Solved

Troubleshooting logon failure

Posted on 2010-09-23
Last Modified: 2013-12-04
I am trying to troubleshoot a logon failure we are receiving (DC running Windows 2008 R2). This weekend we started getting the following message:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/23/2010 11:16:06 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mydomaincontroller.domain.com
Description:
An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            JohnDoe
      Account Domain:            HLC

Failure Information:
      Failure Reason:            An Error occured during Logon.
      Status:                  0xc00002ee
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

I've tried capturing packets with Wireshark to see if I can see what's generating the traffic but haven't had any luck. Based on the fact that the "Network Information" is blank I'm thinking that this is some local process on the server that's causing the issue. I've looked at services but the user is only on a couple of services and they're running fine.

Can anyone give me some tips on what else I can do to troubleshoot this issue? I'm out of ideas.

At this point I'd make this question worth 1000 pts if I could. :)

Thanks.
Question by:snowmizer
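As an added example that is not part of the original thread: a PowerShell script that pulls the 4625 events the poster is seeing out of the Security log, decodes the Status/SubStatus codes documented for that event (0xC00002EE is the one above), groups the failures by the fields that distinguish a local process from a remote client (status, logon type, authentication package, source address, workstation), and then lists Application and System events within a couple of minutes of the most recent failure, which is the correlation suggested further down the thread. The account name JohnDoe and the two-minute window come from the thread; the script name, parameters and status table are assumptions of this example, and it needs PowerShell 3.0 or later running elevated on the DC.

```powershell
# Added example, not code from the original thread. Summarise recent 4625
# (logon failure) events for one account and correlate them with the
# Application/System logs. Assumes PowerShell 3.0+ and an elevated session.
param(
    [string]$Account       = 'JohnDoe',   # account from the thread's event
    [int]$Hours            = 24,          # how far back to look
    [int]$WindowMinutes    = 2            # correlation window suggested in the thread
)

# Status/SubStatus values documented for event 4625 (keys normalised to upper-case hex).
$StatusText = @{
    '0xC000006D' = 'bad user name or password (see SubStatus)'
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist'
    '0xC000006E' = 'account restriction'
    '0xC000006F' = 'outside permitted logon hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000224' = 'password must be changed at next logon'
    '0xC0000234' = 'account locked out'
    '0xC00002EE' = 'an error occurred during logon'
}

function ConvertTo-HexKey([string]$Raw) {
    # The event XML renders codes as lower-case ("0xc00002ee"); normalise for lookup.
    if (-not $Raw -or $Raw.Length -lt 3) { return $Raw }
    '0x' + $Raw.Substring(2).ToUpper()
}

function Get-FailedLogons {
    param([string]$Account, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($Account -and $d.TargetUserName -ne $Account) { return }   # skip other accounts
        $status = ConvertTo-HexKey $d.Status
        $meaning = if ($StatusText.ContainsKey($status)) { $StatusText[$status] } else { 'unknown' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            Status      = $status
            SubStatus   = ConvertTo-HexKey $d.SubStatus
            Meaning     = $meaning
            AuthPkg     = $d.AuthenticationPackageName
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
            Process     = $d.ProcessName
        }
    }
}

function Get-NearbyEvents {
    # Application/System events within +/- $Minutes of a failure, first line of each message.
    param([datetime]$When, [int]$Minutes)
    $filter = @{
        LogName   = 'Application', 'System'
        StartTime = $When.AddMinutes(-$Minutes)
        EndTime   = $When.AddMinutes($Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$failures = @(Get-FailedLogons -Account $Account -Hours $Hours)
if ($failures.Count -eq 0) {
    Write-Output "No 4625 events for $Account in the last $Hours hours."
    return
}

# Pattern summary. Blank Source/Workstation with LogonType 3 and Kerberos, as in the
# thread, points at a caller on the DC itself rather than a remote client.
$failures | Group-Object Status, LogonType, AuthPkg, Source, Workstation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Correlate the most recent failure with the other logs.
$latest = $failures | Sort-Object Time -Descending | Select-Object -First 1
Write-Output "Application/System events within $WindowMinutes min of $($latest.Time) ($($latest.Meaning)):"
Get-NearbyEvents -When $latest.Time -Minutes $WindowMinutes | Format-Table -AutoSize
```

Run it as `.\Get-LogonFailures.ps1 -Account JohnDoe -Hours 48` (the file name is an assumption). If the grouping shows a single repeating pattern with empty network fields, the next step is the one the poster took: look at what on the DC runs under that account.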
7 Comments
 
LVL 5

Expert Comment

by:epochasset
ID: 33746998
Here's a common one. Check all domain computers for any disconnected (but still present) RDP sessions. They can cause these types of events to show up on the controllers.
 
LVL 7

Expert Comment

by:John Jennings
ID: 33747006
Can you tell me if anything shows up in the Application event log?
Also, in the System event log?

Look for events that happened within a couple minutes of this particular error.
 

Author Comment

by:snowmizer
ID: 33747411
I looked at the RDP sessions but didn't see anything and there isn't an event in the Application or System event logs that matches this event.

Is it possible that some process is still running that shouldn't be, where a reboot might fix the problem? We have a log management agent running on every server. Yesterday we noticed that some of the servers stopped forwarding logs to the central log management server. We figured out that if we restarted the agent on the servers the log data would start forwarding again. I've tried that on this server but that didn't resolve the logon message. We also applied Windows updates this weekend. Maybe something is messed up and needs to be cleared out?
 
LVL 7

Expert Comment

by:John Jennings
ID: 33757789
What account is it? Is it ACTUALLY JohnDoe or is it some account that you made for automating something?

If you have an account that you created solely for running a service/application, it could be that the password on that particular account has expired.
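As an added example (not code from the thread or from either participant) covering both the poster's "I've looked at services but the user is only on a couple of services" and the suggestion above that a service account's password may have expired: a PowerShell script that reads the account's state from Active Directory (enabled, locked out, password expired, password last set, computed expiry, bad-password counters) and lists every Windows service on a set of servers whose logon identity is that account. It assumes the ActiveDirectory module (present on a 2008 R2 DC or with RSAT) and WMI access to the servers; the account and server names are placeholders taken from the thread's event. One caveat worth knowing when reading the thread's event: the Service Control Manager starting a service logs type 5, so the type 3 (network) failure on the DC is produced when something already running under the account authenticates to the DC over the network, which is consistent with a service holding a stale credential.

```powershell
# Added example, not from the original thread. Check an AD service account's state
# and find the services that run under it. Assumes the ActiveDirectory module and
# WMI/DCOM access to each server; names below are placeholders from the thread.
param(
    [string]$Account   = 'HLC\JohnDoe',        # DOMAIN\sam from the thread's event
    [string[]]$Servers = @($env:COMPUTERNAME)   # servers to inspect
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-ServiceAccountState {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires,
            PasswordExpired, LockedOut, Enabled, BadLogonCount, LastBadPasswordAttempt,
            'msDS-UserPasswordExpiryTimeComputed'

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; "never expires" (and a domain
    # with no maximum password age) yields Int64.MaxValue, which FromFileTime rejects.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($u.PasswordNeverExpires -or -not $raw -or [int64]$raw -ge [int64]::MaxValue) {
        'never'
    } else {
        [datetime]::FromFileTime([int64]$raw)
    }

    # BadLogonCount / LastBadPasswordAttempt are not replicated; they reflect the DC queried.
    [pscustomobject]@{
        Account                = $u.SamAccountName
        Enabled                = $u.Enabled
        LockedOut              = $u.LockedOut
        PasswordExpired        = $u.PasswordExpired
        PasswordLastSet        = $u.PasswordLastSet
        PasswordExpires        = $expires
        BadLogonCount          = $u.BadLogonCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
    }
}

function Get-ServicesRunningAs {
    # Match on the sam part so both "HLC\JohnDoe" and "JohnDoe@hlc.example" forms are found.
    param([string]$Account, [string[]]$Servers)
    $sam = $Account.Split('\')[-1]
    foreach ($server in $Servers) {
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
                Where-Object { $_.StartName -and $_.StartName -like "*$sam*" } |
                Select-Object @{ n = 'Server'; e = { $server } }, Name, State, StartMode, StartName
        } catch {
            Write-Warning "Could not query services on ${server}: $($_.Exception.Message)"
        }
    }
}

$sam = $Account.Split('\')[-1]
Write-Output "Account state for $Account (as seen by $env:LOGONSERVER):"
Get-ServiceAccountState -SamAccountName $sam | Format-List

Write-Output "Services running as ${sam}:"
Get-ServicesRunningAs -Account $Account -Servers $Servers | Format-Table -AutoSize
```

A `PasswordLastSet` that is newer than the credential stored in any listed service, or `PasswordExpired` being true, is the situation the comment above describes; if the account checks out and the only services using it are healthy, that supports the poster's guess that something transient on the box was holding the account, which is what the reboot later in the thread cleared.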
 

Author Comment

by:snowmizer
ID: 33822257
The account is an account we created for running services. It's used on all of our servers, yet this one was the only one reporting the error. We ended up rebooting the server and so far this message has gone away. If it happens again I'll post on this question and let you guys know.

Thanks for all of the suggestions.
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171281
Question PAQ'd and stored in the solution database.
