Avatar of rayves

Event 4625, Microsoft Windows Security Auditing

I have a Windows Server 2008 R2 set up as a Hyper-V server. The server is a member of the domain running on the hosted virtual servers, but only uses the local administrator to log on.

After changing the password on the local administrator account it has started generating about 10.000 audit failure events 4625 every day.

No servers or workstations are using any resources on this host server. There are no local services that use the local administrator to log on.

The network information in the error message is blank, so I am not able to figure out where it is coming from. Network logon type (3), but no source name or address.

Any suggestions as to what can be the cause of all these error messages?


The error message is:
An account failed to log on

-Security ID: NULL SID
-Account name:
-Account Domain:
-Logon ID: 0x0

Logon Type: 3

Account for which Logon Failed:
-Security ID: NULL SID
-Account Name: * local administrator*
-Account Domain: *local host name*

Failure Information:
-Failure Reason: Unknown user name or bad password
-Status: 0xc000006d
-Sub Status: 0xc000006a

Process Information:
-Caller Process ID: 0x0
-Caller Process Name:

Network Information:
-Workstation name:
-Source Network Address:
-Source Port:

Detailed Authentication Information:
-Logon Process: NtLmSsp
-Authentication Package: NTLM
-Transited Services:
-Package name (NTLM only):
-Key Length: 0
Avatar of btan

Suspecting a network shared folder, services like IIS installed locally, or a service/program attempting to access the server. All these require such an admin account to run - from any other network component... A change of password will likely invalidate any network (type=3) attempts that use the previously entered password, giving an invalid login. It is good to check whether any programs were installed on the server on or around the date the errors first started appearing.

Note that logon type 3 occurs in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS. Some have shared to set DisableLoopbackCheck for the IIS instance.

We will also want to check for Event ID 4740. This is the event that is generated when an account is locked out. There is a property called "Caller Computer Name" which should identify the computer that the lockout originated from.

Also, to deep dive if need be, please see below.
Turn on Netlogon Debugging:
nltest /dbflag:0x2080ffff
Net Stop Netlogon
Net Start NetLogon
After you restart Net Logon, Net Logon-related activity will be logged to %windir%\debug\netlogon.log

Note: Nltest is included as part of Windows Server 2008 and is also available as part of the Support Tools packages on the installation media for Windows Server 2003

After debugging, you can run the nltest /dbflag:0x0 command from a command prompt to reset the debug flag to 0.
Net Stop Netlogon
Net Start Netlogon
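
One way to summarize the 4625 failures and check for the 4740 lockouts mentioned above (an added PowerShell example, not part of the original posts). The one-day window and the output column names are assumptions; the EventData field names are the ones Windows records for event 4625.

```powershell
# Added example: summarize failed logons (4625) from the local Security log.
# Run from an elevated PowerShell prompt on the affected server.
$since = (Get-Date).AddDays(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData carries the named fields that the event message displays.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        SubStatus   = $data['SubStatus']
        LogonProc   = "$($data['LogonProcessName'])".Trim()
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        CallerProc  = $data['ProcessName']
    }
}

# Which account / source combinations fail most often.
$rows | Group-Object Account, LogonType, SubStatus, Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Failures per hour. A steady rate around the clock is typical of an
# automated process retrying a stored password.
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Lockout events (4740) in the same window, if any were logged.
$lockoutFilter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }
Get-WinEvent -FilterHashtable $lockoutFilter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

When Workstation and SourceIP come back empty for every group, as in the event quoted in the question, the grouping still shows the target account, sub status and hourly pattern to work from.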
Avatar of rayves


Sorry about the late response.

We have no event 4740, but I've done the DisableLoopbackCheck, which hopefully will do the trick once I get to restart the server.
If that doesn't work I'll try the Netlogon Debugging.

Will post again when we see the result from the restart.

Also, other prognoses shared publicly are below.

a) Windows Workgroup logons, printer and file sharing may be a common source of such an issue. All PCs connected to the "Home network" will try to log on to each other for their respective WorkGroup. In some cases they will need accounts and passwords set up on each machine.

b) Quality of Service XML transactions that can go backwards and forwards between your PC/server and the router. Plug and play can attempt to "install" your router, and there are various network exploration and network management tools that can pass data around. If traces can be delved into and it is realised the machine and router have a never-ending conversation about QoS and are getting nowhere fast, we may just uninstall the QoS protocol from the network adapter.

c) Some say it may be related to schannel errors that are very difficult to pinpoint, and once you get them, about the only solution is to reinstall. However, they do not seem to be harmful. One can live with it and rebuild the server.

d) Turned off ports 80, 443, and 4125 on the router and observed the occurrences of 4625 events.
Avatar of rayves


DisableLoopbackCheck did not solve the problem. However, it turns out I should have specified that this was an HP ProLiant server.

The Audit Failure events were caused by HP SIM, as it stores the password used during installation.
I opened an administrative command prompt and ran 'mxpassword -g' to change it.

This solved the Audit Failure problem, but at the same time caused a new problem that I still haven't solved.
The services 'Pegasus WMI Wrapper' and 'OpenSSH server' will not start due to authentication errors.

I'll do some more troubleshooting and either post the solution here (I will be very happy for any tips as well), or post a new ticket in the HP section.