Login failed for user 'NT AUTHORITY\SYSTEM', Very strange

  • stupid.brain

    Old Hand

    Points: 374

    I get hundreds of these messages in my SQL Server logs every day (Exactly every 15 minutes).

    The messages have a sev 14 and a state 16, I have been searching the web for answers, but have drawn a blank thus far.

    One suggestion was to run a SQL Profiler trace.

    I did this and found that the ApplicationName is 'Microsoft Windows Script Host', but when I checked the Task Manager on the server, the ClientProcessID specified in the Profiler trace does not appear in the list of PIDs.

    I have also checked my Logins, and NT AUTHORITY\SYSTEM is present and enabled, and it has a server role of 'sysadmin', so I cannot see why the login would not be able to access any of the databases.

    Also, I have checked all jobs for any blank DB name (as a suggested solution), but I found nothing.

    Any help in tracking this down would be greatly appreciated.

  • Rechana Rajan

    SSCertifiable

    Points: 7656

    Some application must be using that login with a wrong password.

    When did you start to get these errors?

    Have you changed the password for that login in recent times?

  • stupid.brain

    Old Hand

    Points: 374

    It seems like a very old error, more than 3 months. The strange thing is that it executes every 15 minutes exactly, all 24 hours; that's why I don't think it is an application.

    Also, I don't remember touching 'NT AUTHORITY\SYSTEM', it does not have a password when I checked it.

    I am really stuck here and I don't know what to do, here is one line from the trace file

    Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: "OUR SERVER IP"] NULL 1 NULL NULL SYSTEM NT AUTHORITY SQL-SERVER2 5796 Microsoft (r) Windows Script Host NT AUTHORITY\SYSTEM 226 NULL 2012-03-11 12:48:42.133 NULL NULL NULL NULL NULL NULL 1 NULL 0 NULL NULL SQL-SERVER2 20 NULL NULL NULL 18456 NULL NULL NULL master NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 0 NULL 4021253 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NT AUTHORITY\SYSTEM NULL

    Thanks for helping

  • anthony.green

    SSC Guru

    Points: 112212

    Run a Profiler trace on the server/instance in question.

    Select the blank template from the templates section on the first screen, then select all the events for the audit login failure event under security audit.

    Then you should be able to get the host and program which is trying to log in unsuccessfully so you can trace it back.

    Also, is the environment hosted by a 3rd party, and is it a managed service from the 3rd party? Just ran into an issue with our production cluster, which is hosted in the US by a 3rd party, getting this error all the time.

    To follow on from this, state 16 means that the login cannot access the database. You say it has sysadmin access, which will either mean that the database it's trying to connect to has been dropped or is in an offline state and is not accessible.



    How to post data/code for the best help - Jeff Moden
    Need a string splitter, try this - Jeff Moden
    How to post performance problems - Gail Shaw
    Managing Transaction Logs - Gail Shaw
    Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger
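
A complement to the Profiler trace suggested above, as an added example that is not part of any post in this thread: it reads the failed-login entries for NT AUTHORITY\SYSTEM from the current error log, shows how regular they are, and checks the state of each database named in a "Failed to open the explicitly specified database" message. The temp table and column aliases are names chosen for this example.

```sql
-- Added example: triage repeating 18456 failures for NT AUTHORITY\SYSTEM
-- from the SQL Server error log. Table and alias names are illustrative.
CREATE TABLE #failed_logins (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    LogText     nvarchar(4000)
);

-- sp_readerrorlog arguments: 0 = current log, 1 = SQL Server error log,
-- then two search strings that must both appear in the entry.
INSERT INTO #failed_logins (LogDate, ProcessInfo, LogText)
EXEC sp_readerrorlog 0, 1, N'Login failed for user', N'NT AUTHORITY\SYSTEM';

-- 1) How often does each distinct message occur, and how regular is it?
--    A scheduled caller shows an average gap close to its polling interval.
SELECT LogText,
       COUNT(*)     AS attempts,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen,
       DATEDIFF(MINUTE, MIN(LogDate), MAX(LogDate))
           / NULLIF(COUNT(*) - 1, 0) AS avg_gap_minutes
FROM #failed_logins
GROUP BY LogText
ORDER BY attempts DESC;

-- 2) For messages that name a database, pull the name out of the text and
--    look up its current state. A NULL state_desc means no database with
--    that name exists any more; OFFLINE or RESTORING explains the failure.
SELECT x.target_db,
       d.state_desc,
       d.user_access_desc,
       COUNT(*) AS attempts
FROM #failed_logins AS f
CROSS APPLY (SELECT CHARINDEX(N'database ''', f.LogText) AS p) AS m
CROSS APPLY (SELECT CASE WHEN m.p > 0
                         THEN SUBSTRING(f.LogText, m.p + 10,
                                  CHARINDEX(N'''', f.LogText, m.p + 10) - (m.p + 10))
                    END AS target_db) AS x
LEFT JOIN sys.databases AS d
       ON d.name COLLATE DATABASE_DEFAULT = x.target_db COLLATE DATABASE_DEFAULT
WHERE x.target_db IS NOT NULL
GROUP BY x.target_db, d.state_desc, d.user_access_desc
ORDER BY attempts DESC;

DROP TABLE #failed_logins;
```

The error log does not record the application name or client process ID, so the trace is still needed to identify the calling program.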

  • andersson_par

    SSC-Addicted

    Points: 491

    Have exactly the same problem... every 15 minutes 24/7.

    Filling the log with this:

    Error: 18456, Severity: 14, State: 38.

    Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'DATABASE_NAME'. [CLIENT: xxx.xx.xx.xx]

    for every database in the server... Which is drowning the log, making it hard to find the useful messages...

    Looks like it started after patching the server...

    This is the current version:

    Microsoft SQL Server 2012 - 11.0.2383.0 (X64)

    Oct 5 2012 19:35:54

    Copyright (c) Microsoft Corporation

    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)

    What internal function in SQL Server has this behavior?

    /Par

  • anthony.green

    SSC Guru

    Points: 112212

    Anything which tries to login as NT AUTHORITY\SYSTEM.

    Have you tracked the source of the connection and tried to see what is logging in as the account?




  • andersson_par

    SSC-Addicted

    Points: 491

    The call is coming from the same server as the SQL server and the application is "Microsoft ® Windows Script Host".

    Example from the trace:

    eventclass:Audit Login Failed

    textdata:Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'PR_STAGE'. [CLIENT: 999.99.999.17]

    hostname:SERVER17

    ntusername:SYSTEM

    ntdomainname:NT AUTHORITY

    clientprocessid:7192

    application:Microsoft ® Windows Script Host

    loginname:NT AUTHORITY\SYSTEM

    spid:69

    starttime:2013-02-05 00:05:10.257

    error:18456

  • anthony.green

    SSC Guru

    Points: 112212

    Check what can spawn the service on the local machine and what it is actually trying to do.




  • andersson_par

    SSC-Addicted

    Points: 491

    So, what you mean is that I should find the cause, correct it and by doing so solve the problem?

    I was thinking along those lines myself. 😉

  • Sean Pearce

    SSCoach

    Points: 15750

    -- List SQL Agent jobs owned by NT AUTHORITY\SYSTEM
    SELECT
        SUSER_SNAME(owner_sid),
        *
    FROM
        msdb..sysjobs
    WHERE
        SUSER_SNAME(owner_sid) = 'NT AUTHORITY\SYSTEM'

    The SQL Guy @ blogspot

    @SeanPearceSQL

    About Me

  • andersson_par

    SSC-Addicted

    Points: 491

    Thanks, but no jobs owned by 'NT AUTHORITY\SYSTEM' just 'NT SERVICE\SQLSERVERAGENT' owned ones.

    I did a SQL Profiler trace (Audit) and see a lot of these kinds of queries, issued by NT AUTHORITY\SYSTEM via the Windows Script Host, going on at the time of the login failures:

    SELECT
        d.name
        , d.database_id
        , CASE WHEN d.replica_id IS NULL THEN 0 ELSE 1 END AS is_replica
        , ar.secondary_role_allow_connections
    FROM sys.databases d
    JOIN sys.availability_replicas ar on d.replica_id = ar.replica_id
    JOIN sys.servers s ON s.name = ar.replica_server_name AND s.server_id = 0 /*local server*/
    WHERE d.database_id = 18

    What is this?

    High Availability? We got it disabled...

    Replication? We got it disabled...

    Hmm.

  • rao.vikram.net

    SSC Journeyman

    Points: 93

    I have faced a similar issue. All I did was modify the 'connection string' configuration. Instead of '.....;user id=sa;...', try replacing it with '.....;uid=sa;...'. As for the reason, I don't know why! It may work.

    Let me know if it works!

  • Prudhviraj

    SSC Veteran

    Points: 262

    Well, I have had the same issue. And the log is generated every 15 min saying that the database could not connect to the SQL Server database.

    Granting sysadmin access to NT AUTHORITY\SYSTEM should in fact solve the issue. But it's stupid to do so without actually knowing what application or script (in my case the call is coming from cscript.exe - which can be any automated VB or Java script) is actually trying to access the server data.

    For now I have no further information - I'm still investigating the issue. If you find any clue, let me know.

  • SQLSlack3r

    Old Hand

    Points: 328

    I was seeing this on one of our servers, I looked at the Services running and ran profiler and came up with the same things like: generic queries where NT AUTHORITY\SYSTEM was trying to run things like:

    SELECT size / 128.0 as fileSize,
        FILEPROPERTY(name, 'SpaceUsed') / 128.0 as fileUsed,
        CASE WHEN max_size = -1 OR max_size = 268435456 THEN -1 ELSE max_size / 128 END as fileMaxSize,
        CASE WHEN growth = 0 THEN 0 ELSE 1 END as IsAutoGrow,
        is_percent_growth as isPercentGrowth,
        growth as fileGrowth,
        physical_name
    FROM sys.master_files WITH (NOLOCK)
    WHERE type = 0 AND is_read_only = 0 AND data_space_id = 1
    AND database_id = 4

    Turns out System Center Operations Manager Agent was running HealthService.exe as Local System.

    MCSA SQL 2014

  • andersson_par

    SSC-Addicted

    Points: 491

    SCOM it is!

    To make this work, use a service account to run the SCOM agent service with this:

    Member of "Performance Monitor Users" local group

    Member of "Event Log Readers" local group if OS is Windows 2008 or Windows 2008 R2

    Member of "Distributed COM Users" local group if SQL Server is running in a clustered configuration

    Full access to Cluster if SQL Server is running in a clustered configuration

    Permission to Log On Locally

    SQL permission to VIEW ANY DEFINITION

    SQL permission to VIEW SERVER STATE

    SQL permission to login in each database including system databases

    Member of "SQLAgentReaderRole" in msdb database
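
The SQL Server items from the list above as a T-SQL script. This is an added example, not code from the thread or from the SCOM documentation; the account name CONTOSO\svc-scom-agent is a hypothetical placeholder, and the Windows group memberships, cluster access and logon right in the list are configured outside SQL Server.

```sql
-- Added example: SQL-side permissions for a dedicated monitoring-agent
-- service account, instead of running the agent as Local System.
-- CONTOSO\svc-scom-agent is a hypothetical account name.
USE master;   -- server-level permissions must be granted from master

DECLARE @login sysname       = N'CONTOSO\svc-scom-agent';
DECLARE @q     nvarchar(258) = QUOTENAME(@login);
DECLARE @db    sysname;
DECLARE @sql   nvarchar(max);

-- Windows login, created only if it does not exist yet
IF SUSER_ID(@login) IS NULL
BEGIN
    SET @sql = N'CREATE LOGIN ' + @q + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Read-only server-level permissions from the list; no sysadmin
SET @sql = N'GRANT VIEW ANY DEFINITION TO ' + @q + N';
             GRANT VIEW SERVER STATE  TO ' + @q + N';';
EXEC sys.sp_executesql @sql;

-- A user in every online, writable database (system databases included),
-- with no role membership. tempdb is rebuilt from model at startup, so the
-- user created in model carries over to it after a restart.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND is_read_only = 0;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF DATABASE_PRINCIPAL_ID(@name) IS NULL
            CREATE USER ' + @q + N' FOR LOGIN ' + @q + N';';
    EXEC sys.sp_executesql @sql, N'@name sysname', @name = @login;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Read access to SQL Agent job metadata in msdb
USE msdb;
EXEC sp_addrolemember N'SQLAgentReaderRole', @login;
```

Databases created later need the same user added, unless it was created in model first.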
