locked
Any password change/entry causes lsass.exe error crashing server RRS feed

  • Question

  • I have installed SQL Server 2008 R2 SP2 on VM running Server 2008 R2.  I am encountering an lsass.exe error that crashes the data server each and every time I attempt to enter or change a password within SQL.  This includes backing up encryption keys for Reporting Services and sa for the Engine.    The Event Log entry is as follows:

    Application error -- faulting application lsass.exe; faulting module enpasfltv2X64.dll; exception code 0xc0000417.

    Wininit; a critical system process c:\windows\system32\lsass.exe failed with status code c0000417.  The machine must now be restarted.

    I was told the SA on the domain installed all hotfixes and SPs for the OS.

    Thoughts?

    v/r

    Mary

    Monday, October 1, 2012 7:38 PM

Answers

  • Mary,

    I have had similar problems in the past with STIG compliant systems. To resolve it I have had to remove the STIG imposed password filter. See V-1131.

    Alan

    • Marked as answer by mlfettes Thursday, October 11, 2012 10:45 PM
    Thursday, October 11, 2012 11:56 AM
  • Ray,

    Yes, I had seen that thread which matches my situation.  The server is part of a domain -- managed by an Enterprise Service (not us).  Since they manage the VMWare and the domain, they will not drop any of the VMs unless I give definitive proof that it is absolutely necessary.  They have disabled the password filter module in the lsass.exe for the domain, which was a temporary fix.  This is a secure system, and we will need to have that module to be STIG compliant.  I'm not sure what direction I should take.

    Mary

    • Proposed as answer by Shulei Chen Tuesday, October 9, 2012 9:37 AM
    • Marked as answer by Shulei Chen Wednesday, October 10, 2012 9:29 AM
    Wednesday, October 3, 2012 12:36 PM

All replies

  • Hi Mary,

    Thanks for the post.

    Is the machine in a domain? If so, please try to drop the machine from AD and re-add it to the domain, and then check if it could work. For more details, please take a look at this similar thread.

    If it doesn’t help, please provide complete SQL Server Error Log for further troubleshooting.


    Best Regards,
    Ray Chen

    • Proposed as answer by Shulei Chen Tuesday, October 9, 2012 9:37 AM
    • Marked as answer by Shulei Chen Wednesday, October 10, 2012 9:29 AM
    • Unmarked as answer by mlfettes Wednesday, October 10, 2012 6:52 PM
    Wednesday, October 3, 2012 2:50 AM
  • Ray,

    Yes, I had seen that thread which matches my situation.  The server is part of a domain -- managed by an Enterprise Service (not us).  Since they manage the VMWare and the domain, they will not drop any of the VMs unless I give definitive proof that it is absolutely necessary.  They have disabled the password filter module in the lsass.exe for the domain, which was a temporary fix.  This is a secure system, and we will need to have that module to be STIG compliant.  I'm not sure what direction I should take.

    Mary

    • Proposed as answer by Shulei Chen Tuesday, October 9, 2012 9:37 AM
    • Marked as answer by Shulei Chen Wednesday, October 10, 2012 9:29 AM
    Wednesday, October 3, 2012 12:36 PM
  • As I had stated in my first reply, the Enterprise personnel refuse to remove a machine from AD without concrete proof it is necessary.  They did not accept your post as "concrete" and insist there must be another issue causing the problem.  I'm in a bind here.
    Wednesday, October 10, 2012 6:53 PM
  • Mary,

    I have had similar problems in the past with STIG compliant systems. To resolve it I have had to remove the STIG imposed password filter. See V-1131.

    Alan

    • Marked as answer by mlfettes Thursday, October 11, 2012 10:45 PM
    Thursday, October 11, 2012 11:56 AM
  • Alan,

    That is what I expected.  Looks like we'll have to write some POAMs.  Thank you for the confirmation.

    Mary

    Thursday, October 11, 2012 10:46 PM
  • Mary,

    I have had similar problems in the past with STIG compliant systems. To resolve it I have had to remove the STIG imposed password filter. See V-1131.

    Alan

    Alan, thank you for your suggestion.  It worked for my baseline STIG'd 2008 R2 Server (not running SQL).  Before using your fix, lsass.exe was crashing in dcpromo at the Restore Mode Administration credentials page.

    Adam Bentley

    Thursday, January 24, 2013 6:44 PM
  • I had/have the same problem with joining a second domain controller to my new domain.  I'm not going to get a pass on the password filter. It needs to work right... I'm going to try re-installing and re-registering. Has anyone had any solutions for this? The last post is 2 years old.
    Wednesday, February 4, 2015 1:48 PM