Saturday, September 29, 2012

Database Mail has Locked the Domain Account

This was an incident that happened to one of my colleagues, and I was part of the troubleshooting team.

He was complaining that his domain account was getting locked daily. Their domain has the following security configuration:

1. Passwords expire quarterly, every three months.

2. Three consecutive invalid login attempts will lock the domain account.

Since I had run into the same issue before, I thought it might be a service. Once I had configured a SQL Server Express service account to log in with my own credentials. Though I was not using that Express instance, it locked my domain account.

So I checked all the services, but it was in vain.

We thought it had something to do with Outlook settings, so we reinstalled Outlook; that didn't work either.

Then we stopped guessing, decided to approach it in a more planned way, and started to examine the Security Log. (You would ask, "Why the hell didn't you do that before?")

Well, we found a clue there: it showed logon failures for Database Mail.

Then we examined the Database Mail configuration, and yep, we got it. SMTP authentication was set to Basic authentication, whereas he could have used Windows Authentication.


After Database Mail was configured, his password expired, but since he had used Basic authentication, Database Mail was still trying with the previous password. On his database server there is a job that sends notifications using Database Mail. Each time this job ran, Database Mail executed with the stale password, and with that the domain account got locked.
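To find this kind of configuration before it locks an account, the following T-SQL can be run against msdb. It is an added example and not part of the original post; it assumes the standard Database Mail tables (dbo.sysmail_account, dbo.sysmail_server, dbo.sysmail_event_log) of SQL Server 2008 or later.

```sql
-- Added audit query (not from the original post).
-- Part 1 lists Database Mail accounts that use Basic SMTP authentication,
-- i.e. a stored username/password that goes stale when the domain password
-- changes. Part 2 shows recent send errors per account so a burst of
-- failures can be matched against Security Log logon failures.
USE msdb;
GO

-- 1. Accounts with a stored SMTP credential (Basic authentication).
--    use_default_credentials = 1 means Windows Authentication with the
--    SQL Server service account; use_default_credentials = 0 together with
--    a populated username means a stored password.
SELECT  a.account_id,
        a.name                    AS account_name,
        s.servername              AS smtp_server,
        s.port,
        s.username                AS stored_username,
        s.enable_ssl,
        CASE
            WHEN s.use_default_credentials = 1 THEN 'Windows Authentication'
            WHEN s.username IS NOT NULL AND s.username <> ''
                                            THEN 'Basic authentication (stored password)'
            ELSE 'Anonymous'
        END                       AS auth_mode,
        a.last_mod_datetime
FROM    dbo.sysmail_account a
JOIN    dbo.sysmail_server  s ON s.account_id = a.account_id
WHERE   s.use_default_credentials = 0
  AND   s.username IS NOT NULL
  AND   s.username <> '';

-- 2. Database Mail errors in the last 24 hours, per account.
--    Many errors for an account whose stored_username is a domain login
--    is the pattern from the post: expired password + scheduled job = lockout.
SELECT  l.account_id,
        a.name          AS account_name,
        COUNT(*)        AS error_count,
        MIN(l.log_date) AS first_error,
        MAX(l.log_date) AS last_error
FROM    dbo.sysmail_event_log l
LEFT JOIN dbo.sysmail_account a ON a.account_id = l.account_id
WHERE   l.event_type = 'error'
  AND   l.log_date >= DATEADD(day, -1, GETDATE())
GROUP BY l.account_id, a.name
ORDER BY error_count DESC;
```

Any row returned by the first query whose stored_username is a personal domain account is a candidate for switching to Windows Authentication or to a dedicated, low-privilege mail account.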

3 comments:

  1. Here's a major problem with the solution of using Windows Authentication: If the account gets locked out, the account used for Database Mail AND the account used to run the database engine will BOTH be locked out.

    EVERY service should have its own security credentials. This way, you minimize the exposure and you can enforce the Principle of Least Privilege.

    For low privileged accounts (like an account used to send emails), you can set the password to never expire. Your only risk is that your account could be compromised and used to send spam. Some simple monitoring on your email server will mitigate this risk.

  2. I also faced the same problem with logging in to Windows 7 via domain credentials after installing a new SQL Server R2 instance. I used my domain credentials as the SQL Server user credential, and once I locked my desktop I couldn't log in again.
    The error message was: Your account is locked out and being used by another user.
    Even when I restarted Windows it appeared.

    Finally, I wanted to reset my domain account and I re-installed the SQL Server.

    Is there anything I could try?

  3. I forgot to mention that, it happened during the SQL Server installation. I locked my desktop for a while and tried to unlock.
