This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A Windows API call returned error 1385.

We seem to be getting a lot of errors on our endpoints that just randomly show up.

They where working just fine and then error.

I am starting to guess that this is normal.

Examples from different PCs.

Windows 7: 00000070 There was a problem while establishing a connection to the server. Details: LogonUser ("SophosSAUxxx0", ".", ...) failed A Windows API call returned error 1385.

More of the 1450 error ones.

Windows 7: 00000070 There was a problem while establishing a connection to the server. Details: LogonUser ("SophosSAUC-PC NAME", ".", ...) failed A Windows API call returned error 1450.

What makes it even weirder is these errors don't happen all the time.  The PC will goes 3 or 5 day with "Update successfully" then a couple days with the error then back to "Update successfully".

Any ideas??

 



This thread was automatically locked due to age.
  • Hello Navar Holmes,

    1385 is ERROR_LOGON_TYPE_NOT_GRANTED - likely the SophosSAU account's Log on as service right is missing. This doesn't happen by itself, someone must have changed it.

    1450 is ERROR_NO_SYSTEM_RESOURCES, what these resources actually are is rather arcane but generally it indicates that the computer is (in the current session) at its limits. So no surprise it comes and goes.

    Christian

  • For the 1385 error nothing has changed with any of the Sophos accounts.  I know this because I am the only person who maintains SEC.

    The endpoint was working just fine and then the 1385 error.

    Could it be a DNS related issue? As SEC and Endpoints depended on DNS only for communication?

  • Hello Navar Holmes,

    as the article linked in my previous post says this is - except for DCs - a local account, you can't modify an endpoint's local accounts or security settings with SEC. It's a change in the Local Security Policy, User Rights Assignment.

    Christian

  • Sophos and I have yet to figure out why this error is happening.

    Sometimes a restart of the RMS works but this is only rarely like real rarely.

    Only a restart of the endpoint will make the error go away.

    What make is a really weird is some endpoints never generate the error.

    I do not believe it is a windows or networking or permission issue just something with the way sohpos functions.

    Yo can also see in the SEC logs for an endpoint where is works two or three time then it doesn't work for 2 or three times then it works again.

     

    If anyone else is seeing this issue please chime in.

  • Hi Navar Holmes,

    Can you PM the reference case details, so that I can follow it internally for updates?

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • More weirdness with these errors.

    The SEC was reporting the Error 1450 on a server.

    So I logged into the server with my admin account.

    Did an update now from the server and left the server logged in with my admin account.

    Came back about an hour later and the error had cleared and had an "updated successfully".

    It is looking more and more like this is an issue with the relationship between Sophos on the endpoint and endpoint's OS.

    What I have asked support is where can we clear the error either in Sophos endpoint or the OS?

    I really think it is a Sophos problem as the endpoint can always connect to the update folder location, as I have tested this on many endpoints with \\servername\updatefolder\CIDs\...

  • The SEC can communicate with endpoint.

    You can use the SEC to Update Computer Now and you can see updating process on the endpoint.

  • I came across a laptop having this "Failed API call returned error" and what it made me think is could this be caused by the laptop going to sleep.

    Then is made me wonder what about on desktop PC with the network card Power Management option enabled to "Allow the computer to turn off this device to save power".

    If the network goes to sleep then sophos can't communicate which could generate this error.

    When in most cases only a restart will clear this error.