYSTEM'





The SQL Guy @ blogspot

@SeanPearceSQL

About Me
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search