BUG: Non-SA CmdExec Task Run on Domain Controller Causes Error

ID: Q159792

The information in this article applies to:
BUG #: 17065 (6.5)

SYMPTOMS

If a non-system administrator (SA) login creates and runs a CmdExec task on a domain controller, the following error will occur in both the task history and the Application log of Windows NT's Event Viewer:

A problem occurred while attempting to logon as the Windows NT user
'SQLExecutiveCmdExec': Logon failure: unknown user name or bad password.


WORKAROUND

To work around this problem, do one of the following:


STATUS

Microsoft has confirmed this to be a problem in Microsoft SQL Server version 6.5. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.


MORE INFORMATION

Microsoft SQL Server version 6.5 is not recommended for installation on a primary domain controller (PDC) or a backup domain controller (BDC), because these computers perform the resource-intensive tasks of maintaining and replicating the domain's security accounts database and performing network login authentications.

If you enable security auditing for logon or logoff failures, you will see event 529, indicating a logon failure, for the SQLExecutiveCmdExec account, as in the following example:

Logon Failure:
Reason: Unknown user name or bad password
User Name: SQLExecutiveCmdExec
Domain: NTServerName
Logon Type: 4
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: NTServerName


Additionally, a similar error occurs when xp_cmdshell is run by non-system administrator (SA) logins. For more information please see the following article in the Microsoft Knowledge Base:
Q159221 : BUG: Xp_cmdshell Run by Non-SA Causes Error 1326

Additional query words: 1326 privilege tsql t-sql trans-sql 


Keywords          : kbother SSrvAdmin SSrvEntMan kbbug6.50 
Version           : 6.5
Platform          : WINDOWS 
Issue type        : kbbug

Last Reviewed: April 4, 1999