SQL Server Logon Failure by Web Server ASPNET Account
Hi, all. I was successful in getting Umbraco 4 to use a trusted connection between a standalone IIS in our DMZ and an SQL Server behind a firewall using like named users with the same passwords. Then, I noticed that every minute it appeared that the ASPNET account on IIS was attempting to logon to the SQL Server and failing. I don't know much about Umbraco and am hesitant to suggest it's a bug, but I'm having a hard time understanding why this should be, too. The details follow.
Umbraco version is 4.0.2.1 (Assembly version: 1.0.3441.17657).
The web server is IIS 5 on Windows Server 2000 SP4. ASP .NET is v2. This is a standalone sever in our DMZ. Anonymous authentication is enabled using the built-in IUSR_* account. Impersonation is enabled in web.config using an account with name and password matching an account on the server hosting SQL Server.
SQL Server 2008 (v10.0.2531) is hosted on Windows Server 2008 Standard SP1 64-bit. This is a member server behind a firewall.
The following log entries repeat every minute. When I reverted to SQL Server authentication, they stopped.
Security Event Log Entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/16/2009 10:42:41 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: sqlserver.ad.company.org
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ASPNET
Account Domain: WEBSERVER
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: WEBSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the
computer where access was attempted.
The Subject fields indicate the account on the local system which requested the
logon. This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most
common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system
requested the logon.
The Network Information fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this
specific logon request.
- Transited services indicate which intermediate services have participated
in this logon request.
- Package name indicates which sub-protocol was used among the NTLM
protocols.
- Key length indicates the length of the generated session key. This will
be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-12-16T16:42:41.056Z" />
<EventRecordID>293847</EventRecordID>
<Correlation />
<Execution ProcessID="644" ThreadID="5816" />
<Channel>Security</Channel>
<Computer>sqlserver.ad.company.org</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">ASPNET</Data>
<Data Name="TargetDomainName">WEBSERVER</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">WEBSERVER</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Application Event Log Entries (Ascending Order of Occurrence in Time)
Log Name: Application
Source: MSSQLSERVER
Date: 12/16/2009 10:42:41 AM
Event ID: 17806
Task Category: Logon
Level: Error
Keywords: Classic
User: N/A
Computer: sqlserver.ad.company.org
Description:
SSPI handshake failed with error code 0x8009030c while establishing a connection
with integrated security; the connection has been closed. [CLIENT: 74.62.89.200]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" />
<EventID Qualifiers="49152">17806</EventID>
<Level>2</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-12-16T16:42:41.000Z" />
<EventRecordID>196503</EventRecordID>
<Channel>Application</Channel>
<Computer>sqlserver.ad.company.org</Computer>
<Security />
</System>
<EventData>
<Data>8009030c</Data>
<Data> [CLIENT: 74.62.89.200]</Data>
<Binary>8E45000014000000050000004500430048004F00000000000000</Binary>
</EventData>
</Event>
Log Name: Application
Source: MSSQLSERVER
Date: 12/16/2009 10:42:41 AM
Event ID: 18452
Task Category: Logon
Level: Information
Keywords: Classic,Audit Failure
User: N/A
Computer: sqlserver.ad.columbia-stmarys.org
Description:
Login failed. The login is from an untrusted domain and cannot be used with
Windows authentication. [CLIENT: 74.62.89.200]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" />
<EventID Qualifiers="49152">18452</EventID>
<Level>0</Level>
<Task>4</Task>
<Keywords>0x90000000000000</Keywords>
<TimeCreated SystemTime="2009-12-16T16:42:41.000Z" />
<EventRecordID>196504</EventRecordID>
<Channel>Application</Channel>
<Computer>sqlserver.ad.company.org</Computer>
<Security />
</System>
<EventData>
<Data> [CLIENT: 74.62.89.200]</Data>
<Binary>144800000E000000050000004500430048004F000000070000006D00610073007400650072000000</Binary>
</EventData>
</Event>
SQL Server Log Entries (Ascending Order of Occurrence in Time)
Date 12/16/2009 10:42:41 AM
Log SQL Server (Archive #1 - 12/16/2009 11:09:00 AM)
Source Logon
Message
Login failed. The login is from an untrusted domain and cannot be used with
Windows authentication. [CLIENT: nnn.nnn.nnn.nnn]
Date 12/16/2009 10:42:41 AM
Log SQL Server (Archive #1 - 12/16/2009 11:09:00 AM)
Source Logon
Message
Error: 18452, Severity: 14, State: 1.
