Solved

Microsoft Windows security auditing Event 4625

Posted on 2010-09-15
13
2,660 Views
Last Modified: 2012-05-10
I am seeing thousands of Microsoft Security Auditing event 4625s on a client's Server 2008. I looked at Microsoft's support center; however, they merely describe the event. It is being flagged from each machine in their DHCP range.
0
Question by:msiers
13 Comments
 
LVL 6

Expert Comment

by:mattconroy
ID: 33684251
0
 

Author Comment

by:msiers
ID: 33684355
I don't think that is the issue, especially since that article says the issue occurs with Windows Server 2003 SP1 or XP SP2. The workstations producing this event on the Server 2008 are XP workstations, SP3.

An account failed to log on.

Subject:
    Security ID:              S-1-0-0
    Account Name:             -
    Account Domain:           -
    Logon ID:                 0x0

Logon Type:                   3

Account For Which Logon Failed:
    Security ID:              S-1-0-0
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason:           An Error occured during Logon.
    Status:                   0xc000006d
    Sub Status:               0xc0000133

Process Information:
    Caller Process ID:        0x0
    Caller Process Name:      -

Network Information:
    Workstation Name:         -
    Source Network Address:   192.168.111.15
    Source Port:              1759

Detailed Authentication Information:
    Logon Process:            Kerberos
    Authentication Package:   Kerberos
    Transited Services:       -
    Package Name (NTLM only): -
    Key Length:               0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33685083
Go here: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
The substatus code suggests that the computer clocks are not properly synchronized. Check the time on the computers that are having errors and the time on the server.
0
 

Author Comment

by:msiers
ID: 33685105
We verified the time on the clock of the Domain Controller was no more than a few seconds off from the workstations. We have a Server 2008 and a Server 2003, then about 4 workstations running XP SP3. Server 2008 is a new install. Wondering if maybe we need to verify that Server 2008 is getting time from the 2003 server, which is also a Domain Controller...
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33685140
You might also want to make sure the date is correct, if you haven't already. If you're getting a lot of these errors, go through the Sub Status entry on all the events and see if they match up with the one you copied.
0
 

Author Comment

by:msiers
ID: 33685150
Every single one of them matches the substatus 0x....000133
0
 

Author Comment

by:msiers
ID: 33685172
In addition: On the 2003 server, we don't get the security audit events but instead receive lots of internal-IP generated Event 537's (same status and substatus code as this event I've posted here).

We also receive TONS of external-IP generated 529 events, but think that's a separate issue for which I have posted here elsewhere.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33685277
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33685316
Take a look at your GPOs and Local Policy to check Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Check the value of the Maximum Tolerance for Computer Clock Synchronization value. If that's 0, that will cause your problem. Set it to 5 if it isn't already.
0
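As an added check that ties the replies together (example script written for this page, not code from the thread, from Microsoft or from the product), the following PowerShell measures the clock offset against a domain controller with w32tm and reads the effective Kerberos "Maximum tolerance for computer clock synchronization" from a secedit export (its INI key name is MaxClockSkew, in minutes), then applies the accepted answer's rule: a value of 0, or an offset larger than the tolerance, produces sub status 0xC0000133. The function names, the temp file path and the assumption that the export contains a [Kerberos Policy] section (which holds on a domain controller) are mine.

```powershell
# Added example, not code from this thread. Checks the two things the replies point at:
# the clock offset between this machine and a domain controller, and the effective
# Kerberos "Maximum tolerance for computer clock synchronization" (INI name MaxClockSkew,
# in minutes). Run in an elevated PowerShell on the server logging the 4625 events.
# w32tm.exe and secedit.exe ship with Windows; the function names here are my own.

function Get-TimeSyncStatus {
    param([string]$DomainController = ([string]$env:LOGONSERVER).TrimStart('\'))
    # Which source this machine syncs from; a domain member should name a DC here
    $source = (w32tm /query /source) -join ' '
    # One-shot offset against the DC; /dataonly lines look like "21:14:46, +00.0018616s"
    $chart  = w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly
    $offset = $null
    foreach ($line in $chart) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { $offset = [double]$Matches[1] }
    }
    [pscustomobject]@{
        TimeSource       = $source
        DomainController = $DomainController
        OffsetSeconds    = $offset   # $null if the DC did not answer
    }
}

function Get-EffectiveMaxClockSkew {
    # Export the effective security policy and read MaxClockSkew from [Kerberos Policy].
    # Assumption: the section is present in the export, which holds on a domain controller;
    # on a plain member server it may be missing, so the function returns $null.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $value = $null
    if (Test-Path $cfg) {
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\s*MaxClockSkew\s*=\s*(\d+)') { $value = [int]$Matches[1] }
        }
        Remove-Item $cfg
    }
    $value
}

function Test-KerberosClockTolerance {
    $sync = Get-TimeSyncStatus
    $skew = Get-EffectiveMaxClockSkew
    $verdict = if ($null -eq $skew) {
        'MaxClockSkew not in the local export; check Kerberos Policy on a domain controller'
    } elseif ($skew -eq 0) {
        'MaxClockSkew is 0, so any offset fails Kerberos with sub status 0xC0000133; set it to 5'
    } elseif ($null -eq $sync.OffsetSeconds) {
        'could not measure the offset; check that w32tm can reach the DC'
    } elseif ([math]::Abs($sync.OffsetSeconds) -gt 60 * $skew) {
        "offset exceeds the $skew minute tolerance; fix time sync (w32tm /resync)"
    } else {
        "offset within the $skew minute tolerance"
    }
    [pscustomobject]@{
        TimeSource       = $sync.TimeSource
        DomainController = $sync.DomainController
        OffsetSeconds    = $sync.OffsetSeconds
        MaxClockSkewMin  = $skew
        Verdict          = $verdict
    }
}

Test-KerberosClockTolerance | Format-List
```

Run it once on the 2008 server and once on the 2003 DC; the TimeSource line answers the poster's question of where the new server takes its time from, and the Verdict line tells you whether the Kerberos tolerance or the actual offset is the problem.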
 

Author Comment

by:msiers
ID: 33685730
I will try to do that! Thanks. Let you know how it pans out.
0
 

Author Comment

by:msiers
ID: 33686030
Logged into the 2003 Domain Controller and checked both of those configurations; each is set to 5 minutes. Going to log into the 2008 server and verify that it gets its time from the 2003 DC.
0
 

Expert Comment

by:bfry24
ID: 37596483
I have checked everywhere and there does not seem to be an answer to this problem. I have checked the Computer Clock Synchronization setting in GPO and it is set to 5 minutes. But I am still getting this error based on one user name. It is a domain user account set up for SQL 2008 R2 (the server is Windows 2008 R2), along with Log in as a server and Replace a process level token. It is also a member of the Local Admin group. Here is what I am getting:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-02-15T00:55:21.124387800Z" />
    <EventRecordID>4688</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="3224" />
    <Channel>Security</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1757981266-1303643608-682003330-3856</Data>
    <Data Name="SubjectUserName">scesqluser</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x13ec2</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName" />
    <Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Authz</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">CLINADMIN</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x634</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

In addition, I get this Information message in the Event Viewer and I'm not sure if the two are related:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSSQLSERVER" />
    <EventID Qualifiers="16384">9724</EventID>
    <Level>4</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-02-15T00:41:29.000000000Z" />
    <EventRecordID>4929</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Server.Domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[Microsoft.SystemCenter.Orchestrator.Maintenance].[MaintenanceWorker]</Data>
    <Data>SCE2012_Orchestrator.Microsoft.SystemCenter.Orchestrator.Maintenance.MaintenanceServiceQueue</Data>
    <Data>Could not obtain information about Windows NT group/user 'DOMAIN\SMSadmin', error code 0x5.</Data>
    <Binary>FC2500000A0000000A00000043004C0049004E00410044004D0049004E0000001500000053004300450032003000310032005F004F007200630068006500730074007200610074006F0072000000</Binary>
  </EventData>
</Event>
0
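Adam Brown's advice earlier in the thread was to go through the Sub Status entry on every 4625 and see whether they all match; the last post shows the raw XML form of such a record with a different sub status, 0xc0000064. The following PowerShell is an added example (written for this page, not code from the thread or from Microsoft) that parses records in that XML layout, tallies them by Sub Status with the meaning Microsoft documents for each code, and lists the source address, logon process and calling process behind each bucket. The two sample records are constructed to mirror the thread's values and are not real logs; the function names and the placeholder process path are mine.

```powershell
# Added example, not code from this thread. Parses 4625 records in the XML form shown in
# the last post, tallies them by Sub Status and lists who produces each bucket (source
# address, logon process, calling process), which is the comparison Adam Brown suggested.
# Run in an elevated PowerShell on the machine logging the events. The two sample records
# are constructed to mirror the thread's values and are not real logs; function names are my own.

# Sub Status meanings from Microsoft's documentation of event 4625. 0xC0000133 is the value
# in the original question; 0xC0000064 is the value in the last post.
$SubStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'user name correct, password wrong'
    '0xC0000072' = 'account disabled'
    '0xC0000133' = 'clocks between DC and client too far out of sync'
    '0xC0000234' = 'account locked out'
}

function ConvertFrom-Event4625Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$doc = $EventXml
    # EventData is a flat list of <Data Name="..."> elements; turn it into a lookup table
    $f = @{}
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time         = $doc.Event.System.TimeCreated.SystemTime
        TargetUser   = $f['TargetUserName']
        SubjectUser  = $f['SubjectUserName']
        LogonType    = $f['LogonType']
        SubStatus    = $f['SubStatus']
        LogonProcess = $f['LogonProcessName']
        IpAddress    = $f['IpAddress']
        ProcessName  = $f['ProcessName']
    }
}

function Get-Live4625 {
    param([int]$MaxEvents = 5000)
    # Reading the Security log needs administrator rights or Event Log Readers membership
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-Event4625Xml -EventXml $_.ToXml() }
}

function Show-SubStatusSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($g in ($Events | Group-Object SubStatus | Sort-Object Count -Descending)) {
        $meaning = if ($SubStatusText.ContainsKey($g.Name)) { $SubStatusText[$g.Name] } else { 'not in table' }
        '{0,-12}{1,6}  {2}' -f $g.Name, $g.Count, $meaning
        # Inside each bucket: where the failures come from and which process asked for the logon
        foreach ($src in ($g.Group | Group-Object IpAddress, LogonProcess, ProcessName | Sort-Object Count -Descending)) {
            '    {0,5} x  {1}' -f $src.Count, $src.Name
        }
    }
}

# Constructed samples in the thread's XML layout (placeholder values, not real records)
$SampleClockSkew = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2010-09-15T14:00:00.000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName" />
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000133</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.111.15</Data>
  </EventData>
</Event>
'@
# Second sample: the shape of the last post's record (sub status 0xc0000064, Authz, a local process)
$SampleNoSuchUser = $SampleClockSkew -replace '0xc0000133', '0xc0000064' `
    -replace 'Kerberos', 'Authz' -replace '192\.168\.111\.15', '-' `
    -replace '<Data Name="ProcessName">-', '<Data Name="ProcessName">C:\placeholder\sqlservr.exe'

$parsed = @($SampleClockSkew, $SampleClockSkew, $SampleNoSuchUser) |
    ForEach-Object { ConvertFrom-Event4625Xml -EventXml $_ }
Show-SubStatusSummary -Events $parsed
# Against the live Security log instead:
# Show-SubStatusSummary -Events (Get-Live4625)
```

On the samples the summary shows two events under 0xc0000133 from 192.168.111.15 via Kerberos and one under 0xc0000064 from a local process; on a live log the second grouping line is what separates a fleet-wide clock problem (one sub status, many source addresses) from a single misconfigured service account (one sub status, one calling process).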
