Don't Underestimate the Windows Event Log

We had been working with a software vendor's engineer on an upgrade. There were some cryptic error messages from a process running on the server. But I also received a Severity 20 alert from the database server. Usually, I would start the troubleshooting process on my own. But since we were working with an engineer on the upgrade, I deferred to their expertise and sent the error messages to them.

After reviewing the error messages, the engineer asked me to look at this article. I was skeptical that adding the user account to the local security policy would actually resolve the issue since that user account was already in a group that was in the local security policy. But the blog gave some wise advice in that one should check the Windows Event security log for more information regarding the error.

'Alert - Sev 20 Error: Fatal Error in Current Process' occurred on [server]

If you have Glenn Berry's SQL Server alerts set up on your server, and you receive a Severity 20 alert with the following message,
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: [IP address]]
you should check the Windows Event Security log for the failed login.

In this case, the account trying to access the SQL Server was locked out, as confirmed by the entries in the Windows Event Log. Always check the Windows Event Log.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/10/2017 1:30:00 PM
Event ID: 4625
Task Category: Account Lockout
Level: Information
Keywords: Audit Failure
User: N/A
Computer: [sql server]
An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [account name]
Account Domain: [domain]

Failure Information:
Failure Reason: Account locked out.
Status: 0xC0000234
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: [workstation name]
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
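
One way to pull the same information without opening Event Viewer, as an added example that is not part of the original post: the script below lists recent Event ID 4625 entries from the Security log and decodes the Status / Sub Status code, so a lockout like the one above (0xC0000234) is visible at a glance. The variable names and the one-hour window in `$Since` are assumptions; the code-to-text table uses standard NTSTATUS values.

```powershell
# Added example: summarize failed logons (Event ID 4625) from the Security log.
# Run in an elevated PowerShell session on the SQL Server host; reading the
# Security log requires administrative rights.

# Assumed window: set this to shortly before the Severity 20 alert fired.
$Since = (Get-Date).AddHours(-1)

# NTSTATUS values commonly seen in the Status / Sub Status fields of event 4625.
# Hashtable literals are case-insensitive, so 0xc0000234 and 0xC0000234 both match.
$StatusText = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC000006D' = 'Bad user name or authentication information'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Logon from unauthorized workstation'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'Password must change at next logon'
    '0xC0000234' = 'Account locked out'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }

# Get-WinEvent raises a non-terminating error when nothing matches the filter;
# SilentlyContinue turns that case into empty output.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the event data fields by name from the XML form of the record.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Sub Status is more specific when set; in the event above it is 0x0,
    # so fall back to Status.
    $code = $data['Status']
    if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $code = $data['SubStatus'] }
    $reason = $StatusText[$code]
    if (-not $reason) { $reason = 'Unmapped status code' }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        AuthPackage = $data['AuthenticationPackageName']
        Status      = $code
        Reason      = $reason
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

Match the TimeCreated and Workstation columns against the timestamp and [CLIENT: ...] address in the SQL Server SSPI error to confirm which account caused the alert.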