Date 12/16/2009 10:42:41 AM
Log SQL Server (Archive #1 - 12/16/2009 11:09:00 AM)
Source Logon
Message
SSPI handshake failed with error code 0x8009030c while establishing a connection
with integrated security; the connection has been closed. [CLIENT:
nnn.nnn.nnn.nnn]
Date 12/16/2009 10:42:41 AM
Log SQL Server (Archive #1 - 12/16/2009 11:09:00 AM)
Source Logon
Message
Error: 17806, Severity: 20, State: 2.
SQL Server Logon Failure by Web Server ASPNET Account
Hi, all. I was successful in getting Umbraco 4 to use a trusted connection between a standalone IIS in our DMZ and an SQL Server behind a firewall using like named users with the same passwords. Then, I noticed that every minute it appeared that the ASPNET account on IIS was attempting to logon to the SQL Server and failing. I don't know much about Umbraco and am hesitant to suggest it's a bug, but I'm having a hard time understanding why this should be, too. The details follow.
Umbraco version is 4.0.2.1 (Assembly version: 1.0.3441.17657).
The web server is IIS 5 on Windows Server 2000 SP4. ASP .NET is v2. This is a standalone sever in our DMZ. Anonymous authentication is enabled using the built-in IUSR_* account. Impersonation is enabled in web.config using an account with name and password matching an account on the server hosting SQL Server.
SQL Server 2008 (v10.0.2531) is hosted on Windows Server 2008 Standard SP1 64-bit. This is a member server behind a firewall.
The following log entries repeat every minute. When I reverted to SQL Server authentication, they stopped.
Security Event Log Entry
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 12/16/2009 10:42:41 AM Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure User: N/A Computer: sqlserver.ad.company.org Description: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ASPNET Account Domain: WEBSERVER Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WEBSERVER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> <EventID>4625</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <TimeCreated SystemTime="2009-12-16T16:42:41.056Z" /> <EventRecordID>293847</EventRecordID> <Correlation /> <Execution ProcessID="644" ThreadID="5816" /> <Channel>Security</Channel> <Computer>sqlserver.ad.company.org</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-0-0</Data> <Data Name="TargetUserName">ASPNET</Data> <Data Name="TargetDomainName">WEBSERVER</Data> <Data Name="Status">0xc000006d</Data> <Data Name="FailureReason">%%2313</Data> <Data Name="SubStatus">0xc000006a</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">WEBSERVER</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">-</Data> <Data Name="IpPort">-</Data> </EventData> </Event>Application Event Log Entries (Ascending Order of Occurrence in Time)
Log Name: Application Source: MSSQLSERVER Date: 12/16/2009 10:42:41 AM Event ID: 17806 Task Category: Logon Level: Error Keywords: Classic User: N/A Computer: sqlserver.ad.company.org Description: SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 74.62.89.200] Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSSQLSERVER" /> <EventID Qualifiers="49152">17806</EventID> <Level>2</Level> <Task>4</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2009-12-16T16:42:41.000Z" /> <EventRecordID>196503</EventRecordID> <Channel>Application</Channel> <Computer>sqlserver.ad.company.org</Computer> <Security /> </System> <EventData> <Data>8009030c</Data> <Data> [CLIENT: 74.62.89.200]</Data> <Binary>8E45000014000000050000004500430048004F00000000000000</Binary> </EventData> </Event> Log Name: Application Source: MSSQLSERVER Date: 12/16/2009 10:42:41 AM Event ID: 18452 Task Category: Logon Level: Information Keywords: Classic,Audit Failure User: N/A Computer: sqlserver.ad.columbia-stmarys.org Description: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 74.62.89.200] Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MSSQLSERVER" /> <EventID Qualifiers="49152">18452</EventID> <Level>0</Level> <Task>4</Task> <Keywords>0x90000000000000</Keywords> <TimeCreated SystemTime="2009-12-16T16:42:41.000Z" /> <EventRecordID>196504</EventRecordID> <Channel>Application</Channel> <Computer>sqlserver.ad.company.org</Computer> <Security /> </System> <EventData> <Data> [CLIENT: 74.62.89.200]</Data> <Binary>144800000E000000050000004500430048004F000000070000006D00610073007400650072000000</Binary> </EventData> </Event>SQL Server Log Entries (Ascending Order of Occurrence in Time)
is working on a reply...