Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 17806 Source: MSSQLSERVER

SSPI handshake failed with error code <error code> while establishing a connection with integrated security; the connection has been closed. [CLIENT: <ip address>].
Had this event along with the event ID 18452. Server is a HP Insight Manager, and in this case, these events are caused by the database of this application. HP SIM Service was running with an account, and connection database was made with another account, actually disabled.
- Edited the file database.props to change the current account by the same account than the service HPSIM is running
- Forced new password with the mxpassword utility embedded with HP SIM
- Changed password in AD for the service account
- Changed the password on the HP SIM and OpenSSH services
- Restarted services, and everything went fine

HP Support Forum Thread 977955 (How do i change Database Connection User?) was very helpful.
In our case, the server that was showing the error had the MSSQLSERVER service running using a domain account that had a password change yesterday. All client/server applications were up and running, but all jobs started to fail and we were unable to connect to the databases on that server using SQL Server Management Studio. Restarting the service with the new credentials was the solution.
Check all accounts and computers in the delegation path for the database or for the application that accesses the database. Something in the environment changed at a client site and Event ID 18452 along with this event started occuring. Everything looked normal until we went back through the user and the computer accounts associated with the database and the web server. In the client's case, they had a web application accessing a database using windows authentication. From the web server, the page would come up. From a client system, the web site would not. We found that the domain account that the SQL server was running under had delegation disabled in active directory. After enabling delegation on the account, the error went away. We worked with Microsoft on this issue and at one point, they had us check delegation on the sql server account and web server account as well.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.