
SophosUpdateMgr account keep locked

Hi Everyone,

On my last visit to one of our Sophos customers, they complained that the Event Viewer was full of account-locked errors: the SophosUpdateMgr account keeps locking, even though endpoint updates use HTTP with a different account for IIS authentication at the server.

Has anyone encountered such an issue, or is the customer probably having a DNS issue?

:34147


  • Hello Azwan,

    the Event Viewer should show the workstation trying to access the server using the SophosUpdateMgr account. It could be an unmanaged computer, or a managed computer with RMS problems using an outdated updating policy.

    Christian

    :34157
  • Hi Christian,

    That is one source of the issue; however, managed endpoints that update through HTTP are also causing the locked-up account. Thanks

    :34175
  • Hello Azwan,

    "Endpoints that update through HTTP are also causing the locked-up account"

    then they have to use this account one way or the other. If they don't have this account in their assigned policy (Primary and Secondary) and they actually comply with the policy, how could they use it?

    Did this come all of a sudden and how was it detected - just by an audit of the Event Log or were there other issues?

    Christian

    :34183
  • Hi Christian,

    Yes, I was wondering why endpoints using a different account for updating would suddenly cause the SophosUpdateMgr account to lock. This issue was detected by the Event Log on the SEC server.

    :34187
  • Hello Azwan,

    so you know the "offending" endpoint but it does not (seem to) use the SophosUpdateMgr account? Just to be sure I'd check iconn.cfg (and if existing iconnlocal.cfg) on the client. The AutoUpdate (ALUpdate) logs should also mention the account used for connecting.

    Christian

    :34189
  • Nope... I already checked iconn.cfg; updating is the same as the policy, which uses HTTP without username & password.

    :34193
  • Hello Azwan,

    so it's HTTP only and does not require credentials? And this is the same on all clients but only a few causing the lock? Or is the account locked out almost immediately? Are all the clients up to date?

    Christian

    :34199
  • Hi Christian,

    I can say that endpoints that have the same policy as the console, which uses HTTP updating, lock the SophosUpdateMgr account every time they connect to the SEC server for an update. Thanks

    :34237
  • Hi guys, I appear to be having a similar issue. Just a quick background: the recent update that killed the update tool for Sophos was where it began. We had changed the SophosUpdateMgr account password, and the .cfg files were updated accordingly. The thing is, the old password has been in the fleet for a looong time, and we are now having account lockouts for which I can't determine the source.

    A quick trace started with the domain controllers, which pointed to the Sophos AV server (management console server). Looking at the eventvwr logs there shows the account being locked out, but the source is where things disappear. Here is an example of the event log:

        An account failed to log on.

        Subject:
            Security ID: NETWORK SERVICE
            Account Name: SophosAVServer01$
            Account Domain: CORP
            Logon ID: 0x3e4

        Logon Type: 8

        Account For Which Logon Failed:
            Security ID: NULL SID
            Account Name: SophosUpdateMgr
            Account Domain: CORP

        Failure Information:
            Failure Reason: Unknown user name or bad password.
            Status: 0xc000006d
            Sub Status: 0xc000006a

        Process Information:
            Caller Process ID: 0x1554
            Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

        Network Information:
            Workstation Name: SophosAVServer01
            Source Network Address: -
            Source Port: -

        Detailed Authentication Information:
            Logon Process: Advapi
            Authentication Package: Negotiate
            Transited Services: -
            Package Name (NTLM only): -
            Key Length: 0

    As you can see, it is coming from the IIS .exe. I am unable to determine what is trying to authenticate to IIS that is causing the lockout of the AD account. Perhaps there is a way to see which 'clients' or IPs are attempting to authenticate to IIS, so I can see which clients need a policy update with their new password? It's happening at about the same time every 2 hours.
    :34311
  • Hello EdddieP,

    there are many ways to configure IIS (and it also depends on the IIS version). Anyway, the logs are in the W3SVC1 folder usually either under %Windir%\system32\LogFiles\ or \inetpub\logs\LogFiles\.

    Christian

    :34317
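To turn the IIS log folder Christian points at into a list of clients still presenting the old SophosUpdateMgr password, the W3C log can be summarised per client IP. This is an added example written for this thread, not Sophos or IIS code: it parses the #Fields header, then counts 401.1 (logon failed) responses per c-ip where cs-username is the update account, ignoring the normal anonymous 401.2 challenge. The log lines, server and client addresses, and the update share path are constructed samples.

```python
"""Summarise failed HTTP logons in an IIS W3C log by client IP.
Constructed example; the real log lives in the W3SVC1 folder under
%Windir%\\system32\\LogFiles\\ or \\inetpub\\logs\\LogFiles\\."""
from collections import Counter
from pathlib import Path

# Constructed sample log (IIS writes '+' for spaces in the User-Agent,
# so whitespace splitting is safe). 401.1 + win32 status 1326 is
# ERROR_LOGON_FAILURE: the client sent a username/password that AD rejected.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-05-14 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-14 08:00:01 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/cidsync.upd - 80 - 10.0.1.21 Mozilla/4.0 401 2 5 15
2013-05-14 08:00:01 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/cidsync.upd - 80 CORP\SophosUpdateMgr 10.0.1.21 Mozilla/4.0 401 1 1326 31
2013-05-14 08:00:02 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/cidsync.upd - 80 - 10.0.1.40 Mozilla/4.0 200 0 0 12
2013-05-14 08:00:03 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/cidsync.upd - 80 CORP\SophosUpdateMgr 10.0.1.77 Mozilla/4.0 401 1 1326 28
2013-05-14 10:00:01 10.0.0.5 GET /SophosUpdate/CIDs/S000/SAVSCFXP/cidsync.upd - 80 CORP\SophosUpdateMgr 10.0.1.21 Mozilla/4.0 401 1 1326 30
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated or foreign lines
                rows.append(dict(zip(fields, values)))
    return rows


def failed_logons(rows, account="SophosUpdateMgr"):
    """Count 401.1 responses per client IP where the given account was presented.
    The anonymous first request (401.2, cs-username '-') is not a bad password."""
    hits = Counter()
    for r in rows:
        user = r.get("cs-username", "-").split("\\")[-1]   # strip DOMAIN\ prefix
        if (r.get("sc-status") == "401" and r.get("sc-substatus") == "1"
                and user.lower() == account.lower()):
            hits[r["c-ip"]] += 1
    return hits


def scan_folder(folder, account="SophosUpdateMgr"):
    """Run the same summary over every u_ex*.log file in a W3SVC1 folder."""
    rows = []
    for path in sorted(Path(folder).glob("u_ex*.log")):
        rows.extend(parse_w3c(path.read_text(errors="replace")))
    return failed_logons(rows, account)


if __name__ == "__main__":
    for ip, n in failed_logons(parse_w3c(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} failed logons as SophosUpdateMgr")
```

Clients that appear here are the ones whose updating policy (or local iconn.cfg) still carries the old credentials; the 2-hour cadence in the lockouts is simply the update interval.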