SQLSvc failed Audits messages under Event viewer on Publisher

Jun 14th, 2005

Hi,

CM 4.1(2)sr2 single Publisher

Please help me get rid of these failed audits for SQLsvc user account under Security logs on event viewer Publisher only.

I tried using adminutility, and I even tried manually resetting the SQLSvc password under Local Users and Groups, then updating the services which use SQLSvc and the COM+ DBL under Component Services (shut and no shut), and the problem still occurs even after a reboot.

We see the following failed audit errors for the SQLSvc user account on the Publisher under the Security logs in Event Viewer.

Cheers!

Yavuz

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: SQLSvc

Domain:

Logon Type: 7

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: SYDNEYCM01

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 681

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

The logon to account: SQLSvc

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: SYDNEYCM01

failed. The error code was: 3221225578

Steven Smith Tue, 06/14/2005 - 05:53

From Microsoft:

http://support.microsoft.com/default.aspx?scid=kb;en-us;273499

The error is:

3221225578 C000006A User logon with misspelled or bad password

I do not know how you ran adminutility, but I would run it and then reboot the server.

Are you running any 3rd party applications that might be accessing the database? For clarification, are you running 4.1.2 sr1? Sr2 is not yet available.

yavuz_sab Tue, 06/14/2005 - 06:20

CM 4.1(2)sr1 standalone Publisher and NO there is no 3rd party application running on this server.

In my initial post I mentioned that I've run the adminutility several times from the c:\program files\cisco\bin directory under a CMD prompt, as well as manually trying to reset the SQLSvc password as per doco on CCO; this also included a reboot of the server several times.

Note: This CM server is not in a domain nor using DNS.

Strange, if I go into Component Services then shut down and start the COM+ application DBL, Logon/Logoff for the SQLSvc user was a successful audit. Then if we start to search or access devices, phones, gateways on the CCMAdmin page, we will start to see failed audits.

Any ideas??

-Yavuz

yavuz_sab Wed, 06/15/2005 - 00:35

Ok, I noticed that we had the screen saver set to logon screen saver on CM. I've just set it to NONE, ran adminutility, updated the passwords and rebooted the server, but still the same problem with failed audits. I am certain I have everything configured and set correctly. The SQLSvc password is correct; Logon locally and Logon to service have also been set correctly.

Is there something else i can try to fix these messages?

-Yavuz

yavuz_sab Sun, 06/19/2005 - 00:36

Still no luck. Could somebody please help assist me with this issue?

Thanks,

Yavuz

jskeens Sun, 07/03/2005 - 16:05

Same issue here but I am seeing the EV failure messages on 7 out of 8 4.1(2) CCMs in the cluster. Started after running the adminutility.exe tool to correct a strange auto-registration issue. Fixed that but now I have the annoying EV failure messages. Nothing else seems to be impacted.

yavuz_sab Sun, 07/03/2005 - 18:59

Ah yes, this issue. I still haven't been able to fix these cosmetic SQLSvc messages in Event Viewer. Please could somebody help me ASAP with this problem?

Thanks,

Yavuz

maharris Mon, 07/04/2005 - 07:42

I remember something about these security audit failures having to do with the account not being part of the server Local Administrators group when it should be, that somehow that gets changed. I don't have one handy to look at, but maybe the person with the 1 out of 8 not generating the message could check and see if that one has the SQLSvc account in the Local Administrators group, and the others not.

Mary Beth

jskeens Tue, 07/05/2005 - 04:55

Thanks. The SQLSvc account is part of the local Administrators group on all the CCMs.

Jason

jskeens Tue, 07/05/2005 - 09:08

I think I found the issue. Look in the latest ISAPIFilter000000XX.txt file, found in C:\program files\cisco\trace\MLA folder, and you will probably see the below entries.

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

The reason it is cosmetic is because you probably have, and I definitely have, MLA deactivated in CCMAdmin. Anyways, the authentication information in MLA for the SQLSvc account was not updated when the adminutility.exe tool was run.

Jason
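
The codes in this thread line up: Event ID 681 prints the NTSTATUS value in decimal, and the ISAPI filter trace prints the Win32 error returned by LogonUser(). The following Python sketch is an added example, not part of the post or of Cisco's tooling; it decodes the event code and tallies failed LogonUser() calls per account from a constructed trace sample in the format quoted above (function names are illustrative).

```python
import re
from collections import Counter

# Codes that appear in this thread and their standard Windows names.
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE"}
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD"}

# Constructed sample in the format of the ISAPIFilter trace quoted above.
SAMPLE_TRACE = """\
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()
07/05/2005 12:48:14.785 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.785 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.785 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.785 |<--Authfilt::enablePowerUser()
"""

ATTEMPT = re.compile(r"LogonUser\((?P<account>[^,)]+),")
FAILURE = re.compile(r"\*ERROR\* LogonUser\(\) failed, enum=(?P<code>\d+)")

def decode_event_code(decimal_code):
    """Turn the decimal code printed by Event ID 681 into hex NTSTATUS plus name."""
    value = int(decimal_code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS.get(value, "unknown")

def summarize_trace(text):
    """Count failed LogonUser() calls per (account, Win32 error, error name)."""
    failures = Counter()
    pending = None  # account named by the most recent LogonUser(account, ...) line
    for line in text.splitlines():
        failed = FAILURE.search(line)
        if failed:
            code = int(failed.group("code"))
            failures[(pending or "?", code, WIN32_ERRORS.get(code, "unknown"))] += 1
            pending = None
            continue
        attempt = ATTEMPT.search(line)
        if attempt:
            pending = attempt.group("account")
    return failures

if __name__ == "__main__":
    print(decode_event_code("3221225578"))
    for (account, code, name), count in summarize_trace(SAMPLE_TRACE).items():
        print(f"{account}: {count} failed LogonUser() calls, error {code} ({name})")
```

A steady count for one service account from the local host, with no other accounts involved, fits a stale stored credential rather than password guessing.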

yavuz_sab Tue, 07/05/2005 - 21:25

Yeah, that's the one, Jason. I am also receiving the same messages under the MLA logs.

07/05/2005 12:15:38.049 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.049 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.049 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.267 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.267 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.267 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.283 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.283 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.283 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.486 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.486 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.486 |<--Authfilt::enablePowerUser()

Plus MLA is deactivated on my server as well. Need to know how we can get around this cosmetic issue. TAC, DE any ideas???

Cheers!

Yavuz

gogasca Tue, 07/05/2005 - 21:59

Hi Yavuz,

Seems to be you are hitting:

CSCeg00750

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value, the first character on the second, third and fourth string is replaced by null string character after 4.01, 4.02 installation.

The correct data on that registry value should be the following:

RASSFM KDCSVC scecli synchpwd

Condition:

Fresh or Upgrade to 4.0(1), 4.0(2a), 4.1(1) and 4.1(2) release

Workaround:

Use the regedit to change the registry value to have above data

The SQLSVC account cannot read from the Windows LSA, and this means it cannot log in to the DB to look at the MLA value, thus the MLA login would fail.

Please let us know.

-Gonz
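
Why a NUL at the start of an entry matters: Notification Packages is a REG_MULTI_SZ value, and in that format an empty string marks the end of the list, so everything after the first corrupted entry is stranded. The Python sketch below is an added example, not Cisco's code; it assumes the defect described above puts a NUL character in place of the first character of the second to fourth strings in the raw data, and its function names are illustrative.

```python
EXPECTED = ["RASSFM", "KDCSVC", "scecli", "synchpwd"]  # value quoted in the post above

def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ data: UTF-16LE strings, each NUL-terminated, then a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def corrupt_like_bug(strings):
    """Assumed model of the defect: first character of strings 2..n becomes NUL."""
    return [strings[0]] + ["\0" + s[1:] for s in strings[1:]]

def read_list(raw):
    """Read entries per the REG_MULTI_SZ convention: an empty string ends the list."""
    entries = []
    for item in raw.decode("utf-16-le").split("\0"):
        if not item:
            break
        entries.append(item)
    return entries

def audit(raw, expected=EXPECTED):
    """Compare what a reader sees with what the value should contain."""
    visible = read_list(raw)
    fragments = [f for f in raw.decode("utf-16-le").split("\0") if f]
    seen = {v.lower() for v in visible}
    return {
        "visible": visible,
        "stranded": fragments[len(visible):],  # data present but after the terminator
        "missing": [e for e in expected if e.lower() not in seen],
    }

if __name__ == "__main__":
    good = encode_multi_sz(EXPECTED)                    # constructed sample data
    bad = encode_multi_sz(corrupt_like_bug(EXPECTED))   # constructed sample data
    print(audit(good))
    print(audit(bad))
```

On a live server the same check applies to the raw value data exported from the key, since a list view can make a truncated value look populated.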

jskeens Wed, 07/06/2005 - 06:10

Hi Gonz,

That registry value is already there. Any other ideas?

Thanks,

Jason

Justin Pascal Wed, 07/06/2005 - 17:34

I'm having the same issue. I found the synchpwd.dll; should I re-register it?

I don't want to mess up things here.

jskeens Sun, 07/10/2005 - 17:47

I had opened a case w/ TAC. My TAC engineer stated that the MLA DE said adminutility should have changed the SQLSvc password in the MLA service. My TAC engineer and I cannot find the MLA service in Windows or the CCM.

I have found a fix...upgrade. The upgrade to 4.1(3)sr1, actually it was the 4.1(3) step, fixed the issue. I don't believe it was anything in the new code that fixed it. The upgrade was quite large, asked for the cluster private phrase and registered the application. I believe this process was what actually resolved the issue.

Jason

jskeens Sun, 07/10/2005 - 18:04

Below is how things should work. I verified that the correct value was in the registry last week. It does not seem like this piece is operating as designed.

"MLA will make use of the power user account (SQLSvc) created by CallManager for ISAPI/IIS authentication. CCMService also requires the account with administrative privileges for activating/running the CCM services. SQLSvc account is created with admin privileges and hence ISAPI filter can use this account. The password for this account will be stored in the local private store in all the CallManager servers during install. The ISAPI dll will read the password from the local store to use it for IIS authentication. CallManager install will also include a dll (syncpwd.dll) provided by MLA for synchronizing the password changes with the private store. When the power user password changes, this dll will get notified and will update the private store so that the ISAPI dll will get the new password.

An entry has been added to the list of notification packages in the registry.

The registry value is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages will be updated with the entry synchpwd.

CCMAdminUtility.exe (placed under C:\Program Files\Cisco\bin\ ) will be used to change the SQLSvc password."

yavuz_sab Sun, 07/10/2005 - 18:47

Thanks Jason. We are due for an upgrade to 4.1(3) on our Sydney office cluster (problem with failed audits for SQLSvc account).

Was TAC or DE able to provide a bug ID or some sort of documentation stating this issue?

Cheers!

Yavuz

jskeens Sun, 07/10/2005 - 18:56

No they weren't. The DE stated that the adminutility would have changed the SQLSvc password for MLA. The MLA logs say otherwise. I'm still in communication w/ the TAC engineer. He's trying to replicate the issue but can't. Apparently just running the adminutility while MLA is disabled doesn't do it. I've given him a couple more specifics on my configuration. Hopefully he'll be able to recreate the issue. I'll let you know what comes of it.

Are you running CSA, NetIQ and/or McAfee? I had those disabled when running the adminutility. How about URLScan?

Jason

yavuz_sab Sun, 07/10/2005 - 21:29

Thanks Jason,

Yeah, I have no URLScan, CSA, NetIQ, Symantec, McAfee nor any 3rd party application running on my servers apart from Callmanager.

I ran the adminutility.exe file from directory c:\program files\cisco\bin 15 times, even manually resetting the SQLSvc password and updating the services as well as Component Services DBL COM+; the problem is still evident.

Cheers!

-Yavuz

Posted June 14, 2005 at 12:39 AM