New Member

SQLSvc failed Audits messages under Event viewer on Publisher

Hi,

CM 4.1(2)sr2 single Publisher

Please help me get rid of these failed audits for SQLsvc user account under Security logs on event viewer Publisher only.

I tried using adminutility and I even tried manually resetting the SQLSvc password under Local Users and Groups, then updating the services which use SQLSvc and the COM+ DBL application under Component Services (shut and no shut), and the problem still occurs even after a reboot.

Following failed audit errors for SQLSvc user account we see on the Publisher under security logs in event viewer.

Cheers!

Yavuz

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: SQLSvc

Domain:

Logon Type: 7

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: SYDNEYCM01

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 681

Date: 6/10/2005

Time: 9:45:26 AM

User: NT AUTHORITY\SYSTEM

Computer: SYDNEYCM01

Description:

The logon to account: SQLSvc

by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

from workstation: SYDNEYCM01

failed. The error code was: 3221225578

19 REPLIES

Re: SQLSvc failed Audits messages under Event viewer on Publishe

From Microsoft:

http://support.microsoft.com/default.aspx?scid=kb;en-us;273499

The error is:

3221225578 C000006A User logon with misspelled or bad password

I do not know how you ran adminutility, but I would run it and then reboot the server.

Are you running any 3rd party applications that might be accessing the database? For clarification, are you running 4.1.2 sr1? Sr2 is not yet available.

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

CM 4.1(2)sr1 standalone Publisher and NO there is no 3rd party application running on this server.

In my initial post I mentioned that I've run the adminutility several times from the c:\program files\cisco\bin directory under the CMD prompt, as well as manually trying to reset the SQLSvc password as per the doco on CCO. This also included rebooting the server several times.

Note: This CM server is not in a domain nor using DNS.

Strange: if I go into Component Services, then shut down and start the COM+ application DBL, the Logon/Logoff for the SQLSvc user is a successful audit. Then if we start to search or access devices, phones, or gateways on the CCMAdmin page, we start to see failed audits.

Any ideas??

-Yavuz

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Logon Type 7 is Unlock. This event would seem to indicate that you are logged into the console as user SQLSvc, and have attempted to unlock the console with an invalid password.

http://www.windowsecurity.com/articles/Logon-Types.html

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

OK, I noticed that we had the screen saver set to the logon screen saver on the CM. I've just set it to NONE, run adminutility to update the passwords, and rebooted the server, but I still have the same problem with failed audits. I am certain I have everything configured and set correctly. The SQLSvc password is correct; Logon locally and Logon as a service have also been set correctly.

Is there something else i can try to fix these messages?

-Yavuz

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Still no luck. Could somebody please help assist me with this issue?

Thanks,

Yavuz

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Same issue here but I am seeing the EV failure messages on 7 out of 8 4.1(2) CCMs in the cluster. Started after running the adminutility.exe tool to correct a strange auto-registration issue. Fixed that but now I have the annoying EV failure messages. Nothing else seems to be impacted.

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Ah yes, this issue. I still haven't been able to fix these cosmetic SQLSvc messages in Event Viewer. Please could somebody help me ASAP with this problem?

Thanks,

Yavuz

Silver

Re: SQLSvc failed Audits messages under Event viewer on Publishe

I remember something about these security audit failures having to do with the account not being part of the server Local Administrators group when it should be, that somehow that gets changed. I don't have one handy to look at, but maybe the person with the 1 out of 8 not generating the message could check and see if that one has the SQLSvc account in the Local Administrators group, and the others not.

Mary Beth

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Thanks. The SQLSvc account is part of the local Administrators group on all the CCMs.

Jason

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

I think I found the issue. Look in the latest ISAPIFilter000000XX.txt file, found in C:\program files\cisco\trace\MLA folder, and you will probably see the below entries.

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()

07/05/2005 12:48:14.569 |<--Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:48:14.569 |<--Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 |-->Authfilt::HttpFilterProc

07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:48:14.569 |-->Authfilt::IsMLAActivated

07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()

The reason it is cosmetic is that you probably have, and I definitely have, MLA deactivated in CCMAdmin. Anyway, the authentication information in MLA for the SQLSvc account was not updated when the adminutility.exe tool was run.

Jason
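To tie the trace above to the Security log events in the first post, here is an added example (not part of the thread and not Cisco code) that counts failed `LogonUser` calls per account in an ISAPIFilter trace and renders the event 681 decimal error code in hex. The sample lines are constructed in the format quoted above; the function names and lookup tables are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the ISAPIFilter trace quoted above.
SAMPLE = """\
07/05/2005 12:48:14.569 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:14.569 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:14.569 |<--Authfilt::enablePowerUser()
07/05/2005 12:48:14.569 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter
07/05/2005 12:48:15.102 |-->Authfilt::enablePowerUser()
07/05/2005 12:48:15.102 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)
07/05/2005 12:48:15.102 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326
07/05/2005 12:48:15.102 |<--Authfilt::enablePowerUser()
"""

# Only the two codes that appear in this thread.
WIN32 = {1326: "ERROR_LOGON_FAILURE"}             # enum= value in the trace
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD"}  # event 681 error code

# The character class excludes ')' so "LogonUser() failed, ..." is not
# mistaken for an attempt line.
ATTEMPT = re.compile(r"LogonUser\((?P<account>[^,()]+),")
FAILED = re.compile(r"LogonUser\(\) failed, enum=(?P<code>\d+)")

def failed_logons(trace):
    """Count (account, error) pairs for LogonUser calls that failed."""
    counts = Counter()
    account = None
    for line in trace.splitlines():
        m = ATTEMPT.search(line)
        if m:
            account = m.group("account")
            continue
        m = FAILED.search(line)
        if m and account is not None:
            code = int(m.group("code"))
            counts[(account, WIN32.get(code, str(code)))] += 1
            account = None
        elif "<--Authfilt::enablePowerUser" in line:
            account = None  # call returned without a logged failure
    return counts

def ntstatus_name(decimal_code):
    """Render the decimal code from event 681 as hex plus a known name."""
    code = decimal_code & 0xFFFFFFFF
    return "0x%08X %s" % (code, NTSTATUS.get(code, "unknown"))
```

Run against a full trace file, a steady count for one service account with MLA deactivated matches the pattern described in this thread rather than interactive password guessing.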

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Yeah, that's the one, Jason. I am also receiving the same messages under the MLA logs.

07/05/2005 12:15:38.049 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.049 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.049 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.049 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.267 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.267 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.267 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.267 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.267 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.267 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.283 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.283 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.283 |<--Authfilt::enablePowerUser()

07/05/2005 12:15:38.283 |<--Authfilt::IsMLAActivated

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc Database initialization failed

07/05/2005 12:15:38.283 | Authfilt::HttpFilterProc MLA is not enabled...skip this filter

07/05/2005 12:15:38.283 |<--Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 |-->Authfilt::HttpFilterProc

07/05/2005 12:15:38.486 | Authfilt::HttpFilterProc Database is not initialized...going to initialize DB

07/05/2005 12:15:38.486 |-->Authfilt::IsMLAActivated

07/05/2005 12:15:38.486 |-->Authfilt::enablePowerUser()

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() LogonUser(SQLSvc,*****)

07/05/2005 12:15:38.486 | Authfilt::enablePowerUser() *ERROR* LogonUser() failed, enum=1326

07/05/2005 12:15:38.486 |<--Authfilt::enablePowerUser()

Plus MLA is deactivated on my server as well. Need to know how we can get around this cosmetic issue. TAC, DE any ideas???

Cheers!

Yavuz

Green

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Hi Yavuz,

It seems you are hitting:

CSCeg00750

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value, the first character on the second, third and fourth string is replaced by null string character after 4.01, 4.02 installation.

The correct data on that registry value should be the following:

RASSFM KDCSVC scecli synchpwd

Condition:

Fresh or Upgrade to 4.0(1), 4.0(2a), 4.1(1) and 4.1(2) release

Workaround:

Use the regedit to change the registry value to have above data

The SQLSVC account cannot read from the Windows LSA, so it cannot log in to the DB to look at the MLA value, and thus the MLA login would fail.

Please let us know.

-Gonz
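The corruption described in CSCeg00750 is easy to miss because a multi-string registry value ends at the first empty string, so a leading NUL hides every entry after it. The following added example (not part of the thread and not Cisco code) parses raw REG_MULTI_SZ bytes and reports which expected entries are hidden or damaged. It assumes the "null string character" is a UTF-16 NUL code unit; the byte strings are constructed, and the helper names are this example's own.

```python
# Expected entries as given in the post above.
EXPECTED = ["RASSFM", "KDCSVC", "scecli", "synchpwd"]

def encode_multi_sz(strings):
    """Encode strings as raw REG_MULTI_SZ bytes (UTF-16LE, NUL-separated,
    with one extra NUL terminating the list)."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"

def visible_entries(raw):
    """Parse the usual way: the list ends at the first empty string."""
    out = []
    for part in raw.decode("utf-16-le").split("\0"):
        if part == "":
            break
        out.append(part)
    return out

def audit(raw, expected=EXPECTED):
    """Return (visible entries, findings) for a raw Notification Packages value."""
    visible = visible_entries(raw)
    text = raw.decode("utf-16-le")
    findings = []
    for name in expected:
        if name in visible:
            continue
        # Damaged form: first character overwritten by NUL, rest intact.
        if "\0" + name[1:] + "\0" in text:
            findings.append((name, "first character replaced by NUL"))
        else:
            findings.append((name, "missing"))
    return visible, findings

# Constructed values: a healthy one, and one with the first character of
# the second, third and fourth strings replaced by NUL.
GOOD = encode_multi_sz(EXPECTED)
DAMAGED = encode_multi_sz(["RASSFM", "\0DCSVC", "\0cecli", "\0ynchpwd"])

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("damaged", DAMAGED)):
        visible, findings = audit(raw)
        print(label, visible, findings)
```

With the damaged value, only `RASSFM` is visible to a normal parser, which means `synchpwd` would not be seen as a notification package even though most of its name is still in the raw data.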

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Hi Gonz,

That registry value is already there. Any other ideas?

Thanks,

Jason

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

I'm having the same issue. I found the synchpwd.dll.

Should I re-register it?

I don't want to mess things up here.

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

I had opened a case w/ TAC. My TAC engineer stated that the MLA DE said adminutility should have changed the SQLSvc password in the MLA service. My TAC engineer and I cannot find the MLA service in Windows or the CCM.

I have found a fix...upgrade. The upgrade to 4.1(3)sr1, actually it was the 4.1(3) step, fixed the issue. I don't believe it was anything in the new code that fixed it. The upgrade was quite large, asked for the cluster private phrase and registered the application. I believe this process was what actually resolved the issue.

Jason

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Below is how things should work. I verified that the correct value was in the registry last week. It does not seem like this piece is operating as designed.

"MLA will make use of the power user account (SQLSvc) created by CallManager for ISAPI/IIS authentication. CCMService also requires the account with administrative privileges for activating/running the CCM services. SQLSvc account is created with admin privileges and hence ISAPI filter can use this account. The password for this account will be stored in the local private store in all the CallManager servers during install. The ISAPI dll will read the password from the local store to use it for IIS authentication. CallManager install will also include a dll (syncpwd.dll) provided by MLA for synchronizing the password changes with the private store. When the power user password changes, this dll will get notified and will update the private store so that the ISAPI dll will get the new password.

An entry has been added to the list of notification packages in the registry.

The registry value is :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages will be updated with the entry synchpwd.

CCMAdminUtility.exe (placed under C:\Program Files\Cisco\bin\ ) will be used to change the SQLSvc password."

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Thanks Jason. We are due for an upgrade to 4.1(3) on our Sydney office cluster (problem with failed audits for the SQLSvc account).

Was TAC or DE able to provide a bug ID or some sort of documentation stating this issue?

Cheers!

Yavuz

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

No they weren't. The DE stated that the adminutility would have changed the SQLSvc password for MLA. The MLA logs say otherwise. I'm still in communication w/ the TAC engineer. He's trying to replicate the issue but can't. Apparently just running the adminutility while MLA is disabled doesn't do it. I've given him a couple more specifics on my configuration. Hopefully he'll be able to recreate the issue. I'll let you know what comes of it.

Are you running CSA, NetIQ and/or McAfee? I had those disabled when running the adminutility. How about URLScan?

Jason

New Member

Re: SQLSvc failed Audits messages under Event viewer on Publishe

Thanks Jason,

Yeah, I have no URLScan, CSA, NetIQ, Symantec, McAfee nor any 3rd party application running on my servers apart from CallManager.

I ran the adminutility.exe file from directory c:\program files\cisco\bin 15 times, even manually resetting the SQLSvc password and updating the services as well as the Component Services DBL COM+ application; the problem is still evident.

Cheers!

-Yavuz
