Service Account Lockout

  • OK, here is a weird one. For the life of me, I cannot figure this one out.

    We are running SQL Server 2005 Enterprise SP2 and all services are started with a domain account.

    Now, when a user using a SQL login fails to connect 3 times in a short span (5 minutes), the service account (domain based) locks out as well, preventing some of our SQL agent jobs from running. We then have to go into AD to unlock the account.

    I never would have thought that a SQL account could lock out a domain account. BTW, "enforce password policy" for the SQL login is unchecked. Permissions for the SQL account are "grant" permission to connect and the login is "enabled". The SQL account does not have any server roles and is db_owner of a couple of databases.

    Anyone have any suggestions? Is this transcending SQL and going to the OS/Domain lockout settings?

    Thanks.

  • That is strange. We don't hit this issue as all service accounts here are set to not lockout. Not sure if this is an option for you, but if not, watch the thread to see what others think.

  • Steve Newton (6/25/2009)

    That is strange. We don't hit this issue as all service accounts here are set to not lockout. Not sure if this is an option for you, but if not, watch the thread to see what others think.

    Thanks Steve.

    Turns out, the problem was related to the SMTP authentication on the Manage Existing Account dialog under DBMail configuration. We were using the domain account under the basic authentication portion (login@domain.com and password specified correctly) but would fail authentication against the mail server (eventID 680 & 529), even though it has an account on the mail system. It appears that the NTLM authentication package along with the NTLMSSP logon process for some reason on SQL didn't like this configuration. Generating 'x' number of alerts from our db server would try to authenticate against the SMTP server 'x' number of times, and therefore lock out the domain account configured under the basic authentication. These errors make sense since our db server does not have WINS enabled.

    Resolution: We changed the authentication method to "Windows Authentication using Database Engine service credentials" and we seem to be okay.
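The resolution above was applied through the Database Mail GUI. The following T-SQL is an added example, not code from the thread or from the poster: it first lists which Database Mail accounts still store a basic-authentication username (the configuration that, per the thread, repeatedly tried the domain account against the SMTP server and locked it out), then switches one account to "Windows Authentication using Database Engine service credentials" with msdb.dbo.sysmail_update_account_sp. The account name, mail server name and addresses below are placeholders; the example assumes the existing account values are re-supplied on the update call, and that the mail server accepts the service account via integrated authentication as the poster's did.

```sql
USE msdb;
GO

-- 1. Check: which Database Mail accounts use basic authentication with a stored
--    username? Each such account is a place where a domain account can be
--    burned through repeated failed SMTP logons (Security event IDs 680/529).
SELECT
    a.account_id,
    a.name            AS account_name,
    s.servername      AS smtp_server,
    s.port,
    s.username,                      -- non-NULL: basic auth credentials stored
    s.use_default_credentials,       -- 1: Database Engine service credentials
    s.enable_ssl
FROM msdb.dbo.sysmail_account AS a
JOIN msdb.dbo.sysmail_server  AS s ON s.account_id = a.account_id
WHERE s.username IS NOT NULL
   OR s.use_default_credentials = 0;

-- 2. Recent Database Mail failures, useful for matching against the
--    AD lockout time when the same symptom appears again.
SELECT TOP (50) log_date, event_type, description
FROM msdb.dbo.sysmail_event_log
WHERE event_type = 'error'
ORDER BY log_date DESC;

-- 3. Fix: switch the account to Windows Authentication using the Database
--    Engine service credentials. No username/password is stored; SMTP auth
--    uses the SQL Server service account via integrated authentication.
--    Placeholder values: replace with the account's existing settings.
EXEC msdb.dbo.sysmail_update_account_sp
    @account_name           = 'AlertsAccount',          -- placeholder
    @email_address          = 'alerts@example.com',     -- placeholder
    @display_name           = 'SQL Server Alerts',      -- placeholder
    @replyto_address        = NULL,
    @description            = 'Alerts via service credentials',
    @mailserver_name        = 'smtp.example.com',       -- placeholder
    @mailserver_type        = 'SMTP',
    @port                   = 25,
    @username               = NULL,                     -- clear basic auth
    @password               = NULL,
    @use_default_credentials = 1,                       -- service credentials
    @enable_ssl             = 0;

-- 4. Confirm: the account should now show username NULL and
--    use_default_credentials = 1.
EXEC msdb.dbo.sysmail_help_account_sp @account_name = 'AlertsAccount';
```

The check in step 1 is the one to run after any Database Mail change, since a lockout that is triggered from SMTP authentication shows up in the Windows Security log on the SQL Server host rather than in the SQL Server error log, and is easy to misattribute to failed SQL logins as happened here.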
