One of our admins noticed a strange pattern of login messages in the Windows event log on one of our SQL Servers, and after some investigation, I've found that it the same pattern can be found on most (but not all) of our SQL Servers. I cannot seem to find the source, however.
The pattern:
- A series of four messages related to Kerberos authentication occurs every 29 minutes on affected servers. (No, that's not a typo.)
- The series is event IDs 552, 540, 576, and 538 (in that order) on Windows 2003 and earlier. On Windows 2008, the series is 4648, 4624, 4672, and 4634.
- The first message in the series says that the SQL Server's service account is authenticating via Kerberos using my credentials.
- The second and third messages relate to a login using my credentials via Kerberos and the permissions granted.
- The fourth message is a logoff.
- The series always happens in under 1 second.
I've eliminated everything I can think of:
- No other messages in the Windows event log correlate to the messages.
- No messages in the SQL Server logs correlate to the messages.
- No SQL Server Agent jobs run on that scheduler.
- Task Scheduler has no jobs on any of the affected servers.
- Our 3rd-party job scheduler does not have any jobs that run on that schedule, nor does it have my credentials.
- I briefly suspected a 3rd-party monitor that we use, but the messages were produced even when the monitor was completely turned off.
- No other 3rd-party monitors are used that would have either the service account's credentials or my credentials.
- Our linked servers use SQL Server authentication, not Windows authentication.
- The servers are a mix of SQL Server 2000, 2005, and 2008, so it can't be related to any newer SQL Server technologies, such as Service Broker.
Does anyone have any suggestions of anything else to check to find the cause of these messages?
