Unidentified Kerberos authentication messages on SQL Servers

  • Question

  • One of our admins noticed a strange pattern of login messages in the Windows event log on one of our SQL Servers, and after some investigation, I've found that the same pattern can be found on most (but not all) of our SQL Servers. I cannot seem to find the source, however.

    The pattern:

    • A series of four messages related to Kerberos authentication occurs every 29 minutes on affected servers. (No, that's not a typo.)
    • The series is event IDs 552, 540, 576, and 538 (in that order) on Windows 2003 and earlier. On Windows 2008, the series is 4648, 4624, 4672, and 4634.
    • The first message in the series says that the SQL Server's service account is authenticating via Kerberos using my credentials.
    • The second and third messages relate to a login using my credentials via Kerberos and the permissions granted.
    • The fourth message is a logoff.
    • The series always happens in under 1 second.
    • I have found no indications of this pattern on any of our other Windows servers.

    I've eliminated everything I can think of:

    • No other messages in the Windows event log correlate to the messages.
    • No messages in the SQL Server logs correlate to the messages.
    • No SQL Server Agent jobs run on that scheduler.
    • Task Scheduler has no jobs on any of the affected servers.
    • Our 3rd-party job scheduler does not have any jobs that run on that schedule, nor does it have my credentials.
    • I briefly suspected a 3rd-party monitor that we use, but the messages were produced even when the monitor was completely turned off.
    • No other 3rd-party monitors are used that would have either the service account's credentials or my credentials.
    • Our linked servers use SQL Server authentication, not Windows authentication.
    • The servers are a mix of SQL Server 2000, 2005, and 2008, so it can't be related to any newer SQL Server technologies, such as Service Broker.

    Does anyone have any suggestions of anything else to check to find the cause of these messages?

    Wednesday, January 6, 2010 9:57 PM

Answers

  • The events happening in your scenario have the following actions:

    552: Logon attempt using explicit credentials
    540: Successful Network Logon
    576: Special privileges assigned to new logon
    538: User Logoff

    This makes everyone think that a certain process/tool (apart from all the ones that you have clearly mentioned) is able to access SQL Server for a reason. Try to run a trace and see if there is info about this login, hostname, etc.
    Also see what is happening in the sys.dm_exec_requests and sys.dm_exec_sessions when these events happen.

    Also see if it is possible for your network admins to track all connections to and from these SQL servers.


    Thanks, Leks
    Wednesday, January 6, 2010 10:25 PM
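Both the pattern in the question (a fixed four-event Kerberos series that completes within a second and recurs every 29 minutes) and the answer's advice to correlate those events with trace and session data can be checked mechanically. The script below is an added example, not code from this thread or from Microsoft; it runs over constructed event records in a `timestamp|event ID|account` shape (using the event IDs named above) and over a constructed snapshot of session rows shaped like the `login_time`, `login_name`, `host_name` and `program_name` columns of `sys.dm_exec_sessions`. The account names, host names and program names in the sample data are invented. It reports which complete series occur, how regularly they recur per account, and which session rows were opened at the same moment, which is the evidence that identifies the caller.

```python
from datetime import datetime, timedelta

# Event-ID sequences from the thread: Windows 2003-and-earlier IDs and their 2008 equivalents.
SERIES = {
    "2003": (552, 540, 576, 538),
    "2008": (4648, 4624, 4672, 4634),
}

# Constructed sample records (timestamp|event_id|account); not a real log export.
SAMPLE_LOG = [
    r"2010-01-06T09:00:00.100|552|CORP\dba",          # complete series within a second
    r"2010-01-06T09:00:00.250|540|CORP\dba",
    r"2010-01-06T09:00:00.300|576|CORP\dba",
    r"2010-01-06T09:00:00.600|538|CORP\dba",
    r"2010-01-06T09:10:15.000|540|CORP\svc_backup",   # unrelated single logon
    r"2010-01-06T09:15:00.000|552|CORP\dba",          # incomplete run: nothing follows it
    r"2010-01-06T09:29:00.120|552|CORP\dba",
    r"2010-01-06T09:29:00.200|540|CORP\dba",
    r"2010-01-06T09:29:00.310|576|CORP\dba",
    r"2010-01-06T09:29:00.500|538|CORP\dba",
    r"2010-01-06T09:40:00.000|552|CORP\dba",          # right IDs but spread over 1.7 s: not the pattern
    r"2010-01-06T09:40:01.500|540|CORP\dba",
    r"2010-01-06T09:40:01.600|576|CORP\dba",
    r"2010-01-06T09:40:01.700|538|CORP\dba",
    r"2010-01-06T09:58:00.130|552|CORP\dba",
    r"2010-01-06T09:58:00.220|540|CORP\dba",
    r"2010-01-06T09:58:00.300|576|CORP\dba",
    r"2010-01-06T09:58:00.550|538|CORP\dba",
    r"2010-01-06T10:00:00.000|4648|CORP\monitor",     # same pattern with 2008 event IDs
    r"2010-01-06T10:00:00.100|4624|CORP\monitor",
    r"2010-01-06T10:00:00.200|4672|CORP\monitor",
    r"2010-01-06T10:00:00.400|4634|CORP\monitor",
]

# Constructed rows shaped like sys.dm_exec_sessions columns; hosts and programs are invented.
SESSIONS = [
    {"login_time": datetime(2010, 1, 6, 9, 29, 0, 250000), "login_name": r"CORP\dba",
     "host_name": "SQLMON01", "program_name": "example-monitor-job"},
    {"login_time": datetime(2010, 1, 6, 8, 0, 0), "login_name": r"CORP\dba",
     "host_name": "DBA-WS", "program_name": "Microsoft SQL Server Management Studio"},
]


def parse_event(line):
    """Parse one 'timestamp|event_id|account' record into a dict."""
    ts, eid, account = line.split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid), "account": account}


def find_series(events, max_span=timedelta(seconds=1)):
    """Return (start_time, account, series_name) for each complete four-event run on one
    account that finishes within max_span; partial or slow runs are skipped."""
    events = sorted(events, key=lambda e: e["time"])
    hits, i = [], 0
    while i < len(events):
        for name, ids in SERIES.items():
            window = events[i:i + len(ids)]
            if (len(window) == len(ids)
                    and tuple(e["id"] for e in window) == ids
                    and len({e["account"] for e in window}) == 1
                    and window[-1]["time"] - window[0]["time"] <= max_span):
                hits.append((window[0]["time"], window[0]["account"], name))
                i += len(ids)
                break
        else:
            i += 1
    return hits


def periodic_intervals(hits):
    """Whole minutes between consecutive series per account; a constant value
    (29 in the question) points at a scheduled caller rather than ad hoc use."""
    by_account = {}
    for start, account, _ in hits:
        by_account.setdefault(account, []).append(start)
    result = {}
    for account, starts in by_account.items():
        starts.sort()
        result[account] = [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]
    return result


def correlate_sessions(hits, sessions, window=timedelta(seconds=5)):
    """Pair each series with session rows for the same login whose login_time lies within
    `window` of the series start; host_name and program_name then say who the caller is."""
    matches = []
    for start, account, _ in hits:
        for s in sessions:
            if s["login_name"].lower() == account.lower() and abs(s["login_time"] - start) <= window:
                matches.append((start, s["host_name"], s["program_name"]))
    return matches


if __name__ == "__main__":
    found = find_series(parse_event(line) for line in SAMPLE_LOG)
    for start, account, name in found:
        print(f"{start} {account} series({name})")
    print("intervals (min):", periodic_intervals(found))
    for start, host, prog in correlate_sessions(found, SESSIONS):
        print(f"{start}: session opened from {host} via {prog}")
```

The two filters in `find_series` matter: requiring all four events on one account rules out coincidences between different logons, and the one-second bound drops runs with the right IDs but the wrong timing, which is exactly how the question distinguishes the pattern from ordinary logon noise. On a live server the same correlation is done by exporting the security log and a periodic `SELECT login_time, login_name, host_name, program_name FROM sys.dm_exec_sessions` snapshot into the same two shapes.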

All replies

  • Thanks - that helped.  The trace showed that a job for my monitoring tool was gathering some info from the OS, and that caused it to authenticate the job owner with the OS.  The job runs more frequently than every 29 minutes, but there is apparently a cache that keeps it from hitting Kerberos each time.
    Thursday, January 7, 2010 5:26 PM