?
Solved

Logon failure every day from SID s-1-0-0 which refers to a nobody account What is causing it?

Posted on 2009-12-18
2
Medium Priority
?
6,546 Views
Last Modified: 2013-11-30
I get this event on both DC's in my network every day at about 4 hr intervals.
I can't seem to find the cause. obviously there isnt an account named Nobody on the workstation that is making the failed network logon attempt. Port 3732 isnt a well known port. Can anyone help?
Thank You in advance.

Event Log:  Security Event Source:  Microsoft-Windows-Security-Auditing Event ID:  4625 Research  
Severity: Failure Audit
Details: An account failed to log on.

Subject:
       Security ID:              S-1-0-0
       Account Name:              -
       Account Domain:              -
       Logon ID:              0x0

Logon Type:                     3

Account For Which Logon Failed:
       Security ID:              S-1-0-0
       Account Name:              
       Account Domain:              

Failure Information:
       Failure Reason:              An Error occured during Logon.
       Status:                     0xc000006d
       Sub Status:              0xc0000133

Process Information:
       Caller Process ID:       0x0
       Caller Process Name:       -

Network Information:
       Workstation Name:       -
       Source Network Address:       192.168.16.69
       Source Port:              3732

Detailed Authentication Information:
       Logon Process:              Kerberos
       Authentication Package:       Kerberos
       Transited Services:       -
       Package Name (NTLM only):       -
       Key Length:              0
 
0
Comment
Question by:conlin
2 Comments
 
LVL 16

Expert Comment

by:Ady Foot
ID: 26084608
According to the following Microsoft knowledgebase article, the SID S-1-0-0 means 'Nobody' which is interesting....
http://support.microsoft.com/kb/243330

This could be a problem with the computer account on the domain.  Try removing the machine from the domain and then re-adding it; this could help.  Also make sure that the time service on the workstation is set to receive its time updates from your domain controller.  This can cause kerberos authentication issues.

Regards,

Ady
0
 

Accepted Solution

by:
conlin earned 0 total points
ID: 26183137
The logon failure comes from different machines at different times of the day.  Time service is fine. and some of the machines have been removed and rejoined to the domain some haven't, Still the same issue. Added logon as a service to the quickbooksDB user, and logon failures stopped for that machine.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How does someone stay on the right and legal side of the hacking world?
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question