locked
Failure Audit RRS feed

  • Question

  • Has anyone experienced a failure audit each time a workflow is executed?

    Have tried running the workflow with Administrator rights.

    Have made sure the correct .NET components (.NET 3.0.0) are installed.

    The behaviour is isolated to one server environment.

    Knowledge Base article 841001 seems pertinent:

    •          You use an application that opens audited objects too frequently or that opens audited objects with greater access than the application requires. For example, the application may request full control access when the application requires only read access. When this behavior occurs, events may be generated where the referenced process is always the same application.

    I’m not sure how it is possible to “open audited objects too frequently” We are going to open them as often as we need to.

    I don’t know how we could open with greater access than the application requires either. I don’t know how the audit system can discover what access level we may potentially need.

    We run hundreds of workflows a day and the custmor is complaining that the security log is filling up.

    The customer is reluctant to modify their domain security settings.

    Any suggestions?

    This is the event:

    Event Type:        Failure Audit
    Event Source:        Security
    Event Category:        Object Access
    Event ID:        560
    Date:                10/3/2013
    Time:                9:00:20 AM
    User:                NT AUTHORITY\SYSTEM
    Computer:        W3VMOMSWH02D
    Description:
    Object Open:
             Object Server:        Security
             Object Type:        Mutant
             Object Name:        \BaseNamedObjects\windows workflow foundation 3.0.0.0
             Handle ID:        -
             Operation ID:        {5,2797104351}
             Process ID:        11188
             Image File Name:        E:\Ventyx\POBIMT.WORLD\runtime\Obvient.OSIS.WWF.Runtime.exe
             Primary User Name:        W3VMOMSWH02D$
             Primary Domain:        FENETWORK
             Primary Logon ID:        (0x0,0x3E7)
             Client User Name:        -
             Client Domain:        -
             Client Logon ID:        -
             Accesses:        DELETE
                            READ_CONTROL
                            WRITE_DAC
                            WRITE_OWNER
                            SYNCHRONIZE
                            Query mutant state

    Thursday, October 10, 2013 4:01 PM

All replies

  • Hi

    “open audited objects too frequently”

    For this issue, it's more like security problem.

    Quote from Sandesh's reply:

    To resolve this issue, use one of the following methods:
    Method 1
    Disable the Audit the access of global system objects Local Security Policy setting if you have previously enabled this setting. To do this, follow these steps:
    1.Click Start, click Run, type gpedit.msc, and then click OK.
    2.Locate the following entry:
    Console Root\Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    3.Double-click the Audit the access of global system objects policy, click Disabled under Local Policy, and then click OK.
    4.On the Console menu, click Exit, and then restart the computer.

    Method 2
    Configure the custom application to open audited objects only as required. For example, configure the custom application to request only the minimum access that is required. If the custom application requires only read access for a specific object, assign only read access. In this case, full control access is not required.

    Refer this link for more details:  http://blogs.msdn.com/b/ericfitz/archive/2005/01/11/350848.aspx 

    hope it helps,

    Regards


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    • Marked as answer by Angie Xu Friday, October 25, 2013 1:13 AM
    • Unmarked as answer by Angie Xu Thursday, October 31, 2013 8:43 AM
    Monday, October 21, 2013 3:26 AM
  • Method 1 requires altering customer domain policies. Not a good option.

    "Method 2
    Configure the custom application to open audited objects only as required. For example, configure the custom application to request only the minimum access that is required. If the custom application requires only read access for a specific object, assign only read access. In this case, full control access is not required."

    The thing is I have searched the code for any line of code or config setting that would indicate that I am asking for full control of any object and I can't find anything. Can you give me some search phrase that I can use to search the solution?

    As far as I can tell I am not asking for full control over \BaseNamedObjects\windows workflow foundation 3.0.0.0 or anything else.


    Rob

    Friday, October 25, 2013 1:16 PM