  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1633

Authz Logon Failures with no User Name, Domain Name, Source Network Address or Source Port

Hi there,
Across our network I seem to be getting numerous errors like these. I have pasted the details below:

Logon Failure:
       Reason:            Account locked out
       User Name:      
       Domain:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      ABC23S003
       Caller User Name:      ABC23S003$
       Caller Domain:      CS
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1068
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

I have looked at the PID relating to this, which is svchost and hence encompasses multiple services (e.g. audio service, browser, etc.), all of which are running just fine, and can be (and have been) stopped and started.
The information above was pasted from a DC called abc23s003 - hence it is reporting this error into its own logs. I do, however, have exactly the same errors appearing on multiple member servers also.

The above event is preceded by the following:

Service Ticket Request:
       User Name:            ABC23S003$@CS.GCG.NET
       User Domain:            CS.GCG.NET
       Service Name:            host/abc23s003.cs.gcg.net
       Service ID:            -
       Ticket Options:            0x40810000
       Ticket Encryption Type:      -
       Client Address:            127.0.0.1
       Failure Code:            0x12
       Logon GUID:            -
       Transited Services:      -

I have googled about but have come up with no solutions.
Any suggestions?
0
Asked by: Greencore
1 Solution
 
ChiefIT Commented:
I noticed the call had no domain and the user was the local computer. So, I looked up the CLID, and it appears that you are trying to run svchost.exe from a local account. Now this should be fine if you were logging in locally and running local processes. However, it looks like your clients and server are trying to run an RPC process and that process is running as the local system.
http://support.microsoft.com/kb/890477

Look for RPC errors or application hangs or other errors that may be able to point us to the right process in the event logs. That may tell us what process we need to focus on.

To further investigate what thread SVCHOST is trying to run, you might want to run Process Monitor from the Sysinternals website. However, this usually red flags processes that max out resources rather than looking for threads that are just denied service. So, I don't know how much this will help you out. There are some good tools for Process Monitor and one of them might be what permissions the process is running as.
http://technet.microsoft.com/en-us/sysinternals/cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5.aspx
0
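As an added example (not part of the original question or answer), the two pasted events can be parsed and correlated to decode the Kerberos failure code and ticket options and to confirm that the caller is the machine account running as LocalSystem. The function names `parse_event` and `triage` are hypothetical; the lookup tables cover only a few values from RFC 4120 and RFC 6806.

```python
# Excerpts of the two events pasted in the question above.
LOGON_FAILURE = """\
Reason: Account locked out
User Name:
Logon Process: Authz
Caller User Name: ABC23S003$
Caller Logon ID: (0x0,0x3E7)
"""
TICKET_REQUEST = """\
User Name: ABC23S003$@CS.GCG.NET
Service Name: host/abc23s003.cs.gcg.net
Ticket Options: 0x40810000
Client Address: 127.0.0.1
Failure Code: 0x12
"""

# Kerberos error codes (RFC 4120); only a few are listed here.
KRB_ERRORS = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED"}
# KDC option flags (RFC 4120, RFC 6806), highest bit first.
KDC_OPTIONS = {0x40000000: "forwardable", 0x00800000: "renewable",
               0x00010000: "canonicalize"}

def parse_event(text):
    """Turn 'Field: value' lines into a dict; '-' and blank mean not recorded."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            fields[key.strip()] = None if value in ("", "-") else value
    return fields

def triage(failure_text, ticket_text):
    """Correlate an Authz logon failure with the ticket request before it."""
    fail, tkt = parse_event(failure_text), parse_event(ticket_text)
    code = int(tkt["Failure Code"], 16)
    opts = int(tkt["Ticket Options"], 16)
    principal = tkt["User Name"].split("@")[0]
    return {
        "kerberos_error": KRB_ERRORS.get(code, hex(code)),
        "ticket_flags": [n for bit, n in KDC_OPTIONS.items() if opts & bit],
        # 0x3E7 is the LocalSystem logon session, so the caller is a service.
        "caller_is_system": fail["Caller Logon ID"].lower().endswith("0x3e7)"),
        # Same machine account requested the ticket and made the Authz call.
        "same_machine_account": principal.upper() == fail["Caller User Name"].upper(),
        "local_request": tkt["Client Address"] == "127.0.0.1",
        "target_recorded": fail["User Name"] is not None,
    }
```

For the events above, failure code 0x12 decodes to KDC_ERR_CLIENT_REVOKED, which matches the "Account locked out" reason, while the empty target user name means the locked-out account itself is not identified in these events.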
