Solved

Authz Logon Failures with no User Name, Domain Name, Source Network Address or Source Port

Posted on 2008-06-18
Last Modified: 2008-11-22
Hi there,
Across our network I seem to be getting numerous errors like these - I have pasted details below:

Logon Failure:
       Reason:            Account locked out
       User Name:      
       Domain:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      ABC23S003
       Caller User Name:      ABC23S003$
       Caller Domain:      CS
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1068
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

I have looked at the PID relating to this, which is svchost and hence encompasses multiple services, e.g. audio service, browser, etc., all of which are running just fine, and can be (and have been) stopped and started.
The information above was pasted from a DC called abc23s003 - hence it is reporting this error into its own logs. I do, however, have exactly the same errors appearing on multiple member servers also.

The above event is preceded by the following:

Service Ticket Request:
       User Name:            ABC23S003$@CS.GCG.NET
       User Domain:            CS.GCG.NET
       Service Name:            host/abc23s003.cs.gcg.net
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            127.0.0.1
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -

I have googled about but have come up with no solutions.
Any suggestions?
Question by:Greencore
Accepted Solution

by:
ChiefIT earned 250 total points
ID: 21891566
I noticed the call had no domain and the user was the local computer. So, I looked up the CLID, and it appears that you are trying to run svchost.exe from a local account. Now this should be fine if you were logging in locally and running local processes. However, it looks like your clients and server are trying to run an RPC process and that process is running as the local system.
http://support.microsoft.com/kb/890477

Look for RPC errors or application hangs or other errors that may be able to point us to the right process in the event logs. That may tell us what process we need to focus on.

To further investigate what thread SVCHOST is trying to run, you might want to run Process Monitor from the Sysinternals website. However, this usually red-flags processes that max out resources rather than looking for threads that are just denied service. So, I don't know how much this will help you out. There are some good tools for Process Monitor and one of them might be what permissions the process is running as.
http://technet.microsoft.com/en-us/sysinternals/cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5.aspx
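
As an added example (not part of the original posts): Python code that parses the two record layouts quoted in the question and pairs the logon failure with the failed service ticket request that precedes it. The function names and the trimmed sample are constructed for illustration; per RFC 4120, failure code 0x12 is KDC_ERR_CLIENT_REVOKED, and logon ID 0x3E7 is the LocalSystem session.

```python
# Constructed sample: the two records from the question, trimmed to the fields used.
SAMPLE = """\
Service Ticket Request:
    User Name:        ABC23S003$@CS.GCG.NET
    Service Name:     host/abc23s003.cs.gcg.net
    Failure Code:     0x12
Logon Failure:
    Reason:           Account locked out
    User Name:
    Caller User Name: ABC23S003$
    Caller Logon ID:  (0x0,0x3E7)
"""

# Subset of the Kerberos error codes defined in RFC 4120.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED"}

def parse_records(text):
    """Split the event text into one dict per record; '-' and blanks become None."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():            # unindented header starts a record
            records.append({"_type": key})
        elif records:
            value = value.strip()
            records[-1][key] = None if value in ("", "-") else value
    return records

def correlate(records):
    """Pair each logon failure with the failed ticket request from the same caller."""
    findings, ticket = [], None
    for rec in records:
        if rec["_type"] == "Service Ticket Request" and rec.get("Failure Code"):
            ticket = rec
        elif rec["_type"] == "Logon Failure" and ticket:
            caller = (rec.get("Caller User Name") or "").lower()
            if (ticket.get("User Name") or "").split("@")[0].lower() != caller:
                continue
            code = int(ticket["Failure Code"], 16)
            findings.append({
                "caller": caller,
                "machine_account": caller.endswith("$"),
                "local_system": "0x3e7" in (rec.get("Caller Logon ID") or "").lower(),
                "target_user_missing": rec.get("User Name") is None,
                "service": ticket.get("Service Name"),
                "krb_error": KRB_ERRORS.get(code, hex(code)),
            })
    return findings
```

Calling `correlate(parse_records(SAMPLE))` returns one finding per matched pair, which makes it easy to count how many hosts log the same pattern when the exported event text from several servers is concatenated.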