06-14-2005 12:39 AM - edited 03-13-2019 09:27 AM
Hi,
CM 4.1(2)sr2 single Publisher
Please help me get rid of these failed audits for SQLsvc user account under Security logs on event viewer Publisher only.
I tried using adminutility and I even tried manually resetting the SQLSvc password under Local Users and groups, then updating the Services which use SQLSvc and +com DBL under components services Shut and no shut and problem still occurs even after a reboot.
Following failed audit errors for SQLSvc user account we see on the Publisher under security logs in event viewer.
Cheers!
Yavuz
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 6/10/2005
Time: 9:45:26 AM
User: NT AUTHORITY\SYSTEM
Computer: SYDNEYCM01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: SQLSvc
Domain:
Logon Type: 7
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SYDNEYCM01
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 6/10/2005
Time: 9:45:26 AM
User: NT AUTHORITY\SYSTEM
Computer: SYDNEYCM01
Description:
The logon to account: SQLSvc
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: SYDNEYCM01
failed. The error code was: 3221225578
06-14-2005 05:53 AM
From Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;en-us;273499
The error is:
3221225578 C000006A User logon with misspelled or bad password
I do not know how you ran adminutility, but I would run it and then reboot the server.
Are you running any 3rd party applications that might be accessing the database? For clarification, are you running 4.1.2 sr1? Sr2 is not yet available.
06-14-2005 06:20 AM
CM 4.1(2)sr1 standalone Publisher and NO there is no 3rd party application running on this server.
In my initial post message i have mentioned that i've ran the adminutility serveral times from c:\program files\cisco\bin directory under CMD prompt as well as manually trying to reset the SQLSvc password as per doco on CCO this also included a reboot of the server serveral times.
Note: This CM server is not in a domain nor using DNS.
Strange, if i go into Component services then shutdown and start the COM+ application DBL Logon/Logoff for SQLSvc user was a successfull audit. Then if we start to search or access Device, phones, gateways on CCMAdmin page will start to see failed audits.
Any ideas??
-Yavuz
06-14-2005 09:28 AM
Logon Type 7 is Unlock. This event would seem to indicate that you are logged into the console as user SQLSvc, and have attempted to unlock the console with an invalid password.
06-15-2005 12:35 AM
Ok, i noticed that we had Screen saver set to
logon screen saver on CM. I've just set it to NONE ran adminutility update the passwords, reboot the server but still same problem with failed audits. I am certain i have everything configured and set correctly. SQLSvc password is correct Logon locally, Logon to service is also been set correctly.
Is there something else i can try to fix these messages?
-Yavuz
06-19-2005 12:36 AM
Still no luck. Could somebody please help assist me with this issue?
Thanks,
Yavuz
07-03-2005 04:05 PM
Same issue here but I am seeing the EV failure messages on 7 out of 8 4.1(2) CCMs in the cluster. Started after running the adminutility.exe tool to correct a strange auto-registration issue. Fixed that but now I have the annoying EV failure messages. Nothing else seems to be impacted.
07-03-2005 06:59 PM
Ah yes this issue.. I still have'nt been able to fix these cosmetic SQLSvc messages in event viewer. Please could somebody help me ASAP with this problem?
Thanks,
Yavuz
07-04-2005 07:42 AM
I remember something about these security audit failures having to do with the account not being part of the server Local Administrators group when it should be, that somehow that gets changed. I don't have one handy to look at, but maybe the person with the 1 out of 8 not generating the message could check and see if that one has the SQLSvc account in the Local Administrators group, and the others not.
Mary Beth
07-05-2005 04:55 AM
Thanks. The SQLSvc account is part of the local Administrators group on all the CCMs.
Jason
07-05-2005 09:08 AM
I think I found the issue. Look in the latest ISAPIFilter000000XX.txt file, found in C:\program files\cisco\trace\MLA folder, and you will probably see the below entries.
07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc
07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc
07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
The reason it is cosmetic is because you probably have and I definitely have MLA deactivated in CCMAdmin. Anyways, the authentication information in MLA for the SQLSvc account was not updated when the adminutility.exe tool was ran.
Jason
07-05-2005 09:25 PM
Yeah thats the one Jason i am also receiving the same messages under the MLA logs.
07/05/2005 12:15:38.049 |<--Authfilt::enablePowerUser()
07/05/2005 12:15:38.049 |<--Authfilt::IsMLAActivated
07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc Database initialization failed
07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:15:38.049 |<--Authfilt::HttpFilterProc
07/05/2005 12:15:38.267 |-->Authfilt::HttpFilterProc
07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:15:38.267 |-->Authfilt::IsMLAActivated
07/05/2005 12:15:38.267 |-->Authfilt::enablePowerUser()
07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:15:38.267 |<--Authfilt::enablePowerUser()
07/05/2005 12:15:38.267 |<--Authfilt::IsMLAActivated
07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database initialization failed
07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:15:38.267 |<--Authfilt::HttpFilterProc
07/05/2005 12:15:38.283 |-->Authfilt::HttpFilterProc
07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:15:38.283 |-->Authfilt::IsMLAActivated
07/05/2005 12:15:38.283 |-->Authfilt::enablePowerUser()
07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:15:38.283 |<--Authfilt::enablePowerUser()
07/05/2005 12:15:38.283 |<--Authfilt::IsMLAActivated
07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database initialization failed
07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:15:38.283 |<--Authfilt::HttpFilterProc
07/05/2005 12:15:38.486 |-->Authfilt::HttpFilterProc
07/05/2005 12:15:38.486 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB
07/05/2005 12:15:38.486 |-->Authfilt::IsMLAActivated
07/05/2005 12:15:38.486 |-->Authfilt::enablePowerUser()
07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:15:38.486 |<--Authfilt::enablePowerUser()
Plus MLA is deactivated on my server as well. Need to know how we can get around this cosmetic issue. TAC, DE any ideas???
Cheers!
Yavuz
07-05-2005 09:59 PM
Hi Yavuz,
Seems to be you are hitting:
CSCeg00750
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value, the first character on the second, third and fourth string is
replaced by null string character after 4.01, 4.02 installation.
The correct data on that registry value should be the following:
RASSFM KDCSVC scecli synchpwd
Condition:
Fresh or Upgrade to 4.0(1), 4.0(2a), 4.1(1) and 4.1(2) release
Workaround:
Use the regedit to change the registry value to have above data
SQLSVC account cannot read from the windows LSA and this causes that cannot not login into the DB to look at the MLA value thus MLA login would fail.
Please let us know.
-Gonz
07-06-2005 06:10 AM
Hi Gonz,
That registry value is already there. Any other ideas?
Thanks,
Jason
07-06-2005 05:34 PM
Im having the same issue, I found the synchpwd.dll
should I re-register it?
I dont want to mess up things here.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: