Solved

Troubleshooting logon failure

Posted on 2010-09-23
Last Modified: 2013-12-04
I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/23/2010 11:16:06 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mydomaincontroller.domain.com
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            JohnDoe
      Account Domain:            HLC

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xc00002ee
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the issue. I've looked at services but the user is only on a couple of services and they're running fine.

Can anyone give me some tips on what else I can do to troubleshoot this issue? I'm out of ideas.

At this point I'd make this question worth 1000 pts if I could. :)

Thanks.
Question by:snowmizer
7 Comments
 
LVL 5

Expert Comment

by:epochasset
ID: 33746998
Here's a common one. Check all domain computers for any disconnected (but still present) RDP sessions. They can cause these types of events to show up on the controllers.
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 33747006
Can you tell me if anything shows up in the Application event log?
Also, in the System event log?

Look for events that happened within a couple minutes of this particular error.
0
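
The correlation suggested in the comment above, as an added example (it is not part of any poster's reply): it summarizes the 4625 failures for the account and lists what the System and Application logs recorded around the most recent one. The account name and the two-minute window come from the thread; the 500-event cap is an assumption.

```powershell
# Added example. $account and the two-minute window come from the thread;
# the 500-event cap is an assumption. Run elevated on the DC that logs the 4625s.
$account = 'JohnDoe'
$window  = [TimeSpan]::FromMinutes(2)

# 1. Read recent 4625 events and flatten the named EventData fields.
#    New-Object PSObject keeps this usable on PowerShell 2.0 (Server 2008 R2).
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                         -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Account     = $f['TargetUserName']
            Status      = $f['Status']
            SubStatus   = $f['SubStatus']
            LogonType   = $f['LogonType']
            Package     = $f['AuthenticationPackageName']
            Workstation = $f['WorkstationName']
            SourceIp    = $f['IpAddress']
            Process     = $f['ProcessName']
        }
    } | Where-Object { $_.Account -eq $account }

# 2. Do all failures share one shape (status, logon type, package, empty source)?
$failures | Group-Object Status, LogonType, Package, SourceIp |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 3. What else was logged around the most recent failure?
$latest = $failures | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($latest) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        StartTime = $latest.TimeCreated.Subtract($window)
        EndTime   = $latest.TimeCreated.Add($window)
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, LogName, ProviderName, Id, LevelDisplayName -AutoSize
}
```
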
 

Author Comment

by:snowmizer
ID: 33747411
I looked at the RDP sessions but didn't see anything and there isn't an event in the Application or System event logs that matches this event.

Is it possible that some process is still running that shouldn't be where a reboot might fix the problem? We have a log management agent running on every server. Yesterday we noticed that some of the servers stopped forwarding logs to the central log management server. We figured out that if we restarted the agent on the servers the log data would start forwarding again. I've tried that on this server but that didn't resolve the logon message. We also applied Windows updates this weekend. Maybe something is messed up and needs to be cleared out?
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 33757789
What account is it? Is it ACTUALLY JohnDoe or is it some account that you made for automating something?

If you have an account that you created solely for running a service/application, it could be that the password on that particular account has expired.
0
 

Author Comment

by:snowmizer
ID: 33822257
The account is an account we created for running services. It's used on all of our servers yet this one was the only one reporting the error. We ended up rebooting the server and so far this message has gone away. If it happens again I'll post on this question and let you guys know.

Thanks for all of the suggestions.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171281
Question PAQ'd and stored in the solution database.
0
