Solved

Microsoft Windows security auditing Event 4625

Posted on 2010-09-15
2,795 Views
Last Modified: 2012-05-10
I am seeing thousands of Microsoft Security Auditing event 4625's on a client's Server 2008. I looked at Microsoft's support center however they merely describe the event. It is being flagged from each machine in their DHCP range.
Question by:msiers
13 Comments
 
LVL 6

Expert Comment

by:mattconroy
ID: 33684251
0
 

Author Comment

by:msiers
ID: 33684355
I don't think that is the issue, especially since that article says the issue occurs with Windows Server 2003 SP1 or XP SP2. The workstations producing this event on the Server 2008 are XP workstations, SP3.

An account failed to log on.

Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0xc0000133

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: -
    Source Network Address: 192.168.111.15
    Source Port: 1759

Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33685083
Go here: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
The substatus code suggests that the computer clocks are not properly synchronized. Check the time on the computers that are having errors and the time on the server.
0
 

Author Comment

by:msiers
ID: 33685105
We verified the time on the clock of the Domain Controller was no more than a few seconds off from the workstations. We have a Server 2008 and Server 2003 then about 4 workstations running XP sp3. Server 2008 is new install. Wondering if maybe we need to verify that Server 2008 is getting time from the 2003 server which is also Domain Controller...
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33685140
You might also want to make sure the date is correct as well, if you haven't already. If you're getting a lot of these errors, go through the Sub Status: entry on all the events and see if they match up with the one you copied.
0
 

Author Comment

by:msiers
ID: 33685150
Every single one of them matches the substatus 0x....000133
0
 

Author Comment

by:msiers
ID: 33685172
In addition: On the 2003 server, we don't get the security audit events but instead receive lots of internal-IP generated Event 537's (same status and substatus code as this event I've posted here).

We also receive TONS of external-IP generated 529 events, but think that's a separate issue for which I have posted here elsewhere.
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 33685277
0
 
LVL 40

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 33685316
Take a look at your GPOs and Local Policy to check Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Check the Maximum Tolerance for Computer Clock Synchronization value. If that's 0, that will cause your problem. Set it to 5 if it isn't already.
0
 

Author Comment

by:msiers
ID: 33685730
I will try to do that! Thanks. Let you know how it pans out.
0
 

Author Comment

by:msiers
ID: 33686030
Logged into the 2003 Domain Controller, checked both of those configurations, each is set for 5 minutes. Going to log into the 2008 Server and verify that it gets its time from the 2003 DC.
0
 

Expert Comment

by:bfry24
ID: 37596483
I have checked everywhere and there does not seem to be an answer to this problem. I have checked the Computer Clock Synchronization setting in GPO and it is set to 5 minutes. But I am still getting this error based on one UserName. It is a domain user account set for SQL 2008 R2 (server is Windows 2008 R2) along with Log on as a service and Replace a process level token. It is also a member of the Local Admin group. Here is what I am getting:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-02-15T00:55:21.124387800Z" />
    <EventRecordID>4688</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="3224" />
    <Channel>Security</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1757981266-1303643608-682003330-3856</Data>
    <Data Name="SubjectUserName">scesqluser</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x13ec2</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName" />
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Authz</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">CLINADMIN</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x634</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

In addition, I get this Information message in the Event Viewer and not sure if the two are related:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSSQLSERVER" />
    <EventID Qualifiers="16384">9724</EventID>
    <Level>4</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-02-15T00:41:29.000000000Z" />
    <EventRecordID>4929</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[Microsoft.SystemCenter.Orchestrator.Maintenance].[MaintenanceWorker]</Data>
    <Data>SCE2012_Orchestrator.Microsoft.SystemCenter.Orchestrator.Maintenance.MaintenanceServiceQueue</Data>
    <Data>Could not obtain information about Windows NT group/user 'DOMAIN\SMSadmin', error code 0x5.</Data>
    <Binary>FC2500000A0000000A00000043004C0049004E00410044004D0049004E0000001500000053004300450032003000310032005F004F007200630068006500730074007200610074006F0072000000</Binary>
  </EventData>
</Event>
0
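Added example, not code from any poster in this thread: a small Python triage helper that parses 4625 events in the XML form bfry24 pasted, decodes Status/SubStatus into their NTSTATUS names, and counts failures by substatus and source, so that msiers' thousands of 0xc0000133 failures from the DHCP range and bfry24's single 0xc0000064 from a service account fall into separate buckets. The sample events are constructed (only the IP, account and workstation names come from this thread); the NTSTATUS names are from the Windows SDK ntstatus.h.

```python
from collections import Counter
from xml.etree import ElementTree as ET

# NTSTATUS values that appear in 4625 Status/SubStatus (names from ntstatus.h)
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",           # bfry24's event: account name does not exist
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",  # msiers' events: clock skew beyond Kerberos tolerance
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def decode_status(code):
    """Turn a '0xc0000133'-style string from the event into its NTSTATUS name."""
    value = int(code, 16)
    return NTSTATUS.get(value, "UNKNOWN_0x%08X" % value)

def parse_4625(xml_text):
    """Pull the triage fields out of one 4625 event in Event Viewer XML form; None if it is not a 4625."""
    root = ET.fromstring(xml_text)
    if root.findtext("{*}System/{*}EventID") != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("{*}EventData/{*}Data")}
    source = data.get("IpAddress", "-")
    if source == "-":  # local callers such as sqlservr.exe log '-' for IpAddress; use the workstation name
        source = data.get("WorkstationName", "-")
    return {
        "substatus": decode_status(data["SubStatus"]),
        "subject": data.get("SubjectUserName", "-"),
        "target": data.get("TargetUserName") or "-",
        "source": source,
    }

def triage(xml_events):
    """Count failures by (substatus, source): thousands in one bucket usually means one root cause."""
    return Counter((e["substatus"], e["source"]) for e in (parse_4625(x) for x in xml_events) if e)

def sample_event(status, substatus, ip, subject="-", workstation="-"):
    """Constructed 4625 event (not a real log record) in the XML layout Event Viewer shows."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="TargetUserName" />
    <Data Name="Status">{status}</Data>
    <Data Name="SubStatus">{substatus}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""
```

Feed `triage()` the output of an Event Viewer "Save as XML" export split into `<Event>` elements; a bucket like `("STATUS_TIME_DIFFERENCE_AT_DC", <workstation IP>)` with a large count is the clock-skew case discussed above, while `STATUS_NO_SUCH_USER` with a `subject` of a service account and a `target` of `-` matches bfry24's pattern.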
