
SQL error message alert after VM Scan

Question asked by rishard on Feb 17, 2012
Latest reply on Feb 19, 2012 by rishard

We received the following error message after running a VM scan

 

"The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library."

 

This is what Microsoft had to say about this error message.

 

Details

Product: SQL Server
Event ID: 17832
Source: MSSQLServer
Version: 10.0
Component: SQLEngine
Symbolic Name: SRV_BAD_LOGIN_PKT
Message: The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library.%.*ls


Explanation

The SQL Server computer was unable to process the client login packet. This may be because the packet was created improperly or because the packet was damaged during transmission. It can also be caused by the configuration of the SQL Server computer. The IP address listed is the address of the client computer.

More Information

When using Windows Authentication in a Kerberos environment, a client receives a Kerberos ticket that contains a Privilege Attribute Certificate (PAC). The PAC contains various types of authorization data including groups that the user is a member of, rights the user has, and what policies apply to the user. When the client receives the Kerberos ticket, the information contained in the PAC is used to generate the user's access token. The client presents the token to the SQL Server computer as part of the login packet.

    

If the token was improperly created or damaged during transmission, SQL Server cannot offer additional information about the problem.

    

When the user is a member of many groups or has many policies, the token may grow larger than normal to list them all. If the token grows larger than the MaxTokenSize value of the server computer, the client fails to connect with a General Network Error (GNE) and error 17832 can occur. This problem may affect only some users: users with many groups or policies. When the problem is the MaxTokenSize value of the server computer, error 17832 in the SQL Server error log will be accompanied by an error with state 9. For additional details about Kerberos and MaxTokenSize, see KB327825 (http://support.microsoft.com/kb/327825).

  
User Action

To resolve this problem, increase the MaxTokenSize value of the server computer to a size large enough to contain the largest token of any user in your organization. To research the correct token size for your organization, consider using the Tokensz application. For more information, see http://go.microsoft.com/fwlink/?LinkId=111047.

Caution: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend that you back up any valued data on the computer.

    

To change the MaxTokenSize on the server computer

1. On the Start menu, click Run.
2. Type regedit, and then click OK. (If the User Account Control dialog box appears, click Continue.)
3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
4. If the MaxTokenSize parameter is not present, right-click Parameters, point to New, and then click DWORD (32-bit) Value. Name the registry entry MaxTokenSize.
5. Right-click MaxTokenSize, and then click Modify.
6. In the Value data box, type the desired MaxTokenSize value.

   Note: Hexadecimal value ffff (decimal value 65535) is the maximum recommended token size. Providing this value would probably solve the problem, but could have negative computer-wide effects with regard to performance. We recommend that you establish the minimum MaxTokenSize value that allows for the largest token of any user in your organization and enter that value.

7. Click OK.
8. Close Registry Editor.
9. Restart the computer.

 

What concerns me is that my initial scan profile has the authenticated box unticked, so I am not trying to authenticate to the server.

 

Has anyone experienced this before?

 

Qualys suggested I do the following:

 

You can implement the following workarounds:
- restrict access to the vulnerable service by blocking the connectivity with a firewall between the target host and the scanner
- exclude the host from the scan
- exclude the offending ports from the scan (identify the offending ports/services)
- lower the performance setting in the Option Profile to use less parallelism, as the host might simply be overloaded; rescan the target host with scan overall performance set to low and let me know the result

We cannot see from the scanner appliance point of view what/how exactly the service on this target is processing our requests, or exactly which request the service does not like, ending in the error followed by the stopping of this service. Only the software vendor is able to analyze their product and identify what is happening on that specific environment and within the application. We cannot see what is happening within the application. We think that almost certainly there is a bug in the service in question. The QualysGuard scan may place the service in some odd state.

What we should do here, and as per our procedure on dealing with this rare event, is for our customer to open a ticket with the vendor of the product and quote our case reference. We will be more than happy to ship the vendor a scanner appliance and set up an account for their testing, and we can provide assistance in trying to resolve this. Qualys won't be able to fix the software issue in the application as this product is not maintained/released by Qualys. The vendor can analyze/identify/fix the issue within their application.

Looking at the error, this should be investigated with a view to releasing a patch and to secure the input from any other possible vulnerability threats by analyzing the input sanitization to that software.

If you provide us the case number that you opened at the vendor with regards to that application crash and the contact details of the vendor support, then we will contact them and provide assistance in trying to resolve this.

 

I then rescanned the servers changing the performance settings to low as suggested but still had the same error message.

 

I will update the post as and when I have a solution.

 

regards
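The Microsoft text quoted above ties error 17832 to the structure of the login packet, not to the credentials in it, and names two causes: a packet that was built or transmitted badly, and a Kerberos token that exceeds MaxTokenSize (state 9). The registry procedure only addresses the second. The following PowerShell is an added example, not code from the original post, from Microsoft or from Qualys: it estimates a user's token size with the formula from KB327825 (TokenSize = 1200 + 40d + 8s), reads the current MaxTokenSize from the Kerberos Parameters key, and sets it through the registry provider instead of regedit. The group counts, the 48000 target value and the sample user name are assumptions chosen for illustration; the optional AD lookup assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original post, Microsoft or Qualys).
# Estimates Kerberos token size per KB327825 and manages MaxTokenSize
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$MaxRecommended = 65535   # 0xFFFF, the ceiling Microsoft's note above recommends

function Get-EstimatedTokenSize {
    # KB327825: TokenSize = 1200 + 40d + 8s
    #   d = domain local groups + universal groups outside the account domain (+ SID history)
    #   s = global groups + universal groups inside the account domain
    param(
        [int]$DomainLocalCount,
        [int]$GlobalCount
    )
    return 1200 + (40 * $DomainLocalCount) + (8 * $GlobalCount)
}

function Get-GroupCountsFromAD {
    # Optional: derive d and s for a real account. Requires the RSAT
    # ActiveDirectory module; SID history is not counted here (assumption).
    param([string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName
    $d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $s = @($groups | Where-Object { $_.GroupScope -in 'Global', 'Universal' }).Count
    return [pscustomobject]@{ DomainLocalCount = $d; GlobalCount = $s }
}

function Get-MaxTokenSize {
    # Returns $null when the value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    # Writes the DWORD the regedit steps above describe; a reboot is still
    # required for the new value to take effect.
    param([ValidateRange(1, 65535)][int]$Size)
    if (-not (Test-Path $KerberosParams)) {
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    Set-ItemProperty -Path $KerberosParams -Name MaxTokenSize -Value $Size -Type DWord
}

# --- Worked run with constructed numbers (assumptions, not measured data) ---
# A user in 600 domain local / cross-domain universal groups and 300 global groups:
$estimate = Get-EstimatedTokenSize -DomainLocalCount 600 -GlobalCount 300
"Estimated token size: $estimate bytes"          # 1200 + 24000 + 2400 = 27600

$current = Get-MaxTokenSize
if ($null -eq $current) {
    "MaxTokenSize not set; OS default applies"
} else {
    "Current MaxTokenSize: $current"
}

# Raise the limit only if the estimate does not fit, and never above 0xFFFF.
$target = 48000   # illustrative value; pick the smallest size that fits your largest token
if (($null -ne $current) -and ($estimate -le $current)) {
    "Largest estimated token fits in the current MaxTokenSize; no change needed"
} elseif ($estimate -gt $MaxRecommended) {
    "Estimated token ($estimate) exceeds $MaxRecommended; reduce group membership instead"
} else {
    Set-MaxTokenSize -Size ([Math]::Max($target, $estimate))
    "MaxTokenSize updated; restart the computer to apply"
}
```

Run it in an elevated session on the SQL Server host. Note that state 9 is the only variant of 17832 the registry change addresses: if the entry in the SQL Server error log carries a different state, or the failing client IP is the scanner appliance rather than a domain user's workstation, the cause is the packet itself, and the firewall/port-exclusion workarounds from Qualys and a vendor ticket are the relevant path.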
