
Filtering Platform Connection Audit Failure

Asked By PGallez
27-Jan-10 12:55 PM
I am getting Event ID 5157 security log audit failures related to the
SharePoint mssearch service that I cannot resolve--all of the basic stuff
looks right to me. This is a single-server implementation of WSS 3.0 SP1 on
Windows Server 2008 R2 (SP, IIS, SQL Server, and search all running on the
same machine). Can anyone suggest an effective way to troubleshoot this?


haris replied to PGallez
27-Jan-10 04:06 PM
Administrative tools -> SharePoint Central admin -> Operations -> services
on server -> Windows SharePoint services search -> update the password.

Harish K


sunil replied to haris
27-Jan-10 06:27 PM
It is important to go through the details of the event log message to
identify which connection is blocked and why:

========================================================
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:  PID

Application Name: process_name

Network Information:
Direction:  outbound or inbound
Source Address:  source_ip

Source Port:
Destination Address: des_ip

Destination Port:  ??
Protocol:  ??
========================================================

Application Layer Enforcement (ALE) Stateful Filtering
http://msdn2.microsoft.com/en-us/library/bb613463(VS.85).aspx


To disable the auditing, run the following commands:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable

Windows Firewall feature in Windows Server 2008
http://technet2.microsoft.com/windowsserver2008/en/library/c042b3c5-dee1-4a31-ac35-e90e846290441033.mspx

Sunil [MSFT]
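
Added example, not part of Sunil's reply: one way to pull the fields he lists out of Event ID 5157 records so that repeated blocks can be grouped by process and destination. The function name and the sample record (PID, path, addresses, filter ID) are constructed for illustration; the Data names are the ones event 5157 carries in its EventData.

```powershell
# Added example. Parses the EventData of a 5157 record into one flat object.
function ConvertFrom-Wfp5157 {
    param([Parameter(Mandatory=$true)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Direction is stored as a message-table token, not as readable text
    $dir = switch ($d['Direction']) {
        '%%14592' { 'Inbound' }
        '%%14593' { 'Outbound' }
        default   { $d['Direction'] }
    }
    New-Object PSObject -Property @{
        ProcessId   = $d['ProcessID']
        Application = $d['Application']
        Direction   = $dir
        Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
        Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
        Protocol    = $d['Protocol']     # IANA protocol number (6 = TCP, 17 = UDP)
        FilterId    = $d['FilterRTID']   # run-time ID of the filter that blocked it
    }
}

# Constructed sample record (documentation addresses, made-up PID and path)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <EventData>
  <Data Name="ProcessID">1234</Data>
  <Data Name="Application">\device\harddiskvolume1\example\mssearch.exe</Data>
  <Data Name="Direction">%%14593</Data>
  <Data Name="SourceAddress">192.0.2.10</Data>
  <Data Name="SourcePort">49200</Data>
  <Data Name="DestAddress">192.0.2.20</Data>
  <Data Name="DestPort">445</Data>
  <Data Name="Protocol">6</Data>
  <Data Name="FilterRTID">65536</Data>
 </EventData>
</Event>
'@
ConvertFrom-Wfp5157 -EventXml $sample | Format-List

# Against the live Security log (elevated prompt); identical blocks collapse into one row:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157} -MaxEvents 500 |
#   ForEach-Object { ConvertFrom-Wfp5157 -EventXml $_.ToXml() } |
#   Group-Object Application, Direction, Destination, FilterId |
#   Sort-Object Count -Descending | Select-Object Count, Name
```

The FilterId value can be looked up in the filters.xml file written by `netsh wfp show filters` to see which filter produced the block.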

PGallez replied to haris
27-Jan-10 07:29 PM
Thanks, did that, also verified that the credentials were valid by logging in
to the server with the domain accounts being used for search and content
access. Didn't help. Also reviewed the SQL Server configuration for the two
accounts and it looks right too.
PGallez replied to sunil
27-Jan-10 07:34 PM
Thanks Sunil. See details below re error.

I did not do anything with the Windows Firewall feature in Server 2008 during
SP installation, as it is disabled on this server (probably due to Group
Policy). I assumed that if it was disabled, it would not be blocking anything,
so I was OK (at least as far as this audit failure goes.)