SQLSvc failed Audits messages under Event viewer on Publisher

yavuz_sab
Level 1

Hi,

CM 4.1(2)sr2 single Publisher

Please help me get rid of these failed audits for SQLsvc user account under Security logs on event viewer Publisher only.

I tried using adminutility and I even tried manually resetting the SQLSvc password under Local Users and Groups, then updating the services which use SQLSvc and the COM+ DBL application under Component Services (shut and no shut), and the problem still occurs even after a reboot.

Following failed audit errors for SQLSvc user account we see on the Publisher under security logs in event viewer.

Cheers!

Yavuz

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: SQLSvc

Domain:

Logon Type: 7

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: SYDNEYCM01

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 681

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

The logon to account: SQLSvc

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: SYDNEYCM01

failed. The error code was: 3221225578


Steven Smith
Level 7

From Microsoft:

http://support.microsoft.com/default.aspx?scid=kb;en-us;273499

The error is:

3221225578 C000006A User logon with misspelled or bad password

I do not know how you ran adminutility, but I would run it and then reboot the server.

Are you running any 3rd party applications that might be accessing the database? For clarification, are you running 4.1.2 sr1? Sr2 is not yet available.

CM 4.1(2)sr1 standalone Publisher and NO there is no 3rd party application running on this server.

In my initial post I mentioned that I've run the adminutility several times from the c:\program files\cisco\bin directory under the CMD prompt, as well as manually trying to reset the SQLSvc password as per the doco on CCO. This also included a reboot of the server several times.

Note: This CM server is not in a domain nor using DNS.

Strange: if I go into Component Services, then shut down and start the COM+ application DBL, Logon/Logoff for the SQLSvc user was a successful audit. Then if we start to search or access devices, phones, gateways on the CCMAdmin page, we will start to see failed audits.

Any ideas??

-Yavuz

CCampbell_2
Level 1

Logon Type 7 is Unlock. This event would seem to indicate that you are logged into the console as user SQLSvc, and have attempted to unlock the console with an invalid password.

http://www.windowsecurity.com/articles/Logon-Types.html

OK, I noticed that we had the screen saver set to logon screen saver on CM. I've just set it to NONE, ran adminutility, updated the passwords, rebooted the server, but still the same problem with failed audits. I am certain I have everything configured and set correctly. The SQLSvc password is correct; Logon locally and Logon to service have also been set correctly.

Is there something else i can try to fix these messages?

-Yavuz

Still no luck. Could somebody please help assist me with this issue?

Thanks,

Yavuz

Same issue here but I am seeing the EV failure messages on 7 out of 8 4.1(2) CCMs in the cluster. Started after running the adminutility.exe tool to correct a strange auto-registration issue. Fixed that but now I have the annoying EV failure messages. Nothing else seems to be impacted.

Ah yes, this issue. I still haven't been able to fix these cosmetic SQLSvc messages in Event Viewer. Please could somebody help me ASAP with this problem?

Thanks,

Yavuz

I remember something about these security audit failures having to do with the account not being part of the server Local Administrators group when it should be, that somehow that gets changed. I don't have one handy to look at, but maybe the person with the 1 out of 8 not generating the message could check and see if that one has the SQLSvc account in the Local Administrators group, and the others not.

Mary Beth

Thanks. The SQLSvc account is part of the local Administrators group on all the CCMs.

Jason

I think I found the issue. Look in the latest ISAPIFilter000000XX.txt file, found in C:\program files\cisco\trace\MLA folder, and you will probably see the below entries.

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

The reason it is cosmetic is because you probably have, and I definitely have, MLA deactivated in CCMAdmin. Anyways, the authentication information in MLA for the SQLSvc account was not updated when the adminutility.exe tool was run.

Jason
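Added example (not part of the original thread and not Cisco code): a short Python triage script that decodes the event 681 error code quoted earlier and counts the failed LogonUser calls in an MLA trace. The sample trace is constructed in the format shown above; the function names are hypothetical.

```python
import re
from collections import Counter

# Codes that appear in this thread, with their standard Windows names.
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD"}
WIN32 = {1326: "ERROR_LOGON_FAILURE"}

# Constructed sample in the ISAPIFilter trace format quoted above.
SAMPLE_TRACE = """\
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()
07/05/2005 12:48:15.101 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:15.101 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:15.101 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:15.101 |<--Authfilt::enablePowerUser()
"""

CALL = re.compile(r"LogonUser\((?P<user>\w+),")          # the attempt, with account name
FAIL = re.compile(r"LogonUser\(\) failed, enum=(?P<code>\d+)")  # the result line

def event_status(decimal_code):
    """Turn the decimal code from event 681 into (hex NTSTATUS, name)."""
    value = int(decimal_code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS.get(value, "unknown")

def logon_failures(trace_text):
    """Count (account, Win32 error name) pairs for failed LogonUser calls."""
    counts = Counter()
    pending_user = None
    for line in trace_text.splitlines():
        call = CALL.search(line)
        if call:
            pending_user = call.group("user")  # remember who the next failure belongs to
            continue
        fail = FAIL.search(line)
        if fail and pending_user is not None:
            code = int(fail.group("code"))
            counts[(pending_user, WIN32.get(code, str(code)))] += 1
            pending_user = None
    return counts

if __name__ == "__main__":
    print(event_status("3221225578"))
    for (user, err), n in logon_failures(SAMPLE_TRACE).items():
        print(f"{user}: {n} x {err}")
```

Matching timestamps between these trace failures and the 529/681 entries in the Security log ties the audit noise to the MLA filter rather than to an interactive logon.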

Yeah, that's the one, Jason. I am also receiving the same messages under the MLA logs.

07/05/2005 12:15:38.049 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.049 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.049 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.267 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.267 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.267 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.283 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.283 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.283 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.486 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.486 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.486 |<--Authfilt::enablePowerUser()

Plus MLA is deactivated on my server as well. Need to know how we can get around this cosmetic issue. TAC, DE any ideas???

Cheers!

Yavuz

Hi Yavuz,

Seems to be you are hitting:

CSCeg00750

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value, the first character on the second, third and fourth string is replaced by null string character after 4.01, 4.02 installation.

The correct data on that registry value should be the following:

RASSFM KDCSVC scecli synchpwd

Condition:

Fresh or Upgrade to 4.0(1), 4.0(2a), 4.1(1) and 4.1(2) release

Workaround:

Use the regedit to change the registry value to have above data

The SQLSVC account cannot read from the Windows LSA, and as a result it cannot log in to the DB to look at the MLA value, thus MLA login would fail.

Please let us know.

-Gonz
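Added example (not part of the original thread and not Cisco code): a Python check of raw Notification Packages data against the value given above. It assumes the raw REG_MULTI_SZ bytes have already been exported from the registry; the corrupt sample is constructed and the function names are hypothetical.

```python
# Expected strings, taken from the value given in the post above.
EXPECTED = ["RASSFM", "KDCSVC", "scecli", "synchpwd"]

def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def as_seen_by_readers(raw):
    """A REG_MULTI_SZ list ends at the first empty string, so parsing stops there."""
    out = []
    for s in raw.decode("utf-16-le").split("\0"):
        if s == "":
            break
        out.append(s)
    return out

def check_notification_packages(raw):
    """Return (ok, visible, findings) for a raw Notification Packages value."""
    visible = as_seen_by_readers(raw)
    findings = []
    missing = [p for p in EXPECTED if p not in visible]
    if missing:
        findings.append("not visible to readers: " + ", ".join(missing))
    # Fragments stranded after the early terminator show what was overwritten.
    leftovers = [s for s in raw.decode("utf-16-le").split("\0") if s and s not in visible]
    for frag in leftovers:
        match = [p for p in EXPECTED if p[1:] == frag]
        if match:
            findings.append(f"'{frag}' looks like '{match[0]}' with its first character nulled")
    return (not findings, visible, findings)

# Constructed sample: first character of strings 2-4 replaced by NUL,
# as the defect description states.
CORRUPT = "RASSFM\0\0DCSVC\0\0cecli\0\0ynchpwd\0\0".encode("utf-16-le")

if __name__ == "__main__":
    for label, raw in (("good", encode_multi_sz(EXPECTED)), ("corrupt", CORRUPT)):
        ok, visible, findings = check_notification_packages(raw)
        print(label, ok, visible)
        for f in findings:
            print("  -", f)
```

With the corrupt sample only RASSFM remains visible, because the nulled first character of the second string acts as the list terminator.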

Hi Gonz,

That registry value is already there. Any other ideas?

Thanks,

Jason

I'm having the same issue. I found the synchpwd.dll; should I re-register it?

I don't want to mess up things here.
