Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Authz Logon Failures with no User Name, Domain Name, Source Network Address or Source Port

Posted on 2008-06-18
3
Medium Priority
?
1,600 Views
Last Modified: 2008-11-22
Hi there,
Across our network I seem to be getting numerous of these errors - I have pasted details below:

Logon Failure:
       Reason:            Account locked out
       User Name:      
       Domain:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      ABC23S003
       Caller User Name:      ABC23S003$
       Caller Domain:      CS
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1068
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

I have looked at the PID relating to this which is svchost and hence encompasses multiple services eg audio service, browser, etc etc all of which are running just fine, and can (and have been) stopped and started.
The information above was pasted from a DC called abc23s003 - hence it is reporting this error into it's own logs, I do however have exactly the same errors appearing on multiple Member servers also.

The above event is preceded by the following:

Service Ticket Request:
       User Name:            ABC23S003$@CS.GCG.NET
       User Domain:            CS.GCG.NET
       Service Name:            host/abc23s003.cs.gcg.net
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            127.0.0.1
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -

I have googled about but have come up with no solutions.
Any suggestions?
0
Comment
Question by:Greencore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1000 total points
ID: 21891566
I noticed the call had no domain and the user was the local computer. So, I looked up the CLID: and it appears like you are trying to run SVChost.exe from a local account. Now this should be fine if you were logging in locally and running local processes. However, it looks like your clients and server are trying to run a RPC process and that process is running as the local system.
http://support.microsoft.com/kb/890477

Look for RPC errors or application hangs or other errors that may be able to point us to the right process in the event logs. That may tell us what process we need to focus on.

To further investigate what thread SVCHOST is trying to run, you might want to Run Process monitor from sysinternal's website. However, this usually red flags processes that max out resources rather than looks for threads that are just denied service. So, I don't know how much this will help you out. There are some good tools for Process Monitor and one of them migh be what permissions the process is running as.
http://technet.microsoft.com/en-us/sysinternals/cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5.aspx
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Learn about cloud computing and its benefits for small business owners.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question