This is a very basic level question, but it could really benefit from some extra help in the diagnosis.
We have a 2005 SQL Server Named: SERVERNAME-PROD
We have a Web Apps Server that's running IIS 8.5 named: WEBAPPS-PROD
For a while we've been getting login failure notifications that read:
Login failed for user 'DOMAIN\WEBAPPS-PROD$'.[Client: IP_ADDRESS]
There are some live web apps on the web server that connect to that SQL server, but always do so through:
- App Roles
- SQL Logins
- Windows Authentication of the user
To add to the weirdness, it seems to consistently run around the same time of day, but we have no services or tasks scheduled on that server.
Questions:
Of course you can't step into our servers, but just looking for general diagnostic advice
- How is it possible that the web server itself is making calls to the database? It shouldn't even know about the name of the sql server outside of the configuration settings on the web applications.
- In what cases would a web server try to connect as itself to to a particular SQL server?
- How can we add something to trace those sort of calls to find out more information?
This is the computer object attempting to authenticate. This tells me that there is something running as a non-domain account attempting to access SQL Server.
Since it's a web server, most likely it's an webapp running in a pool using windows authentication and not properly setup with a pool owner, but it could really be so many different things.
What can you do?
Run an extended events or server side trace to see what process id (if any) is connecting from the web server. You can also check the open tcp ports and process ids on the web server side by using netstat or tcpview, etc,.
Again, chances are it's a not properly configured web app, but that should help you hunt it down.