Domain PC can block all authentication against a certain server

Discussion in 'Server Security' started by Al, Mar 16, 2009.

  1. Al

    Al Guest

    Hi,

    We've got a very strange issue. We have a Win2003 server, running SQL Server
    and Reporting Services 2005, and sometimes it starts to refuse (new)
    connections to these 2 services (integrated authentication).

    We have tracked the issue down to 1 particular PC (WinXP SP3), which is
    always being used by the same user (my boss). Most of the time it's OK, and
    he can get Kerberos ticket for the server / services, but sometimes he's a
    one man DoS. Have tested this by using kerbtray to purge all his tickets, and
    then getting him to connect to Reporting Services and / or SQL Server. He
    can't connect, and anyone else who hasn't already been authenticated can't
    connect after his attempt.

    Connecting to Reporting Services, we'll get the following errors in the
    Application log

    "SSPI handshake failed with error code 0x80090311 while establishing a
    connection with integrated security; the connection has been closed....."

    "Login failed for user ''. The user is not associated with a trusted SQL
    Server connection...."

    "HTTP authentication failed....."

    Once the server has gone, we can only use SQL authentication to connect to
    the SQL Server, and the server requires a reboot. Before we realised it was a
    particular server, started building a replacement server, with an identical
    set-up, and this hasn't had the same problem.

    We are running Standard SQL Server 2005 SP2, on Win2003 SP2. SQL Server and
    SSRS are both running as separate Domain accounts. The SQL Server account has
    had its SPN registered against the server. It's using the standard SQL
    Server port of 1433. SSRS is in its own Application pool on IIS, running
    under Network Service. SSRS has NOT been modified with a security extension.
    The server is also running Dynamics 10.0.

    The fact that it only occurs sometimes is a puzzle.

    While rebuilding the problem PC is going to happen, it's still a concern
    that another PC on the domain could cause this. So we would like to track
    down the root cause of the issue. If anyone has any ideas or suggestions,
    would love to hear them.

    Al
     
    Al, Mar 16, 2009
    #1

  2. Ace Fekay
    Is his PC getting LSA 40961 and 030 errors in the event logs? I've seen
    similar issues where the PC gets these errors. It is due to the logged on
    user account not being able to renew the kerb ticket. We found it was due to
    AD restrictions on the account that prevented the workstation from renewing
    the ticket. The only way to get the PC to communicate again was to reboot
    it.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Mar 16, 2009
    #2
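An added example, not part of the thread or written by either poster: one way to find which client's SSPI failure comes first in each outage, by scanning the server's log for the 0x80090311 message quoted above and reporting bursts that begin after a quiet period and then spread to other clients. The log line layout, the `[CLIENT: ip]` suffix, the addresses and the thresholds are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on SQL Server error log lines. The timestamps,
# addresses and the "[CLIENT: ip]" suffix are assumptions, not from the thread.
_MSG = ("SSPI handshake failed with error code 0x80090311 while establishing a "
        "connection with integrated security; the connection has been closed.")
SAMPLE_LOG = "\n".join([
    f"2009-03-16 09:01:12 Logon {_MSG} [CLIENT: 10.0.0.23]",
    "2009-03-16 09:01:12 Logon Login failed for user ''. [CLIENT: 10.0.0.23]",
    f"2009-03-16 09:02:40 Logon {_MSG} [CLIENT: 10.0.0.41]",
    f"2009-03-16 09:03:05 Logon {_MSG} [CLIENT: 10.0.0.57]",
    f"2009-03-16 09:04:30 Logon {_MSG} [CLIENT: 10.0.0.23]",
    f"2009-03-16 14:20:00 Logon {_MSG} [CLIENT: 10.0.0.88]",  # isolated failure
    f"2009-03-17 11:15:03 Logon {_MSG} [CLIENT: 10.0.0.23]",
    f"2009-03-17 11:15:50 Logon {_MSG} [CLIENT: 10.0.0.57]",
    f"2009-03-17 11:17:22 Logon {_MSG} [CLIENT: 10.0.0.41]",
])

SSPI_FAILURE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*SSPI handshake failed with error code "
    r"0x80090311\b.*\[CLIENT: ([^\]]+)\]")

def parse_failures(log):
    """Return sorted (timestamp, client) pairs for 0x80090311 SSPI failures."""
    events = []
    for line in log.splitlines():
        m = SSPI_FAILURE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return sorted(events)

def outage_triggers(log, quiet=timedelta(minutes=30),
                    window=timedelta(minutes=10), min_others=2):
    """Find failure bursts that start after a quiet period and then spread to
    other clients; report (start, first_client, other_clients) for each."""
    events, found, prev = parse_failures(log), [], None
    for i, (ts, client) in enumerate(events):
        if prev is None or ts - prev > quiet:
            others = {c for t, c in events[i + 1:] if t - ts <= window and c != client}
            if len(others) >= min_others:
                found.append((ts, client, sorted(others)))
        prev = ts
    return found

if __name__ == "__main__":
    for start, first, others in outage_triggers(SAMPLE_LOG):
        print(f"{start}: burst began with {first}, then {', '.join(others)}")
```

A client that heads several bursts is a lead to check against that PC's own event log, not proof that it caused the outage.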