Credential Alarms Fire Hourly from SQL Server Agents and May Lock Out the Service Account (4302796)

Credential Management alarms are triggered hourly by SQL Server agents. This may result in repeated authentication attempts that eventually lock out the associated Windows service account, even when the correct password is configured.

Sample Error Messages:

Cannot establish connection to HOST.DOMAIN.COM: WinRM request to http://HOST.DOMAIN.COM:5985/wsman failed [Caused by: HttpHostConnectException]

com.quest.glue.api.services.CredentialRejectedException: AccessIsDenied (0x5) while connecting as DOMAIN\USER to HOST.DOMAIN.COM. Please ensure that the Remote Registry and Server services are running and the connecting user has permission to modify these registry keys...

Failure: Cannot establish connection to HOST.DOMAIN.COM: WinRM request to http://HOST.DOMAIN.COM:5985/wsman failed: received HTTP/401 - credentials rejected

This issue occurs due to failed attempts to collect SQL Server error logs using Windows Remote Shell (WinRM) or DCOM (WMI), particularly when:

• SQL Server agents are set to use the FALLBACK Error list collection query method.

• Required remote access permissions or services are not properly configured on the monitored host.

The fallback mechanism first attempts a WinRM/DCOM connection to retrieve logs. If this fails, it reverts to JDBC, but credential alarms may be triggered in the process.

The SQL Server agent, from version 5.7.5.1 onwards, is now using Windows Remote Shell command to get the DBSS_Error_Log_List, DBSS_SQL_Server_Error_Log, and DBSS_SQL_Agent_Error_Log collections. Windows Remote Shell Command DCOM connection is a different type of connection that also uses DCOM (WMI)/WinRM apart from the usual WindowsInfoConnection that a DBSS agent makes to get the OS Collections. 

The failed Credential Alarms occur when the DBSS agent cannot make the Remote Shell command and this is a valid alarm (when the 4 WinRM + 1 DCOM(WMI) connection attempts fail). WindowsInfoConnection may very well work but the Remote Shell command may fail, triggering the failed credential alarms.

SQL Server agents may be configured to use FALLBACK Error list collection query method, this attempts to make an OS connection using DCOM (WMI) to collect Error Log data, and then follows with a JDBC connection.

When the sufficient permissions have not been applied, credential alarms from each SQL Server agents may fire hourly.
 

Resolution 1: Switch Error Log Collection Method to JDBC

To avoid connection attempts via WinRM/DCOM and eliminate the credential alarms, change the collection method from FALLBACK to JDBC.

Option A: Update Individual SQL Server Agents

1. Go to Administration > Agents > Agent Status.

2. Select the affected SQL Server agent(s).

3. Click Edit Properties > Modify the private properties for this agent.

4. Change Error list collection query method to JDBC.

5. Click Save.

Option B: Apply Change to All SQL Server Agents

1. Navigate to Administration > Agents > Agent Status.

2. Select multiple SQL Server agents.

3. Click Edit Properties > Modify the properties for all DB_SQL_Server agents.

4. Set Error list collection query method to JDBC.

5. Click Save.

Option C: Set JDBC as the Default for Future SQL Server Agents

1. Go to Administration > Agents > Agent Properties.

2. Expand the namespace/type for DB_SQL_Server.

3. Click DB_SQL_Server.

4. Change Error list collection query method to JDBC.

5. Click Save.

Option D: Use a Groovy Script to Update All Agents

Use the following Groovy script in the Script Console (see KB 4309796 for instructions):

srvConfig = server["ConfigService"]
srvAgent = server["AgentService"]
namespace = "DB_SQL_Server"
agentType = "DB_SQL_Server"

def updateASP(primaryASP) {
    primaryASP.setValueByString("ErrorLogListQueryMode", "JDBC")
    srvConfig.saveConfig(primaryASP)
}

primaryASP = srvConfig.getAgentTypePrimaryAsp(namespace, agentType)
updateASP(primaryASP)

def allAgents = srvAgent.findByAdapterAndType("FglAM", "DB_SQL_Server")
allAgents.each { agent ->
    primaryASP = srvConfig.getAgentInstancePrimaryAsp(namespace, agentType, agent.getId())
    updateASP(primaryASP)
}

return true

To list current Error Log settings for each agent, use:

def out = new StringBuilder()
def agentService = server.get("AgentService")
def configService = server.get("ConfigService")
def agents = agentService.findByAdapterAndType("FglAM", "DB_SQL_Server")

for (agent in agents) {
    def primaryASP = configService.getAgentInstancePrimaryAsp(agent.getAgentNamespace(), agent.getTypeId(), agent.getId())
    if (primaryASP) {
        out.append(String.format("%s, %s: ErrorLogListQueryMode=%s\n", agent.getRemoteClientId(), agent.getName(), primaryASP.getString("ErrorLogListQueryMode")))
    }
}

return out.toString()

Resolution 2: Disable Error Log Collection

You may disable the error log collections entirely if they're not required:

1. Go to Administration > Agents > Agent Status.

2. Select a SQL Server agent and click Edit > Edit Properties.

3. Click Modify the private properties for this agent.

4. Clone the Collection Details list and name it (e.g., test_no_error_log).

5. In the cloned list, uncheck Collection Enable for the following collections:

   • DBSS_Error_Log_List

   • DBSS_SQL_Server_Error_Log

   • DBSS_SQL_Agent_Error_Log

6. Save and assign this cloned list to each SQL Server agent.

7. Deactivate all SQL Server agents.

8. Unlock the service account.

9. Reactivate the agents.

10. Monitor to ensure the service account no longer locks out.

Additional Notes

• WMI-based collection from a Linux FglAM requires registry modifications on the target Windows host.

• WinRM is the recommended method for Windows monitoring.

• For antivirus exclusions and service configuration, see related KB articles.

• This issue is tracked under Defect ID: FOG-5937, and may be addressed in a future release of the SQL Server cartridge.