We received the following error message after running a VM scan
"The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library."
This is what Microsoft had to say about this error message.
Message: The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library.%.*ls
The SQL Server computer was unable to process the client login packet. This may be because the packet was created improperly or because the packet was damaged during transmission. It can also be caused by the configuration of the SQL Server computer. The IP address listed is the address of the client computer.
More Information
When using Windows Authentication in a Kerberos environment, a client receives a Kerberos ticket that contains a Privilege Attribute Certificate (PAC). The PAC contains various types of authorization data including groups that the user is a member of, rights the user has, and what policies apply to the user. When the client receives the Kerberos ticket, the information contained in the PAC is used to generate the user's access token. The client presents the token to the SQL Server computer as part of the login packet.
If the token was improperly created or damaged during transmission, SQL Server cannot offer additional information about the problem.
When the user is a member of many groups or has many policies, the token may grow larger than normal to list them all. If the token grows larger than the MaxTokenSize value of the server computer, the client fails to connect with a General Network Error (GNE) and error 17832 can occur. This problem may affect only some users: users with many groups or policies. When the problem is the MaxTokenSize value of the server computer, error 17832 in the SQL Server error log will be accompanied by an error with state 9. For additional details about Kerberos and MaxTokenSize, see KB327825 (http://support.microsoft.com/kb/327825).
To resolve this problem, increase the MaxTokenSize value of the server computer to a size large enough to contain the largest token of any user in your organization. To research the correct token size for your organization, consider using the Tokensz application. For more information, see http://go.microsoft.com/fwlink/?LinkId=111047.
Caution:
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend that you back up any valued data on the computer.
To change the MaxTokenSize on the server computer
What concerns me is that my initial scan profile has the authenticated box unticked, so I am not trying to authenticate to the server.
Has anyone experienced this before?
Qualys suggested I do the following:
You can implement the following workarounds:
- restrict access to vulnerable service by blocking the connectivity with a firewall between the target host and the scanner
- exclude host from scan
- exclude the offending ports from scan (identify the offending ports/services)
- lower the performance setting in the Option Profile to use less parallelism as the host might simply be overloaded
- rescan the target host with scan overall performance set to low - please let me know the result

We cannot see from the scanner appliance point of view what/how exactly the service on this target is processing our requests or exactly which request the service does not like, ending in the error followed by the stopping of this service.
Only the software vendor is able to analyze their product and identify what is happening on that specific environment and within the application.
We cannot see what is happening within the application. We think that almost certainly there is a bug in the service in question.
The QualysGuard scan may place the service in some odd state.
What we should do here, and as per our procedure on dealing with this rare event, is for our customer to open a ticket with the vendor of the product and quote our case reference. We will be more than happy to ship the vendor a scanner appliance and set up an account for their testing and we can provide assistance in trying to resolve this. Qualys won't be able to fix the software issue in the application as this product is not maintained/released by Qualys. The vendor can analyze/identify/fix the issue within their application.
Looking at the error, this should be investigated with a view to releasing a patch and to secure the input from any other possible vulnerability threats by analyzing the input sanitization to that software.
If you provide us the case number that you opened at the vendor with regards to that application crash, contact details of the vendor support then we will contact them and provide assistance in trying to resolve this.
I then rescanned the servers changing the performance settings to low as suggested but still had the same error message.
I will update the post as and when I have a solution.
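
A triage sketch for the situation described in this post, added here as an example and not part of the original post or of Microsoft's or Qualys's material: it pairs each 17832 header in a SQL Server error log with the client address on the line that follows, then separates state 9 events (the MaxTokenSize case quoted above) from events whose client is the scanner. The log excerpt, the IP addresses and the `triage_17832` name are constructed, and reading the state from the `Error: 17832, ..., State: N.` header line is an assumption about how the state is reported.

```python
import re
from collections import defaultdict

MSG = ("The login packet used to open the connection is structurally invalid; "
       "the connection has been closed. Please contact the vendor of the client library.")

# Constructed error log excerpt (not from the post). 192.0.2.10 stands in for
# the scanner appliance, 198.51.100.7 for an ordinary Kerberos client.
SAMPLE_LOG = f"""\
2024-03-01 02:14:07.31 Logon       Error: 17832, Severity: 20, State: 2.
2024-03-01 02:14:07.31 Logon       {MSG} [CLIENT: 192.0.2.10]
2024-03-01 02:14:09.02 Logon       Error: 17832, Severity: 20, State: 2.
2024-03-01 02:14:09.02 Logon       {MSG} [CLIENT: 192.0.2.10]
2024-03-01 02:15:40.77 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 02:15:40.77 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2024-03-01 09:03:12.45 Logon       Error: 17832, Severity: 20, State: 9.
2024-03-01 09:03:12.45 Logon       {MSG} [CLIENT: 198.51.100.7]
"""

HEADER = re.compile(r"Error: (\d+), Severity: \d+, State: (\d+)\.")
CLIENT = re.compile(r"\[CLIENT: ([^\]]+)\]")

def triage_17832(log_text, scanner_ips):
    """Group error 17832 events by client IP and attach a triage verdict."""
    events = defaultdict(lambda: {"count": 0, "states": set()})
    pending_state = None  # state of a 17832 header awaiting its message line
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            number, state = header.groups()
            pending_state = int(state) if number == "17832" else None
            continue
        client = CLIENT.search(line)
        if pending_state is not None and client:
            entry = events[client.group(1)]
            entry["count"] += 1
            entry["states"].add(pending_state)
        pending_state = None  # a header only applies to the very next line
    for ip, entry in events.items():
        if 9 in entry["states"]:
            entry["verdict"] = "maxtokensize"   # the oversized-token case described above
        elif ip in scanner_ips:
            entry["verdict"] = "scanner"        # malformed packet came from scan traffic
        else:
            entry["verdict"] = "investigate"    # neither known cause: look at the client
    return dict(events)

if __name__ == "__main__":
    for ip, entry in triage_17832(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, entry["count"], sorted(entry["states"]), entry["verdict"])
```
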