Although client applications may fail to log in for many reasons, Adaptive Server does not provide them with any detailed information about the login failure. This avoids giving information to malicious users who are attempting to crack passwords or otherwise breach Adaptive Server’s authentication mechanisms.
However, detailed information is useful to system administrators for diagnosing Adaptive Server administrative or configuration problems, and to security officers for investigating attempts to breach security.
The following command enables auditing for all login failures:
sp_audit "login", "all", "all", "fail"
To provide a barrier to inappropriate use of the information, only a user who has been granted the SSO role can access the audit trail, which contains this sensitive information.
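Once the audit option above is set, a security officer can review the recorded failures from the audit trail. The queries below are an added example, not part of the original documentation. They assume that auditing is enabled, that the current audit table is sysaudits_01 in the sybsecurity database, that event 45 is the login event and that eventmod 2 marks a failed attempt. The time windows and the threshold of 5 are illustrative.

```sql
-- Added example; run as a login that has been granted the SSO role.
-- Assumptions: auditing is enabled (sp_configure "auditing", 1), the current
-- audit table is sysaudits_01, event 45 = login, eventmod 2 = failed attempt.
use sybsecurity
go

-- 1. Every failed login recorded in the last 24 hours, newest first.
--    extrainfo holds whatever detail the server recorded for the failure.
select eventtime, loginname, spid, extrainfo
from sysaudits_01
where event = 45
  and eventmod = 2
  and eventtime >= dateadd(hh, -24, getdate())
order by eventtime desc
go

-- 2. Login names with 5 or more failures in the last hour, which separates
--    repeated attempts against one account from an isolated mistyped password
--    or a one-off resource or configuration failure.
select loginname,
       count(*)       as failures,
       min(eventtime) as first_seen,
       max(eventtime) as last_seen
from sysaudits_01
where event = 45
  and eventmod = 2
  and eventtime >= dateadd(hh, -1, getdate())
group by loginname
having count(*) >= 5
order by failures desc
go
```

If more than one audit table is configured, run the same queries against each sysaudits_NN table that is in use.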
Adaptive Server audits login failures for the following conditions:
For Adaptive Server started as a Windows Service, if the Sybase SQLServer service is paused (for example, by the Microsoft Management Console for Services).
If a remote server attempts to establish a site handler for server-to-server RPCs, but insufficient resources (or any of the other conditions listed here) cause the site handler initialization to fail.
Using Adaptive Server for Windows with the Trusted Login or Unified Login configuration, but the specified user is not a trusted administrator (that is, an authentication failure).
Adaptive Server does not support the SQL interface requested by the client.
A user is attempting to log into Adaptive Server when it is in single-user mode. In single-user mode, exactly one user with the sa_role is allowed to log in to Adaptive Server. Additional logins are prevented, even if they have the sa_role.
The syslogins table in the master database fails to open, indicating the master database has an internal error.
A client attempts a remote login, but sysremotelogins cannot be opened, or there is no entry for the specified user account and no guest account exists.
A client attempts a remote login and, although it finds an entry referring to a local account for the specified user in sysremotelogins, the referenced local account does not exist.
A client program requests a security session (for example, a Kerberos authentication), but the security session could not be established because:
The Adaptive Server security subsystem was not initialized at startup.
Insufficient memory resources for allocated structures.
The authentication negotiation failed.
An authentication mechanism is not found for the specified user.
The specified password was not correct.
syslogins does not contain the required entry for the specified login.
The login account is locked.
Adaptive Server has reached its limit for the number of user connections.
The configuration parameter unified login required is set, but the login has not been authenticated by the appropriate security subsystem.
Adaptive Server’s network buffers are unavailable, or the requested packet size is invalid.
A client application requests a host-based communication socket connection, but memory resources for the host-based communication buffers are not available.
A shutdown is in progress, but the specified user does not have the SA role.
Adaptive Server could not open the default database for a login, and this login does not have access to the master database.
A client makes a high availability login failover request, but the high availability subsystem does not have a high availability session for this login, or the login is unable to wait for the failover to complete.
A client requests a high availability login setup, but the high availability subsystem is unable to create the session or is unable to complete the TDS protocol negotiations for the high availability session.
Adaptive Server fails to set up tempdb for a login.
TDS Login Protocol errors are detected.
Copyright © 2005. Sybase Inc. All rights reserved.