A little weird one here - I'm troubleshooting some IIS issues across a few servers and sites. Essentially, I have a PBX system that uses Windows servers at each location. When I am on the management web page, and I drill down to a specific remote site server (to check its status) we get a permissions error.
Now, how the PBX system works is fairly specific, and isn't necessarily the issue. So, looking into the HTTP logs on the remote server, I get a large number of AppPool errors:
On the HQ server, I get numerous Audit failures in the audit log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/27/2012 9:52:58 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: petntsps.domain.local
Description:
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: FRENTSPS$
    Account Domain: domain

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: FRENTSPS
    Source Network Address: 192.168.81.30
    Source Port: 55676

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-27T17:52:58.176111900Z" />
    <EventRecordID>4888159</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="202484" />
    <Channel>Security</Channel>
    <Computer>petntsps.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">FRENTSPS$</Data>
    <Data Name="TargetDomainName">domain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">FRENTSPS</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.81.30</Data>
    <Data Name="IpPort">55676</Data>
  </EventData>
</Event>
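For triaging a large number of these 4625 events, the following is an added example (not part of the original post) that parses the Event XML form shown above, decodes the Status and SubStatus codes, and counts failures per source and account. The function names `parse_4625` and `summarize` are hypothetical, and the sample is a trimmed, constructed copy of the posted event.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS codes that commonly appear in the Status/SubStatus fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "interactive", 3: "network"}  # the two types the event text names

# Constructed sample: a trimmed copy of the event posted above.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>petntsps.domain.local</Computer></System>
<EventData>
<Data Name="TargetUserName">FRENTSPS$</Data><Data Name="TargetDomainName">domain</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">192.168.81.30</Data>
</EventData></Event>"""

def parse_4625(xml_text):
    """Return the triage-relevant fields of one 4625 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    d = {n.get("Name"): (n.text or "").strip()
         for n in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "account": d["TargetDomainName"] + "\\" + d["TargetUserName"],
        "machine_account": d["TargetUserName"].endswith("$"),  # computer accounts end in $
        "source": d["IpAddress"],
        "package": d["AuthenticationPackageName"],
        "logon_type": LOGON_TYPES.get(int(d["LogonType"]), d["LogonType"]),
        "status": NTSTATUS.get(int(d["Status"], 16), d["Status"]),
        "sub_status": NTSTATUS.get(int(d["SubStatus"], 16), d["SubStatus"]),
    }

def summarize(events):
    """Count failures per (source, account, sub_status) to surface one repeating cause."""
    return Counter((e["source"], e["account"], e["sub_status"])
                   for e in events if e)
```
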