Hi,
I'm tearing my hair out over this one...
Every 60 seconds an error appears in the console:
9 February 2012 9:58:46 PM: Authentication Failure. Please try again. [Site: ACT01] [Server: SEPSERVER01]
- I have no issues connecting to the database (all ODBC tests successful).
- I have deleted all monitor alerts. After doing this all errors stopped.
- I then created a new monitor alert, and the error started again.
The ID in the SecurityNotifyTask-0.log (m_sNotagIdx: F90957DFDC6076B139B8E89EC68A7155) is the ID of the monitor alert I created after deleting all others.
When I investigate the local security eventlog of the server, I see three consecutive messages at the same time each "Authentication Error" is generated:
Event 4776 (Audit failure)
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: SEPMGR
Source Workstation: SEPSERVER01
Error Code: 0xc0000064
----
EventID 4648 (Audit Success)
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: SEPSERVER01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SEPMGR
Account Domain: MYDOMAIN
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x16e0
Process Name: E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SysUtil.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
--------
EventID 4624
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: SEPSERVER01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: MYDOMAIN\SEPMGR
Account Name: SEPMGR
Account Domain: MYDOMAIN
Logon ID: 0x399c90c
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x16e0
Process Name: E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SysUtil.exe
Network Information:
Workstation Name: SEPSERVER01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Question:
What I don't understand is why an authentication request is being performed with a local user (sepmgr) when the user is actually a domain user (MYDOMAIN\SEPMGR).
Related errors in other logs
Content from SecurityNotifyTask-0.log
2012-02-09 21:49:46.793 FINE: Event window end time for all events: 2012-02-09 10:49:46
2012-02-09 21:49:46.809 FINE: Borrow connection from pool.
2012-02-09 21:49:46.825 FINE: processNotifications->query: select N.NOTAG_IDX, N.TYPE, N.USER_ID, N.SERVERGROUP, N.CLIENTGROUP, N.PARENTSERVER, N.COMPUTER, N.VIRUS, N.CATEGORY, N.SOURCE, N.ACTACTION, N.NTIMES, N.XMINUTES, N.EMAIL, N.HYPERLINK2, N.LASTRUN, case when N.DAMPER = 0 then 60 else N.DAMPER end, N.BATCH_FILE_NAME, N.TZ_OFFSET, N.LASTRUN_DATA, A.USER_NAME, ID.NAME as DOMAIN, N.SYSTEM_EVENT, N.SECURITY_EVENT, N.TRIGGERED, N.TZ_NAME from NOTIFICATION N INNER JOIN ADMINUSER A ON A.USER_ID=N.USER_ID LEFT OUTER JOIN IDENTITY_MAP ID ON ID.ID=A.DOMAIN_ID where N.DELETED = 0 and 1328784586793 >= N.TRIGGERED + (case when N.DAMPER = 0 then 60 else N.DAMPER end * 60000) order by N.USER_ID
2012-02-09 21:49:46.825 FINE: processNotifications->m_sNotagIdx: F90957DFDC6076B139B8E89EC68A7155
2012-02-09 21:49:46.825 FINE: Timezone Name:Australia/Melbourne, Timezone Offset:-660
2012-02-09 21:49:46.825 FINE: processNotifications->lLastRun: 1328782103000/1328782103000, 2012-02-09 21:08:23, EST, lLastTriggered:0/0, 1970-01-01 10:00:00, EST
2012-02-09 21:49:46.840 FINE: Tomcat login
2012-02-09 21:49:46.871 FINE: Borrow connection from pool.
2012-02-09 21:49:46.887 FINE: Borrow connection from pool.
2012-02-09 21:49:46.887 FINE: Return connection to pool.
2012-02-09 21:49:46.887 FINE: Return connection to pool.
2012-02-09 21:49:46.887 FINE: Return connection to pool.
2012-02-09 21:49:46.887 FINE: ------------ Thread stopped --------------
Content of scm-server-0.log
2012-02-09 21:49:46.856 INFO: LoginHandler->doLogin: version from database: 11.0.7.1
2012-02-09 21:49:46.856 INFO: LoginHandler->doLogin: version from server: 11.0.7.1
2012-02-09 21:49:46.856 INFO: LoginHandler->doLogin: version from template: 11.0.7.1
2012-02-09 21:49:46.871 SEVERE: Authentication Failure. Please try again. in: com.sygate.scm.server.task.SecurityAlertNotifyTask
com.sygate.scm.server.util.ServerException: Authentication Failure. Please try again.
at com.sygate.scm.server.task.ScheduledReportingHelper.doReportingLogin(ScheduledReportingHelper.java:459)
at com.sygate.scm.server.task.SecurityAlertNotifyTask.processNotifications(SecurityAlertNotifyTask.java:425)
at com.sygate.scm.server.task.SecurityAlertNotifyTask.run(SecurityAlertNotifyTask.java:287)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)
Content of Replication-0.log
2012-02-09 21:49:46.840 WARNING: Login: Before new session: session id=6707A434406207BD661A1936524BA9C0
2012-02-09 21:49:46.840 WARNING: Login: After new session: session id=6707A434406207BD661A1936524BA9C0
For reference: main-0.log
2012-02-09 17:13:18.638 SEVERE: ================== Server Environment ===================
2012-02-09 17:13:18.684 SEVERE: os.name = Windows Server 2008 R2
2012-02-09 17:13:18.684 SEVERE: os.version = 6.1
2012-02-09 17:13:18.684 SEVERE: os.arch = x86
2012-02-09 17:13:18.684 SEVERE: java.version = 1.6.0_26
2012-02-09 17:13:18.684 SEVERE: java.vendor = Sun Microsystems Inc.
2012-02-09 17:13:18.684 SEVERE: java.vm.name = Java HotSpot(TM) Client VM
2012-02-09 17:13:18.684 SEVERE: java.vm.version = 20.1-b02
2012-02-09 17:13:18.684 SEVERE: java.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre
2012-02-09 17:13:18.684 SEVERE: catalina.home = E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
2012-02-09 17:13:18.684 SEVERE: java.user = null
2012-02-09 17:13:18.684 SEVERE: user.language = en
2012-02-09 17:13:18.684 SEVERE: user.country = AU
2012-02-09 17:13:18.684 SEVERE: scm.server.version = 11.0.7101.1056
Please help. It does not seem to be related to reports created by users which have since been deleted, nor does it seem to be caused by database connection errors.
Thank you in advance.
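One way to triage the event pattern described in this post, as an added example that is not part of the original post: the script below correlates each 4776 failure with a 4624 success for the same account within a short window and classifies the pair. A 4776 is written by the machine that consulted its own account database, and status 0xc0000064 (STATUS_NO_SUCH_USER) means the name was not found in that database, so a 4624 for the same account a moment later from the same process is consistent with a logon that missed the local database first and then succeeded against the domain; that pattern is noise to tune out, while a 4776 failure with no matching success is the one worth investigating. The event records (including the second account and its wrong-password status) are constructed samples modelled on the events quoted above.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the three events quoted in the post
# (not real exports); only the fields the correlation needs are kept.
SYSUTIL = r"E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SysUtil.exe"
EVENTS = [
    {"time": "2012-02-09 21:49:46", "id": 4776, "outcome": "failure", "account": "SEPMGR",
     "workstation": "SEPSERVER01", "status": "0xc0000064"},
    {"time": "2012-02-09 21:49:46", "id": 4648, "outcome": "success", "account": "SEPMGR",
     "domain": "MYDOMAIN", "pid": "0x16e0", "process": SYSUTIL},
    {"time": "2012-02-09 21:49:46", "id": 4624, "outcome": "success", "account": "SEPMGR",
     "domain": "MYDOMAIN", "pid": "0x16e0", "process": SYSUTIL, "logon_type": 2},
    {"time": "2012-02-09 21:50:10", "id": 4776, "outcome": "failure", "account": "backupsvc",
     "workstation": "SEPSERVER01", "status": "0xc000006a"},  # constructed: wrong password, nothing succeeds after it
    {"time": "2012-02-09 21:50:46", "id": 4776, "outcome": "failure", "account": "SEPMGR",
     "workstation": "SEPSERVER01", "status": "0xc0000064"},
    {"time": "2012-02-09 21:50:46", "id": 4624, "outcome": "success", "account": "SEPMGR",
     "domain": "MYDOMAIN", "pid": "0x16e0", "process": SYSUTIL, "logon_type": 2},
]
NO_SUCH_USER = "0xc0000064"  # STATUS_NO_SUCH_USER: the name was not found in the database consulted

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(seconds=2)):
    """For every 4776 failure, look for a 4624 success for the same account within
    `window` and classify the pair. Returns one finding per 4776 failure."""
    successes = [e for e in events if e["id"] == 4624 and e["outcome"] == "success"]
    findings = []
    for f in (e for e in events if e["id"] == 4776 and e["outcome"] == "failure"):
        t = parse_time(f["time"])
        match = next((s for s in successes if s["account"].lower() == f["account"].lower()
                      and 0 <= (parse_time(s["time"]) - t).total_seconds() <= window.total_seconds()), None)
        if match is None:
            kind = "unresolved-failure"              # no success afterwards: investigate this one
        elif f["status"] == NO_SUCH_USER:
            kind = "local-miss-then-domain-success"  # local lookup missed, then the domain logon worked
        else:
            kind = "failure-then-success"            # e.g. wrong password followed by a retry that worked
        findings.append({"time": f["time"], "account": f["account"], "status": f["status"],
                         "kind": kind, "process": match["process"] if match else None,
                         "logon_type": match["logon_type"] if match else None})
    return findings

def recurrence_seconds(findings, kind):
    """Gaps between consecutive findings of one kind; a steady gap points at a scheduled task."""
    times = sorted(parse_time(x["time"]) for x in findings if x["kind"] == kind)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]
```

Run against a real export, the steady 60-second recurrence for the benign kind lines up with the interval at which the notification task runs, while any finding of the unresolved kind is the one to follow up.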