Solved

Troubleshooting logon failure

Posted on 2010-09-23
7
3,371 Views
Last Modified: 2013-12-04
I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/23/2010 11:16:06 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mydomaincontroller.domain.com
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            JohnDoe
      Account Domain:            HLC

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xc00002ee
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the issue. I've looked at services but the user is only on a couple of services and they're running fine.

Can anyone give me some tips on what else I can do to troubleshoot this issue? I'm out of ideas.

At this point I'd make this question worth 1000 pts if I could. :)

Thanks.
0
Question by:snowmizer
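One way to pull the failing 4625 events for this account and see what else the server logged around each one, as an added example that is not part of the original post. It assumes PowerShell's Get-WinEvent on the 2008 R2 domain controller, run locally as an administrator; the account name and Status value are taken from the event text above, and the two-minute window is an assumption.

```powershell
# Added example (not from the original post): list Kerberos 4625 failures for the
# account named in the event above and show what Application/System logged around them.
# Assumes PowerShell 2.0+ with Get-WinEvent, run locally on the DC as an administrator.
param(
    [string]$Account = 'JohnDoe',      # Account Name from the event text above
    [string]$Status  = '0xc00002ee',   # Status field from the event text above
    [int]$WindowMinutes = 2,           # assumed window around each failure
    [int]$MaxEvents = 200              # how far back in the Security log to look
)

# Turn one EventLogRecord into a hashtable of its EventData fields keyed by name,
# so fields are read by name (TargetUserName, Status, ...) rather than by position.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        # -eq is case-insensitive, so '0xC00002EE' and '0xc00002ee' both match
        if ($d.TargetUserName -eq $Account -and $d.Status -eq $Status) {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                LogonType   = $d.LogonType
                Package     = $d.AuthenticationPackageName
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
                CallerPid   = $d.ProcessId
                CallerProc  = $d.ProcessName
                SubStatus   = $d.SubStatus
            }
        }
    }

if (-not $failures) {
    "No 4625 events for $Account with status $Status in the last $MaxEvents Security entries."
    return
}

$failures | Format-Table Time, LogonType, Package, Workstation, SourceIP, CallerPid, CallerProc -AutoSize

# For each failure, list Application and System events within the window so a
# service restart, update install or agent error at the same moment stands out.
foreach ($f in $failures) {
    $start = $f.Time.AddMinutes(-$WindowMinutes)
    $end   = $f.Time.AddMinutes($WindowMinutes)
    "---- Events within $WindowMinutes min of $($f.Time) ----"
    foreach ($log in 'Application', 'System') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName |
            Format-Table -AutoSize
    }
}
```

Fields that are "-" in the original event (Workstation Name, Source Network Address, Caller Process Name) will be empty here as well; the useful part is the timestamp correlation, which is the check the replies below ask for, done for every occurrence rather than one.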
7 Comments
 
LVL 5

Expert Comment

by:epochasset
ID: 33746998
Here's a common one. Check all domain computers for any disconnected (but still present) RDP sessions. They can cause these types of events to show up on the controllers.
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 33747006
Can you tell me if anything shows up in the Application event log?
Also, in the System event log?

Look for events that happened within a couple minutes of this particular error.
0
 

Author Comment

by:snowmizer
ID: 33747411
I looked at the RDP sessions but didn't see anything and there isn't an event in the Application or System event logs that matches this event.

Is it possible that some process is still running that shouldn't be where a reboot might fix the problem? We have a log management agent running on every server. Yesterday we noticed that some of the servers stopped forwarding logs to the central log management server. We figured out that if we restarted the agent on the servers the log data would start forwarding again. I've tried that on this server but that didn't resolve the logon message. We also applied Windows updates this weekend. Maybe something is messed up and needs to be cleared out?
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 33757789
What account is it? Is it ACTUALLY JohnDoe or is it some account that you made for automating something?

If you have an account that you created solely for running a service/application, it could be that the password on that particular account has expired.
0
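The checks suggested in this thread (expired service-account password, which services use the account, and leftover disconnected RDP sessions) gathered into one script, as an added example that is not from the original thread. It assumes Windows Server 2008 R2 with the ActiveDirectory module (present on a DC), English-language schtasks output, and an administrator session; the account name comes from the 4625 event in the question.

```powershell
# Added example (not from the original thread): check a service account's password
# and lockout state in AD, then find where this server uses the account (services,
# scheduled tasks) and whether any disconnected RDP sessions are still present.
# Assumes Windows Server 2008 R2 with the ActiveDirectory module, run as an administrator.
param([string]$Account = 'JohnDoe')   # Account Name from the 4625 event in the question

Import-Module ActiveDirectory

# 1. Password and lockout state. PasswordExpired or LockedOut would explain repeated
#    4625 events for an account that is only ever used by services.
#    BadPwdCount and LastBadPasswordAttempt are per-DC values (not replicated), so
#    query the DC that logged the event.
$user   = Get-ADUser -Identity $Account -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, LockedOut, Enabled, LastBadPasswordAttempt, BadPwdCount
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # fine-grained policies, if any, override this
$user | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, PasswordLastSet,
    @{ Name = 'ExpiresOn'; Expression = {
        if ($_.PasswordNeverExpires -or $maxAge -eq [TimeSpan]::Zero -or -not $_.PasswordLastSet) { 'never' }
        else { $_.PasswordLastSet + $maxAge } } },
    BadPwdCount, LastBadPasswordAttempt | Format-List

# 2. Services on this server whose Log On As identity is the account.
#    Matches "HLC\JohnDoe", ".\JohnDoe" and "JohnDoe@hlc.local" style names.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'
Get-WmiObject Win32_Service | Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

# 3. Scheduled tasks that run as the account. 2008 R2 has no ScheduledTasks module,
#    so parse schtasks CSV output (column names assume English output).
schtasks /query /v /fo csv | ConvertFrom-Csv | Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', Status, 'Last Run Time', 'Last Result' | Format-Table -AutoSize

# 4. Disconnected-but-present RDP sessions on this server; their state column reads "Disc".
query session | Select-String -Pattern 'Disc'
```

A service or task that is still configured with the account but shows a non-zero Last Result, or an account whose ExpiresOn date has passed, is the kind of local cause the question's blank Network Information section points at; the RDP check is per server, so run it on each machine that might hold a session for the account.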
 

Author Comment

by:snowmizer
ID: 33822257
The account is an account we created for running services. It's used on all of our servers yet this one was the only one reporting the error. We ended up rebooting the server and so far this message has gone away. If it happens again I'll post on this question and let you guys know.

Thanks for all of the suggestions.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171281
Question PAQ'd and stored in the solution database.
0

