BigZWillis
Failure Audit for Logon Process Advapi

I have a mixed Server 2003 and Server 2008 environment across 4 offices. Every 15 minutes on my main domain controller (Server 2003) I am getting a Failure Audit, eventID 529, that reads something like this (words in capitals have been changed to generic):

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      DOMAIN ADMIN
       Domain:            DOMAIN
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      2003 DOMAIN CONTROLLER
       Caller User Name:      2003 DOMAIN CONTROLLER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
       Source Port:      4063 - PORT ALWAYS CHANGES


I also see this error on the other domain controllers (all 2008 machines), though not nearly as often, maybe once a day. However, they read a little different. Something like this:

An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            2008 DOMAIN CONTROLLER$
      Account Domain:            DOMAIN
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            DOMAIN ADMIN
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x298
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      2008 DOMAIN CONTROLLER
      Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
      Source Port:            4110

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

The source IP is always the OLD EXCHANGE SERVER / ANTI VIRUS SERVER (but the workstation name is always the DC). All Exchange services on that box are disabled and no longer in use, including SMTP. The anti virus processes are all using the local service account. I've looked through all the services on the OLD EXCHANGE SERVER / ANTI VIRUS SERVER and none are using the DOMAIN ADMIN account.

Any idea what could be causing these errors? The OLD EXCHANGE SERVER / ANTI VIRUS SERVER is in the same office as the 2003 DOMAIN CONTROLLER, and that is the only server on which it gets logged every 15 minutes on the dot. I've searched Google for these errors but nothing really seems to apply to my situation. No services seem to be causing it, the IIS settings look correct, and I'm running out of things to look for. Any help would be appreciated. Thanks.
Spike99

I would check the Security Event log on the old exchange server.

Recently, we found a similar series of errors when a user was having issues with getting locked out a lot.  I found those events on one of our domain controllers, but our messages mentioned our production exchange server.  When I checked for a similar error on the exchange server at the same time stamp, I found a series of "failure audit" and "success audit" messages that gave me the name of the system from which the bad password attempt was originating.

In another case, it only gave me the IP address, but using that information we were able to figure out that the user had configured an Outlook profile on that PC before he had changed his password. It wasn't a computer he used anymore, so his account was getting locked out every time Outlook tried to connect using that other PC because it had a bad password. The local IT staff resolved the problem by removing his Outlook profile from that PC.

I hope this helps.

Alicia
BigZWillis (asker)
Thanks for the reply... Unfortunately that doesn't seem to be my situation. I have looked at the logs on the old Exchange server and nothing seems to match up. In addition, all Exchange services on the server are no longer running. Exchange has been moved to a hosted solution... This server is basically just an anti virus server at this point. Thanks.
I turned on some more auditing and found another error to go along with the first; this happens every 15 minutes as well. There are about 20 of these logged at once every 15 minutes. They go something like this (Event ID 675):

Pre-authentication failed:
       User Name:      DOMAIN ADMIN
       User ID:            DOMAIN\DOMAIN ADMIN
       Service Name:      krbtgt/DOMAIN
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER

Does that help?

It must be a service or a scheduled task that's running on a regular basis which is trying to use out of date credentials.

What is "krbtgt"?  Is that the name of a service or system?
It's the Key Distribution Center service account. I've checked all services and tasks... That was my first thought. There isn't a single service running on OLD EXCHANGE SERVER / ANTI VIRUS SERVER that isn't using either the local system or network service account. And the only scheduled task is a daily backup that is not having issues. There also are no services on the server set to run as the domain admin, so that is why I'm having issues tracking it down...
Anyone?
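As an added triage helper (not from the thread or any of its participants), the script below parses event bodies in the 529/4625 and 675 layouts quoted above and reports, per (account, source address) pair, the median gap in minutes between failures, so a fixed cadence like the 15-minute one described here shows up as a number and points at a scheduled job or service on the source host. Account names, addresses and timestamps in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample bodies in the layouts quoted above (4625 and 675); all values are placeholders.
EV4625 = ("An account failed to log on.\nSubject:\n      Account Name:            DC2008$\n"
          "Account For Which Logon Failed:\n      Security ID:            NULL SID\n"
          "      Account Name:            {acct}\nFailure Information:\n"
          "      Status:                  0xc000006d\n      Sub Status:            0xc000006a\n"
          "Network Information:\n      Source Network Address:      {src}\n")
EV675 = ("Pre-authentication failed:\n       User Name:      {acct}\n"
         "       Failure Code:      0x18\n       Client Address:      {src}\n")
SAMPLE = [(f"2010-05-01 08:{m:02d}:00", EV4625.format(acct="domainadmin", src="10.0.0.25"))
          for m in (0, 15, 30, 45)]
SAMPLE += [("2010-05-01 08:15:00", EV675.format(acct="domainadmin", src="10.0.0.25")),
           ("2010-05-01 08:20:00", EV4625.format(acct="jsmith", src="10.0.0.77"))]

SECTION = re.compile(r"^(\S[^:]*):\s*$")      # e.g. "Account For Which Logon Failed:"
FIELD = re.compile(r"^\s+([^:]+):\s+(.*)$")    # indented "Key:   value" line

def parse_event(text):
    """Map 'section/key' -> value; the prefix separates a 4625's two 'Account Name' lines."""
    fields, section = {}, ""
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := FIELD.match(line):
            fields[f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
    return fields

def target_and_source(fields):
    """(account that failed, source address) for a 529/4625 or 675 event."""
    acct = (fields.get("Account For Which Logon Failed/Account Name")
            or fields.get("Pre-authentication failed/User Name")
            or fields.get("Logon Failure/User Name"))
    src = (fields.get("Network Information/Source Network Address")
           or fields.get("Pre-authentication failed/Client Address")
           or fields.get("Logon Failure/Source Network Address"))
    return acct, src

def periodic_sources(events, min_count=3):
    """Median minutes between failures per (account, source). A steady gap such as
    15.0 points at a task or service on the source host rather than a person."""
    times = defaultdict(list)
    for ts, text in sorted(events):            # timestamps sort lexically in this form
        times[target_and_source(parse_event(text))].append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {k: round(median((b - a).total_seconds() / 60 for a, b in zip(t, t[1:])), 1)
            for k, t in times.items() if len(t) >= min_count}
```

Feed it the text of exported Security log events (one tuple per event) and any pair with a tight, repeating gap is the one to chase on the source host.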
ASKER CERTIFIED SOLUTION
BigZWillis
It worked