locked
Error logs filling with "Login failed for user" error message RRS feed

  • Question

  • Hello.

     

    My SQL logs and Event Viewer are filled with many errors stating "Login failed for user....". The errors are logged several times per minute around the clock. The accounts being tried rotate through the accounts that are set up for SQL. At times the accounts rotate through sa, admin, and another account named for an App that uses SQL as it's database.

    Presently, it rotates through sa and the App's account name.

     

    How do I troubleshoot what is trying to log in constantly and cannot?

     

    The App works ok, so it is not a problem with the App not being able to connect to SQL.

     

    Event Viewer error message is as follows:

    Source: MSSQLSERVER

    Category: (4)

    Event ID: 17055

    Description:

    18456

    Login failed for user 'username'

     

    And in the SQL error log:

    Source: logon

    Message: Login failed for user 'username'

     

    Thanks for your help.

    KT

    Wednesday, June 25, 2008 9:12 PM

Answers

  • Hi,

    You can use profiler to capture host , username, sql command etc. Once you got the host ID you can check the connection string used by the application from that host and if needed you can update the password for that login and then try using the app again.

    Thursday, June 26, 2008 5:10 AM

All replies

  • I had a similar problem, although not quite so frequent. It originated from crystal reports whenever anyone tried to open/print a report a logon error was recorded in the logs even though the correct usr/pwd details were being used by the report (the reports opened and printed correctly and extracted the data OK).

     

    Thursday, June 26, 2008 12:26 AM
  • Hi,

    You can use profiler to capture host , username, sql command etc. Once you got the host ID you can check the connection string used by the application from that host and if needed you can update the password for that login and then try using the app again.

    Thursday, June 26, 2008 5:10 AM
  • Thanks, I am making success now in troubleshooting this issue.

     

    I see the computers and apps sending the connection requests. The app sending the request is valid, and the password is valid. For some reason, the connections fail at times. On other requests they succeed. There is no password to change, because the password used by the app is correct. How do I troubleshoot the login failing part of the time like this?

     

    And, how do I check the connection string?

     

    Thanks again for your help.

    KT

     

    Monday, June 30, 2008 5:05 PM
  • I have done some more troubleshooting and I could use some additional guidance.

     

    I used SQL profiler to audit logins and login failures.

    What I found is that one offending computer in the network started trying to login to SQL, about once per second. The accounts tried were sa, admin and root. One account would be tried for a few minutes, then it would move to another account. This went on for about 20 minutes, then stopped.

     

    I have an sa account on SQL along with others. I do not have admin or root accounts set up. It appears that some exploit is coming the that workstation.

     

    Does this sound correct, and how do I troubleshoot this?

     

    Thanks again for your help.

     

    KT

    Monday, June 30, 2008 7:29 PM