jpeterson-ee asked:

Event ID:4769 every 5 minutes, 100 audit failures

I have a security event that is filling up my log at a ridiculous
rate. Over a period of 2-1/2 days I receive about 130,000 events.

(event text at bottom)

I have SBS 2008 SP2 which was upgraded from SBS 2003 at the beginning
of the year. I have another domain controller that is running
Windows Server 2003R2 (also hosts BES and SEPM). I have another file
server that is a NAS device running Windows 2000.

Now to the errors. Every 5 minutes such as 8:00 8:05 8:10 I get
100 of 4769 Audit failures.

I have yet to find any meaningful help thus far on the web. Basically
the only advice is to turn off auditing because it is only an
informational item and can be ignored. But still, something is
happening every 5 minutes and failing, and I did not have these
errors until recently. I can't think of anything significant that
changed to help guess why this is occurring.

There is not a 4768 success audit afterwards. I do find however that
95% of the time there is a success audit 4662 which refers to two
group policy objects. I tracked them down to WSUS policies for
Clients and Servers. I tried disabling these policies, but the errors
continued. I tried shutting down the services: Update Services and
Windows updates. The errors still persist.

I have gone through every task in the Task Scheduler to look for a
task that may be triggering the event. No correlation found.

When I look in the task manager, I see CPU usage for DataCollectorSVC, sqlsrv, and w3wp.  I started turning off services to see what happens.  Even with all the sql services stopped, I still see the sqlsrv appear.  I traced this to the instance Microsoft##SSEE. With this stopped, I still get the errors, but only 3 or 4.  w3wp is an IIS worker process.  I stopped IIS manager in the services mmc, but it did not affect w3wp, and the errors continued.  When I stop the DataCollectorSvc, the errors stop.  The DataCollectorSvc traces to the Windows SBS Manager service.  I think it is polling the client computer status every 5 minutes to update the SBS console.

The error has a failure code of 0xe which refers to an unsupported authentication type.  I'm not sure what method is being tried and failed here.

As I write this, I recall that recently we installed a new database for the accounting department.  They required SQL express 2008.  SBS monitoring uses 2005.  They seem to be coexisting fine but perhaps this error is the result.  I can use the SQL Management studio to connect to the new accounting database and SBSmonitoring, but not Microsoft##SSEE.  ##SSEE is also called the Windows Internal Database.  Maybe we are never given access to this.  I don't know.

Also, I have renamed the default admin account through group policy.  This was in place from the beginning.  Recently, I changed the name again.

I'll continue to look for a solution, but in the meantime, any help would be greatly
appreciated.

Below is one of the events with certain portions x'ed out.

Log Name:     Security
Source:        Microsoft-Windows-Security-Auditing
Date:         5/10/2010 10:20:01 AM
Event ID:     4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:     Audit Failure
User:         N/A
Computer:     X.X.LOCAL
Description:
A Kerberos service ticket was requested.

Account Information:
Account Name:        X$@X.LOCAL
Account Domain:        X.LOCAL
Logon GUID:        {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name:        krbtgt/X.LOCAL
Service ID:        NULL SID

Network Information:
Client Address:        ::1
Client Port:        0

Additional Information:
Ticket Options:        0x60810010
Ticket Encryption Type:    0xffffffff
Failure Code:        0xe
Transited Services:    -

This event is generated every time access is requested to a resource
such as a computer or a Windows service. The service name indicates
the resource to which access was requested.

This event can be correlated with Windows logon events by comparing
the Logon GUID fields in each event. The logon event occurs on the
machine that was accessed, which is often a different machine than
the domain controller which issued the service ticket.
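
A triage sketch for the pattern described in the question, added here as an example and not part of the original post: it parses rendered 4769 events in the layout shown above, maps the failure code to its RFC 4120 name (0xe is KDC_ERR_ETYPE_NOSUPP), flags loopback requesters such as `::1`, and checks whether the failures from one source arrive at a fixed interval. The function names and the sample events are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Kerberos error numbers from RFC 4120 (subset); 4769 logs them in hex.
KRB_ERRORS = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              0xE: "KDC_ERR_ETYPE_NOSUPP", 0x20: "KRB_AP_ERR_TKT_EXPIRED",
              0x25: "KRB_AP_ERR_SKEW"}
FIELD = re.compile(r"^[ \t]*(Date|Account Name|Service Name|Client Address|"
                   r"Failure Code):[ \t]*(.+?)[ \t]*$", re.M)

def parse_event(text):
    """Pull the triage fields out of one rendered 4769 event."""
    ev = dict(FIELD.findall(text))
    ev["when"] = datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p")
    ev["error"] = KRB_ERRORS.get(int(ev["Failure Code"], 16), "unmapped")
    # Loopback client address: the request came from a process on the DC itself.
    ev["local"] = ev["Client Address"] in ("::1", "127.0.0.1")
    return ev

def bursts(events, window_min=5):
    """Count failures per (account, client, error) source in fixed time windows."""
    out = defaultdict(Counter)
    for ev in events:
        t = ev["when"]
        start = t.replace(minute=t.minute - t.minute % window_min, second=0)
        out[(ev["Account Name"], ev["Client Address"], ev["error"])][start] += 1
    return out

def period_minutes(windows):
    """Return the gap in minutes if the bursts are evenly spaced, else None."""
    starts = sorted(windows)
    gaps = {(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])}
    return gaps.pop() if len(gaps) == 1 else None

# Constructed sample: the event layout from the post, repeated at 5-minute marks.
TEMPLATE = """Date:         5/10/2010 {time} AM
Event ID:     4769
Account Name:        X$@X.LOCAL
Service Name:        krbtgt/X.LOCAL
Client Address:        ::1
Failure Code:        0xe
"""
SAMPLE = [TEMPLATE.format(time=t) for t in
          ("10:20:01", "10:20:01", "10:20:02", "10:25:01", "10:25:01", "10:30:01")]

if __name__ == "__main__":
    for source, windows in bursts(map(parse_event, SAMPLE)).items():
        print(source, dict(windows), "period:", period_minutes(windows), "min")
```

A single local source with an even period points at a scheduled or polling component on the domain controller rather than at remote clients.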

jpeterson-ee (ASKER)

I have since found that it is by design, that I do not have access to the Microsoft##SSEE database.  I still think that the WSUS has something to do with this because of the successful audits to the group policies relating to WSUS.

bbao

For what particular reason has the auditing function been enabled?

I guess you would have to ask Microsoft that.  It's a security audit failure notice.  Seems like you would want to know when something fails, especially 100 times every 5 minutes.

Lately the errors have been on and off.  They stopped for a day then started for half a day then stopped again.  Nothing in the error logs to suggest a change of why they start or stop.

I have also noticed error 2803 popping up in the app log relating to the monitoring database.  They occur just after the audit failures, but sometimes they still occur even when the errors have stopped.
Seems like this website is losing popularity.  The last few questions I posted have not resulted in any help.  Also when reading posts on different matters, the accepted solution is sometimes not a solution at all or refers to an unrelated post that has no solution.  Many posts are just abandoned.  Don't think I will be renewing what was once a fantastic service.

Dave Mc

Not sure if it's too late for you, but I was having a similar issue with failures every 5 minutes & came across the following article.  It helped me out...

http://blogs.technet.com/b/sbs/archive/2009/06/23/update-services-in-sbs-2008.aspx

-Dave
Thanks for the suggestion Dave.  I'm not getting that error when I run the BPA, but I will go over the article again to make sure I have all the default settings correct anyway.
ASKER CERTIFIED SOLUTION
Dave Mc
