Solved

Troubleshooting logon failure

Posted on 2010-09-23
Last Modified: 2013-12-04
I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/23/2010 11:16:06 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mydomaincontroller.domain.com
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            JohnDoe
      Account Domain:            HLC

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xc00002ee
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the issue. I've looked at services but the user is only on a couple of services and they're running fine.

Can anyone give me some tips on what else I can do to troubleshoot this issue? I'm out of ideas.

At this point I'd make this question worth 1000 pts if I could. :)

Thanks.
Question by:snowmizer
7 Comments
 
LVL 5

Expert Comment

by:epochasset
ID: 33746998
Here's a common one. Check all domain computers for any disconnected (but still present) RDP sessions. They can cause these types of events to show up on the controllers.
 
LVL 7

Expert Comment

by:JohnThePro
ID: 33747006
Can you tell me if anything shows up in the Application event log?
Also, in the System event log?

Look for events that happened within a couple minutes of this particular error.
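
The correlation suggested in this comment, as an added PowerShell example (not part of the original thread): it pulls the 4625 failures for the account named in the posted event and lists Application and System events around each one. The 24-hour lookback and the two-minute window are assumptions; run it elevated on the domain controller.

```powershell
# Added example: correlate 4625 failures for one account with nearby
# Application/System events on the same server.
$Account  = 'JohnDoe'                     # account named in the posted event
$Window   = [TimeSpan]::FromMinutes(2)    # assumed meaning of "a couple minutes"
$Lookback = (Get-Date).AddHours(-24)      # assumed search period

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
$failures = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Lookback
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData carries the description fields as named <Data> elements
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated  = $evt.TimeCreated
            Account      = $data['TargetUserName']
            Status       = $data['Status']
            SubStatus    = $data['SubStatus']
            LogonType    = $data['LogonType']
            LogonProcess = $data['LogonProcessName']
            SourceAddr   = $data['IpAddress']
            CallerProc   = $data['ProcessName']
        }
    } |
    Where-Object { $_.Account -eq $Account }

foreach ($f in $failures) {
    # '-' or empty here corresponds to the blank "Network Information" section
    $noSource = [string]::IsNullOrEmpty($f.SourceAddr) -or $f.SourceAddr -eq '-'
    $stamp    = $f.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    '{0}  status={1} sub={2} type={3} logonProc={4} caller={5} noSourceAddress={6}' -f $stamp,
        $f.Status, $f.SubStatus, $f.LogonType, $f.LogonProcess, $f.CallerProc, $noSource

    # Everything logged in the other two logs inside the window around the failure
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Application', 'System'
            StartTime = $f.TimeCreated - $Window
            EndTime   = $f.TimeCreated + $Window
        } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, LogName, Id, ProviderName, LevelDisplayName -AutoSize
}
```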
 

Author Comment

by:snowmizer
ID: 33747411
I looked at the RDP sessions but didn't see anything and there isn't an event in the Application or System event logs that matches this event.

Is it possible that some process is still running that shouldn't be where a reboot might fix the problem? We have a log management agent running on every server. Yesterday we noticed that some of the servers stopped forwarding logs to the central log management server. We figured out that if we restarted the agent on the servers the log data would start forwarding again. I've tried that on this server but that didn't resolve the logon message. We also applied Windows updates this weekend. Maybe something is messed up and needs to be cleared out?
 
LVL 7

Expert Comment

by:JohnThePro
ID: 33757789
What account is it? Is it ACTUALLY JohnDoe or is it some account that you made for automating something?

If you have an account that you created solely for running a service/application, it could be that the password on that particular account has expired.
 

Author Comment

by:snowmizer
ID: 33822257
The account is an account we created for running services. It's used on all of our servers yet this one was the only one reporting the error. We ended up rebooting the server and so far this message has gone away. If it happens again I'll post on this question and let you guys know.

Thanks for all of the suggestions.
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171281
Question PAQ'd and stored in the solution database.