Compliance Search locks default account, apparently

Last post 05-16-2018, 8:48 PM by Wwong. 8 replies.
Sort Posts: Previous Next
  • Compliance Search locks default account, apparently
    Posted: 05-11-2018, 3:49 PM

    This may sound unlikely... but we've seen it happen enough times that I'm pretty confident what I relate here is true.

    We use domain\cvadmin as our default commvault account; I'm not sure how else to define it. It's the account that the CV processes use by default whenever a login is required "behind the scenes", as it were.

    Frequently, simply using Compliance Search appears to lock this account. We login with our own credentials, not as domain\cvadmin, but anything after the login will sometimes - I don't THINK it's always - locks that account. It's happened early-early-early in the morning, when no one but me is trying to search, but it's happened at other times of the day, too.

    I THINK it (mostly) goes away for a while after I unlock the account, but it always comes back to bite us, eventually.

    Does anyone have a clue as to what would be causing this?

  • Re: Compliance Search locks default account, apparently
    Posted: 05-11-2018, 8:28 PM

    Hi Shawn

    From the review of the problem description, this could be potentially related to authentication with the WebServer. 

    Depending on how the environment is configured, the WebServer component could be on the same Server as the Compliance Search or a different Server. 

    In the Log Directory of the Webserver, there should be a webserver.log, if you can recall the time when the issue occur and marry up the time in the webserver logs, you can see if there are any specific errors that are highlighted. 

    If possible please provide those log lines, so we can help further

    Thank you 

    Winston 

  • Re: Compliance Search locks default account, apparently
    Posted: 05-14-2018, 7:45 AM

    Thank you for your reply.

    I do find a Webserver log on the compliance search server. I've attached a portion of the log from approximately the time of the failure. I can see that at 15:05:22, a successful download was possible, but... the activities of user "cswg\sgallagh" seem to be what lock the cvadmin account.

    Attachment: webserver.txt
  • Re: Compliance Search locks default account, apparently
    Posted: 05-14-2018, 8:35 AM

    Hi Shawn

    From the review of the WebServer.log

    3604  61    05/11 15:06:34 ### cswg\sgallagh ADAuthenticator:BindForAd - Exception occurred. Message [Logon failure: unknown user name or bad password.
    ], inner Exception [], source [System.DirectoryServices] stacktrace [ at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_NativeObject()
    at DM2WebLib.Security.ADAuthenticator.BindForAd(String userAlias, String pwd, String domain, Boolean bUseSSL, String proxyHost, Boolean isJumpCloud)] targetsite [Void Bind(Boolean)]
    3604 2b8 05/11 15:06:34 ### QDecryptPasswordAnsi()() - Decryption of Password(ANSI) failed with Error code [0x103] Error string [Invalid Login/Password]
    3604 61 05/11 15:06:34 ### cswg\sgallagh ADAuthenticator:BindForAd - Exception occurred. Message [Logon failure: unknown user name or bad password.
    ], inner Exception [], source [System.DirectoryServices] stacktrace [ at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_NativeObject()
    at DM2WebLib.Security.ADAuthenticator.BindForAd(String userAlias, String pwd, String domain, Boolean bUseSSL, String proxyHost, Boolean isJumpCloud)] targetsite [Void Bind(Boolean)]

    I can see multiple event of the same user "cswg\sgallagh" reporting Logon Failure.


    This could be related a potentially to the user continuously overwhelming the WebServer, causing the sporadic disconnection.


    Assuming you are using SSO, could you confirm whether the user "cswg\sgallagh" have the credentails saved in a browser and then clear out all the cache?


    If you block that user, and monitor the WebServer logs, can you confirm whether the same event will be logged?


    Thank you


    Winston

  • Re: Compliance Search locks default account, apparently
    Posted: 05-14-2018, 11:29 AM

    Thanks... but my user logged off, cleared her browser cache, tried searching again... and cswg\cvadmin got locked again!

     

    Maddening!

  • Re: Compliance Search locks default account, apparently
    Posted: 05-14-2018, 11:31 AM

    ...When I unlock the cvadmin account, and resume the Pending jobs, they seem to complete all right.

  • Re: Compliance Search locks default account, apparently
    Posted: 05-14-2018, 8:52 PM

    Hi Shawn 

    At this point it sounds like an environmental factor that is continuously causing the cvadmin to lock up. 

    Can you please confirm whether other process, such as email Archiving is used in the environment with the cvadmin user?

    It might be feasible to open a CommVault Ticket, as it sounds like the issue is happening more frequently

    Thank you 

    Winston

  • Re: Compliance Search locks default account, apparently
    Posted: 05-16-2018, 2:06 PM

    My sincere thanks for your suggestions.

    I did open a ticket with Support, who pushed the problem up to Development. A patch for the webserver is supposed to be in the works right now.

  • Re: Compliance Search locks default account, apparently
    Posted: 05-16-2018, 8:48 PM

    Hi Shawn

    Thanks for the feedback and happy to assist

    Please keep us posted on the findings and the potential fix for the issue. 

    Would be good to know the resolution, and share it with the forum :)

    Thank you 

    Winston 

The content of the forums, threads and posts reflects the thoughts and opinions of each author, and does not represent the thoughts, opinions, plans or strategies of Commvault Systems, Inc. ("Commvault") and Commvault undertakes no obligation to update, correct or modify any statements made in this forum. Any and all third party links, statements, comments, or feedback posted to, or otherwise provided by this forum, thread or post are not affiliated with, nor endorsed by, Commvault.
Commvault, Commvault and logo, the “CV” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, SnapProtect, ROMS, and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
Close
Copyright © 2018 Commvault | All Rights Reserved. | Legal | Privacy Policy