This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 3%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
This is the audit log in SQL Server. It shows the following login failed. From the SQL Server side, this is all I can see. What I wonder what is SMS_MP_FILE_DISPATCH_MANAGER and how do I verify what account it's running at? How do I go about troubleshooting this error further?
Date 2/4/2021 2:34:01 AM
Log Audit Collection (LoginFailed)
Event Time 02:34:01.6182729
Server Instance Name DevDB
Action ID LOGIN FAILED
Class Type LOGIN
Sequence Number 1
Succeeded False
Permission Bit Mask 0x00000000000000000000000000000000
Column Permission False
Session ID 0
Server Principal ID 0
Database Principal ID 0
Target Server Principal ID 0
Target Database Principal ID 0
Object ID 0
Session Server Principal Name
Server Principal Name NT AUTHORITY\SYSTEM
Server Principal SID NULL
Database Principal Name
Target Server Principal Name
Target Server Principal SID NULL
Target Database Principal Name
Database Name
Schema Name
Object Name
Statement Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'dbName'. [CLIENT: <local machine>]
Additional Information <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><error>0x00004818</error><state>38</state><address>local machine</address></action_info>
File Name C:\Temp\SQLAuditFiles\LoginFailed_C9114B7D-590B-48B9-8978-D40508F15326_0_132568475672460000.sqlaudit
File Offset 10240
User Defined Event ID 0
User Defined Information
Sequence Group ID 0x1D52222EBA21AE4E884DD7A55652AC6C
Transaction ID 0
Client IP local machine
Application Name SMS_MP_FILE_DISPATCH_MANAGER
Affected Rows 0
Response Rows 0
Connection Id 1429ba8e-ca3c-4391-b7e8-0792f5a655c7
Duration Milliseconds 0
Data Sensitivity Information
Message
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 1%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
That is a "System Center Configuration Manager" component.
Is there something on the SCCM side that I can verify? I've looked at the mpfdm.log and there is no error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
SCCM was named SMS many many years ago. Nowadays it is named SCCM. I suggest you ask in sn SCCM forum, since this is where you need to fix this. All we can say from the sQL Server side is that something is trying to login to, and the database it tries to use doesn't exist or it doesn't have permissions on that database.
Hi @CharlieLor ,
> Is there something on the SCCM side that I can verify?
As Tibor mentioned, I add mem-cm-general tag for this thread, people from SCCM team will give you a better help.
Thank you for tagging the mem-cm-general. So instead of posting in two groups, I could jut tag another group. Thanks for letting me know...will definitely do that next time.
@CharlieLor
Thank you for posting in Microsoft Q&A forum.
SMS_MP_FILE_DISPATCH_MANAGER is a component of SCCM, you may check the component status to see if there any error or warning like below:
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Here's something I'm still confused about this error. Based on the audit, it said the client is <local machine> so that means it's coming from the same server that's hosting the DevDB SQL Server instance. However, SMS_MP_FILE_DISPATCH_MANAGER is not installed on the DevDB SQL Server instance. SCCM is installed in a separate VM server. So, how can <local machine> which does not have SMS_MP_FILE_DISPATCH_MANAGER installed tried to access itself with System and failed?
That's indeed mysterious.
Although, there is a possibility. The application name is taken from the connection string, so there could be a process on the local machine pretends to be SMS_MP_FILE_DISPATCH_MANAGER. I am not going deny that this sounds far-fetched, but sometimes crazy things happen.
Here is an idea to track this down, although it is not entirely recommendable from a security perspective.
Create the database in question and grant NT AUTHORITY\SYSTEM access to it. Then write a logon trigger first checks if the user is NT AUTHORITY\SYSTEM, and if so captures host_process_id and writes it to a table. Furthermore, the logon trigger would run xp_cmdshell and run a command to list all processes, redirecting the output to a file. Once you have a host_process_id, you can look for it in the file.
I would definitely be hesitant to do this in production, but given the DB name, I assume that this is a Dev instance?