
IIS / SQL Authentication Failure


Thoades

Jan 8, 2002, 7:32:32 AM
I wonder if the group would be good enough to consider the following entry, which my ISP sent me on Friday from their security logs.

IMO this entry is not malicious and is being caused by SQL Enterprise Manager. If I go online and start working on their server, then they start getting the enclosed entries in their security logs.

My theory...
Enterprise Manager is attempting to poll and connect via Named Pipes to the remote ISP to check the status of the SQL Server boxes residing there and registered in my Enterprise Manager. The authentication failure is occurring because it is attempting to pass the credentials with which I am logged in to my domain through to the remote server. This will of course fail (which is good), but I would dearly like to stop dropping entries in the remote server's security log.

I have searched through my MSDN stuff to see if I can work out what the message means, but need some advice.

Machine details...
My domain in my office is Energycell
My PDC (NT4) is ECSERVER
My workstation is RHOADES (Win2k Server)
XXXXXX is the name of the remote server running SQL7 and IIS

The snip from the security log (below) is taken from one of the servers in my ISP's data center....
 
    The session setup to the Windows NT or Windows 2000 Domain Controller
    \\ECSERVER for the domain ENERGYCELL is not responsive.  The current RPC
    call from Netlogon on \\RHOADES to \\ECSERVER has been cancelled.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date:  04/01/2002
    Time:  15:53:59
    User:  NT AUTHORITY\SYSTEM
    Computer: XXXXXXX
    Description:
    Logon Failure:
      Reason:  Unknown user name or bad password
      User Name: paulr
      Domain:  ENERGYCELL
      Logon Type: 3
      Logon Process: NtLmSsp
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name: RHOADES
 
Any help or ideas as to what this is, folk? Am I right? Wrong? Running a zombie I don't know about? (I've nbtstat'ed my machine and can only see the ports etc. I'd expect.)
 
Regds
Paul R

IT Community

Jan 8, 2002, 10:19:34 AM
You may find the following worth reviewing

Q175671 PRB: 80004005 ConnectionOpen (CreateFile()) Error Accessing SQL
Q159976 HOWTO: Connect to the Microsoft SQL Server through Named Pipes

While connected to the Internet, typing mskb q159976 in your browser will bring up the article.


This posting is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your
use. © 2001 Microsoft Corporation. All rights reserved.

Thoades

Jan 8, 2002, 12:15:44 PM
Hi, thanks for that. I still have a bit of a problem though:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q159976

This article is relevant but concerns the use of ASP and IIS. If I was connecting from IIS on my computer to a remote server running SQL in the data centre then I would expect it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q175671

This one sort of explains it better EXCEPT that it does not say that this impersonation is also undertaken through the SQL Server Management Console. If I was attempting to run code on my machine and access SQL on your server then it would be 100% correct.

I have ensured that I am only ever talking to SQL Server through IP by removing the Named Pipes protocol from my client network utility in SQL 7, but the problem seems to persist.

Any further information would be of great interest.

Regards,

Paul R. Rhoades

IT Community

Jan 8, 2002, 2:43:39 PM
All mentioned Q articles are for your information. I believe they are relevant and can lead to one, yet not necessarily a direct resolution of your experienced issue. Some of the discussion may be on ASP pages accessing a SQL server; the security principles and context are very similar, other than that the connection and operations are originated from a user instead of an ASP page.

Overall, I believe the issue is likely within the authentication method and what type of security SQL is applying. Some information is available in

Q247931 INF: Authentication Methods for Connections to SQL Server in ASP

Hope this helps.


Roger Abell

Jan 9, 2002, 2:17:09 AM
Paul,
 
You did clarify that you have set the SQL client netlib to Tcp/Ip.  Good.
 
You did not clarify how you added the remote SQL servers into
the SQL Enterprise Mgr.   I would assume you have been given a
SQL internal account, and in the EntMgr connectoid properties for
the remote server it should be showing this SQL rather than Windows
integrated account for the connection.

--
Roger Abell
MS MVP (Windows Platform), MCSE, MCDBA, MCT
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone

Thoades

Jan 9, 2002, 9:50:44 AM
Hi Group,
 
Thanks for all your help. I post this information for your information should it prove helpful in the future.
 
points 2 note...
1 - I only have TCPIP configured in my client network tools for SQL server
2 - I have independent SQL user accounts set up for all 12 different servers registered in my admin tools, using SQL Server Authentication with unique usernames and passwords on each server. Locations of the different servers are in different data centres around the UK & US + local machine + local domain.
 
The reason my ISP was receiving authentication failures from me (and indeed several other customers) is due to the fact that my Enterprise Manager was set to Poll.
 
2 things from this then....
 
1 - Select Tools, Options from the MMC menu and uncheck the "poll server" check box. Problem goes away.
2 - What protocol / connection type is being used to do the poll? Is it pure IP? And if so, why is it attempting to use pass-through authentication? It may be that I've got this wrong, but I would like to know. Any further info greatly appreciated.
 
Many thanks group.
Paul R. Rhoades
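
For the server-side view of this thread, here is an added example (not code from any poster) that parses Event ID 529 text in the layout quoted in the first post. It labels each source workstation by how many accounts it tried and whether its failures arrive at a fixed cadence, the pattern a polling client would leave. The sample records, the host names WKSTN-A and WKSTN-B, the 2-second jitter threshold and the label names are constructed assumptions; dates are read as dd/mm/yyyy, as in the quoted record.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the Event ID 529 record quoted in the thread.
# WKSTN-A / WKSTN-B, the account names and all times are made up for illustration.
def _event(time, user, domain, wks):
    return (f"Event ID: 529\nDate:  04/01/2002\nTime:  {time}\nLogon Failure:\n"
            f"  Reason:  Unknown user name or bad password\n  User Name: {user}\n"
            f"  Domain:  {domain}\n  Logon Type: 3\n  Logon Process: NtLmSsp\n"
            f"  Workstation Name: {wks}\n")

SAMPLE = "\n".join(
    [_event(t, "paulr", "ENERGYCELL", "WKSTN-A")
     for t in ("15:53:59", "15:54:09", "15:54:19", "15:54:29")] +
    [_event(t, u, "WKSTN-B", "WKSTN-B")
     for t, u in (("16:01:02", "admin"), ("16:01:03", "sa"), ("16:01:07", "backup"))])

FIELD = re.compile(r"^[ \t]*(Event ID|Date|Time|User Name|Domain|Logon Type"
                   r"|Workstation Name):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Return one dict per Event ID 529 record found in exported log text."""
    events = []
    for chunk in re.split(r"(?=^[ \t]*Event ID:)", text, flags=re.M):
        rec = dict(FIELD.findall(chunk))
        if rec.get("Event ID") == "529" and "Date" in rec and "Time" in rec:
            rec["when"] = datetime.strptime(f"{rec['Date']} {rec['Time']}", "%d/%m/%Y %H:%M:%S")
            events.append(rec)
    return events

def triage(events, jitter=2):
    """Label failed network logons (Logon Type 3) per source workstation."""
    by_wks = defaultdict(list)
    for e in events:
        if e.get("Logon Type") == "3":
            by_wks[e.get("Workstation Name", "?")].append(e)
    report = {}
    for wks, evs in by_wks.items():
        accounts = sorted({e.get("Domain", "?") + "\\" + e.get("User Name", "?") for e in evs})
        times = sorted(e["when"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        label = "single-account"
        if len(accounts) > 1:
            label = "multiple-accounts"        # many identities from one host
        elif len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter:
            label = "periodic-single-account"  # fixed cadence, one identity
        report[wks] = (label, len(evs), accounts)
    return report
```

Calling `triage(parse_events(SAMPLE))` returns one `(label, count, accounts)` tuple per workstation; a "periodic-single-account" row is the kind an operator can resolve by contacting the customer rather than treating it as password guessing.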
 