• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3707
  • Last Modified:

Troubleshooting logon failure

I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/23/2010 11:16:06 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mydomaincontroller.domain.com
An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            JohnDoe
      Account Domain:            HLC

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xc00002ee
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the issue. I've looked at services but the user is only on a couple of services and they're running fine.

Can anyone give me some tips on what else I can do to troubleshoot this issue? I'm out of ideas.

At this point I'd make this question worth 1000 pts if I could. :)

1 Solution
Heres a common one.  Check all domain computers for any disconnected (but still present) RDP sessions.  They can cause these types of events to show up on the controllers.
John JenningsOwnerCommented:
Can you tell me if anything shows up in the Application event log?
Also, in the System event log?

Look for events that happened within a couple minutes of this particular error.
snowmizerAuthor Commented:
I looked at the RDP sessions but didn't see anything and there isn't an event in the Application or System event logs that matches this event.

Is it possible that some process is still running that shouldn't be where a reboot might fix the problem? We have a log management agent running on every server. Yesterday we noticed that some of the servers stopped forwarding logs to the central log management server. We figured out that if we restarted the agent on the servers the log data would start forwarding again. I've tried that on this server but that didn't resolve the logon message. We also applied Windows updates this weekend. Maybe something is messed up and needs to be cleared out?
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

John JenningsOwnerCommented:
What account is it? Is it ACTUALLY JohnDoe or is it some account that you made for automating something?

If you have an account that you created solely for running a service/application, it could be that the password on that particular account has expired.
snowmizerAuthor Commented:
The account is an account we created for running services. It's used on all of our servers yet this one was the only one reporting the error. We ended up rebooting the server and so far this message has gone away. If it happens again I'll post on this question and let you guys know.

Thanks for all of the suggestions.
Question PAQ'd and stored in the solution database.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now