• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1640
  • Last Modified:

Audit failures server 2008

I have a Server 2008 sp1 Standard 32bit used for hosting websites with many ips.  I am getting 4 audit failures exactly every 5 minutes.  I'll post the particulars below.  There is no account name listed and just NULL SID for id.  The source network address is always one of the private ip for a hosted site and it is always in the same subnet. Can't figure this out. Thanks

An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:
      Source Port:            57711

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

Provider[ Name] Microsoft-Windows-Security-Auditing
      [ Guid]       {54849625-5478-4994-a5ba-3e3b0328c30d}              
        EventID      4625       
        Version      0       
        Level      0       
        Task      12544       
        Opcode      0       
        Keywords      0x8010000000000000
-TimeCreated[ SystemTime]       2010-01-08T04:57:13.609Z            
        EventRecordID      2302825       
       [ ProcessID]       672              
       [ ThreadID]       1032              
       Channel      Security      
      Computer      xxxx.xxxx.xxxxxxxxx.xxx       
      SubjectUserSid      S-1-0-0      
      SubjectUserName      -       
      SubjectDomainName      -      
      SubjectLogonId      0x0       
      TargetUserSid      S-1-0-0       
      Status      0xc000006d       
      FailureReason      %%2313       
      SubStatus      0xc000006a       
      LogonType      3       
      LogonProcessName      Kerberos       
      AuthenticationPackageName      Kerberos       
      WorkstationName      -       
      TransmittedServices      -       
      LmPackageName      -       
      KeyLength      0       
      ProcessId      0x0       
      ProcessName      -       
      IpPort      57711       
  • 2
1 Solution
smillionAuthor Commented:
Well, the issue stopped abruptly this morning.  I can only corelate the turning on of another server that the server was replicating to.

If any of the above link resolved your issue then accept it, otherwise close this question by accepting your comments.

Faraz H. Khan

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now