asked on
Event 4625, Microsoft Windows Security Auditing
I have a Windows Server 2008 R2 set up as a Hyper-V server. The server is a member of the domain running on the hosted virtual servers, but does only use local administrator to log on.
After changing the password on the local administrator account it has started generating about 10.000 audit failure events 4625 every day.
No servers or Workstations are using any resoures on this host server. There are no local services that uses the local administrator to logon.
The Network information in the error message is blank, so I am not able to figure out where it is comming from. Network logon type (3), but no source name or address.
Any suggestions as to what can be the cause of all these error Messages?
Thanks
______________________
The error message is:
An account failed to log on
Subject:
-Security ID: NULL SID
-Account name:
-Account Domain:
-Logon ID: 0x0
Logon Type: 3
Account for which Logon Failed:
-Security ID: NULL SID
-Account Name: * local administrator*
-Account Domain: *local host name*
Failure Information:
-Failure Reason: Unknown user name or bad password
-Status: 0xc000006d
-Sub Status: 0xc000006a
Process Information:
-Caller Process ID: 0x0
-Caller Process Name:
Network Information:
-Workstation name:
-Source Network Address:
-Source Port:
Detailed Authentication Information:
-Logon Process: NtLmSsp
-Authentication Package: NTML
-Transited Services:
-Package name (NTML only):
Key Lenght: 0
After changing the password on the local administrator account it has started generating about 10.000 audit failure events 4625 every day.
No servers or Workstations are using any resoures on this host server. There are no local services that uses the local administrator to logon.
The Network information in the error message is blank, so I am not able to figure out where it is comming from. Network logon type (3), but no source name or address.
Any suggestions as to what can be the cause of all these error Messages?
Thanks
______________________
The error message is:
An account failed to log on
Subject:
-Security ID: NULL SID
-Account name:
-Account Domain:
-Logon ID: 0x0
Logon Type: 3
Account for which Logon Failed:
-Security ID: NULL SID
-Account Name: * local administrator*
-Account Domain: *local host name*
Failure Information:
-Failure Reason: Unknown user name or bad password
-Status: 0xc000006d
-Sub Status: 0xc000006a
Process Information:
-Caller Process ID: 0x0
-Caller Process Name:
Network Information:
-Workstation name:
-Source Network Address:
-Source Port:
Detailed Authentication Information:
-Logon Process: NtLmSsp
-Authentication Package: NTML
-Transited Services:
-Package name (NTML only):
Key Lenght: 0
Windows Server 2008OS SecurityNetwork Security
Last Comment
btan
ASKER
Sorry about the late response.
We have no event 4740, but I've done the DisableLoopbackCheck which hopefully will do the trick once I get to restart the server.
If that doesn't work I'll try the Netlogon Debugging.
Will post again when we see the result from the restart.
Thanks
We have no event 4740, but I've done the DisableLoopbackCheck which hopefully will do the trick once I get to restart the server.
If that doesn't work I'll try the Netlogon Debugging.
Will post again when we see the result from the restart.
Thanks
Also other prognosis in public shared below
a) Windows Workgroup logons, printer and file sharing may be common source of such issue. All PC's connected to the "Home network" will try and logon to each other for their respective WorkGroup. In some cases they will need accounts and passwords setup on each machine.
b) Quality of Service XML transactions that can go on backwards and forwards between your PC/Server and the router. Plug and play can attempt to "install" your router and there are various network exploration network management exploration tools that can pass data around. If traces can be delved into and realised machine and router have a never ending conversation about QoS and getting nowhere fast, we may just uninstalled the QoS protocol from the Network Adapter.
c) some say may be related to schannel errors that are very difficult to pinpoint and once you get them, about the only solution is to reinstall. However, they do not seem to be harmful. One live with it and rebuild the server.
d) turned off ports 80, 443, and 4125 on router and observed the 4625 events occurrences.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c6b0d058-98d0-4572-8a72-e18e353b04fd/numerous-4625-errors-in-the-event-log?forum=winserversecurity
a) Windows Workgroup logons, printer and file sharing may be common source of such issue. All PC's connected to the "Home network" will try and logon to each other for their respective WorkGroup. In some cases they will need accounts and passwords setup on each machine.
b) Quality of Service XML transactions that can go on backwards and forwards between your PC/Server and the router. Plug and play can attempt to "install" your router and there are various network exploration network management exploration tools that can pass data around. If traces can be delved into and realised machine and router have a never ending conversation about QoS and getting nowhere fast, we may just uninstalled the QoS protocol from the Network Adapter.
c) some say may be related to schannel errors that are very difficult to pinpoint and once you get them, about the only solution is to reinstall. However, they do not seem to be harmful. One live with it and rebuild the server.
d) turned off ports 80, 443, and 4125 on router and observed the 4625 events occurrences.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c6b0d058-98d0-4572-8a72-e18e353b04fd/numerous-4625-errors-in-the-event-log?forum=winserversecurity
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
DisableLoopbackCheck did not solve the problem. However, it turns out I should have specified that this was a HP Proliant Server.
The Audit Failure events was caused by HP SIM, as it stores the password used during installation.
I opened an administrative command prompt and ran 'mxpassword -g' to change it.
(http://h18013.www1.hp.com/products/servers/management/hpsim/info-library5/mxpassword.1m.html)
This solved the Audit Failure problem, but at the same time caused a new problem that I still haven't solved.
The services 'Pegasus WMI Wrapper' and 'OpenSSH server' will not start due to authentication errors.
I'll do some more troubleshooting and either post the solution here (I will be very happy for any tips as well), or post a new ticket in the HP section.
The Audit Failure events was caused by HP SIM, as it stores the password used during installation.
I opened an administrative command prompt and ran 'mxpassword -g' to change it.
(http://h18013.www1.hp.com/products/servers/management/hpsim/info-library5/mxpassword.1m.html)
This solved the Audit Failure problem, but at the same time caused a new problem that I still haven't solved.
The services 'Pegasus WMI Wrapper' and 'OpenSSH server' will not start due to authentication errors.
I'll do some more troubleshooting and either post the solution here (I will be very happy for any tips as well), or post a new ticket in the HP section.
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Note that logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. Some shared to set DisableLoopbackCheck for iis instance
We will also want to check out for te Event ID 4740. This the event that is generated when an account is locked out. There is a property called "Caller Computer Name" which should identify the computer that the lockout originated from.
Also to deep dive if need be, pse see below