Windows logon audit event for businesslayerhost

Updated 26th July 2017

Overview

You notice a Windows logon audit event generated for businesslayerhost.exe in the Windows Security Logs.

  • This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.
  • This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.


Windows Events
5/25/2017 5.02.10 am - 5.02.19 am

Category = -12544

Subject:
    Security ID:              S-1-0-0-Blanked
    Account Name:             -
    Account Domain:           -
    Logon ID:                 Blanked
    Logon GUID:               {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:             systemAdministratorAccount2
    Account Domain:
    Logon GUID:               {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name:       OrionServer.domain.local
    Additional Information:   OrionServer.domain.local

Process Information:
    Process ID:               0x2ccc
    Process Name:             C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe

Network Information:
    Network Address:          -
    Port:                     -

Environment

  • NPM 12+
  • UDT 3.2.4

Cause

  • UDT accounts are either incorrectly configured or orphaned, and need to be removed.

Resolution

  • If you are using credential ID '17' for the AD controller, it needs to be removed.

    You can edit the AD properties and correct the ID '17' part of the credentials, or create correct credentials and assign them to the AD controller. This is done on the http://localhost/Orion/UDT/ManageDom...ntrollers.aspx page.

In this example, AD polling via UDT wasn't used, so every AD credential in UDT was removed.

The issue persisted with the Windows events, however. Some UDT accounts could clearly still be seen in the Credentials table, yet not on the UDT AD Polling Credentials page.

  • The UDT tables show that the UDT environment has no AD-capable UDT nodes, only Layer 2 and Layer 3; there is no Type 8 (= AD) capability.
    You can check for such accounts with the following SQL and look for any credentials whose owner is UDT:

    SELECT TOP 1000 * FROM [dbo].[Credential]
    SELECT TOP 1000 * FROM [dbo].[CredentialProperty]

UDT_NodeCapability Table:

  • Capability 2,3 = Layer 2, layer 3 Polling
  • Capability 8 = Domain Controller = NO Nodes Capable


Credentials Table

ID   Name               CredentialType                                                                   CredentialOwner
17   ServiceAccount     SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential   UDT
18   swADAccount        SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential   UDT
25   sysadministrator1  SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential   UDT
26   sysadministrator1  SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential   UDT
27   sysadministrator1  SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential   UDT

****************************************************
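As an added example (not from this article or from SolarWinds), the following Python parses the body of the explicit-credential logon event shown above (Windows Security Event ID 4648) and correlates the account it names with the dbo.Credential rows from the table, flagging a name stored several times under the UDT owner, which is the orphaned pattern this article describes. The event text and credential rows are constructed from the article's values; the account name in the event is substituted with sysadministrator1 so the lookup has something to hit.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample modelled on the event in the article (redactions kept; the account
# name is substituted with one from the Credentials table so the lookup below matches).
EVENT_TEXT = r"""Subject:
    Security ID: S-1-0-0
    Account Name: -
Account Whose Credentials Were Used:
    Account Name: sysadministrator1
    Account Domain:
Target Server:
    Target Server Name: OrionServer.domain.local
Process Information:
    Process ID: 0x2ccc
    Process Name: C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe
"""

# Rows copied from the article's dbo.Credential excerpt: (ID, Name, CredentialOwner).
CREDENTIAL_ROWS = [(17, "ServiceAccount", "UDT"), (18, "swADAccount", "UDT"),
                   (25, "sysadministrator1", "UDT"), (26, "sysadministrator1", "UDT"),
                   (27, "sysadministrator1", "UDT")]

def parse_event(text):
    """Turn the event body into {section: {field: value}}; unindented 'X:' lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")) and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            sections[current] = {}
            continue
        field, _, value = raw.strip().partition(":")
        sections.setdefault(current, {})[field.strip()] = value.strip()
    return sections

def triage(event, rows):
    """Correlate the account the process presented with the stored credential rows."""
    used = event["Account Whose Credentials Were Used"]["Account Name"]
    proc = PureWindowsPath(event["Process Information"]["Process Name"]).name
    udt_names = Counter(name for _, name, owner in rows if owner == "UDT")
    return {
        "process": proc,
        "from_orion_business_layer": proc.lower() == "solarwinds.businesslayerhost.exe",
        "account_used": used,
        "matching_credential_ids": [cid for cid, name, _ in rows if name.lower() == used.lower()],
        # The same name stored repeatedly under the UDT owner is the orphaned pattern in the article.
        "duplicate_udt_names": {n: c for n, c in udt_names.items() if c > 1},
    }

if __name__ == "__main__":
    print(triage(parse_event(EVENT_TEXT), CREDENTIAL_ROWS))
```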

  • We removed any orphaned or unused UDT credentials from Orion and UDT.
  • In case old polling jobs are orphaned, rebuild all the SDF files for the Job Engine and the Collector.
  • Also remove any UDT credentials from the two credential tables via the GUI, or via a SQL DELETE statement if they do not show there.
  • It should be safe to delete them if UDT isn't using any of those AD accounts.
  • In this example, UDT is only polling Layer 2 or Layer 3 via SNMP credentials.


Steps:

  • Step A: Proceed with rebuilding the SDF files as shown below.
  • Step B: For orphaned credentials, check whether they show under Settings -> Manage Windows Credentials:
    • http://yourservername/Orion/Admin/Credentials/CredentialManager.aspx
    • Delete them from there if they are not used.
    • If they do not show in the GUI, use SQL DELETE statements to remove them. The Credential table keys on ID and CredentialProperty on CredentialID; replace the placeholder with the UDT credential ID to delete:
    • DELETE FROM [dbo].[Credential] WHERE ID = <UDTCredentialIDToDelete>
    • DELETE FROM [dbo].[CredentialProperty] WHERE CredentialID = <UDTCredentialIDToDelete>


****************************************************

Replace the Collector Files

  1. Stop all Orion services from Orion Service Manager.
  2. Go to C:\ProgramData\Solarwinds\Collector\Data\ and locate the JobsTracker.sdf and PollingController.sdf files.
    • Rename them to *******OLD.sdf.
  3. Then create a copy of each C:\ProgramData\Solarwinds\Collector\Data\***** Blank.sdf file.
    • Rename the copies to JobsTracker.sdf and PollingController.sdf.
  4. This way you have the old files to revert back to, and you always have a blank copy in case the issue reoccurs.
  5. Right-click each .sdf file you have created, open Properties, deselect the Read-only box and click OK.


To replace one or both job engine databases:

  1. Log on to your Orion server using an account with administrative rights.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Shutdown Everything.
    Note:
     It may take a few minutes to stop all services.
  4. If you are replacing the job engine version 1 database, complete the following steps:
    1. Make a backup copy of JobEngine35.sdf as JobEngine35.old.
      Notes:
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine\Data\.
    2. Make a copy of JobEngine35 - Blank.sdf and rename it as JobEngine35.sdf.
      Notes:
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine\Data\.
    3. Right-click JobEngine35.sdf, as renamed in the previous step.
    4. Click Properties.
    5. Clear the Read-only option.
  5. If you are replacing the job engine version 2 database, complete the following steps:
    • Make a backup copy of JobEngine35.sdf as JobEngine35.old.
      Notes:
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine.v2\Data\.
    • Make a copy of JobEngine35 - Blank.sdf and rename it as JobEngine35.sdf.
      Notes:
      • The default location of this file on Windows Server 2008 is C:\ProgramData\SolarWinds\JobEngine.v2\Data\.
    • Right-click JobEngine35.sdf, as renamed in the previous step.
    • Click Properties.
    • Clear the Read-only option.
  6. On your Orion server, click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  7. Click Start Everything.
    Note:
     It may take a few minutes to start all services.

Last modified
09:31, 15 Sep 2017