revo1059 asked:

CRM and domain audit log

We are seeing hundreds/thousands of log entries identical to the one below, between 5 and 7 a second.

The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      (the crm admin user)
Source Workstation:      (crm server)
Error Code:      0x0e

It says below each time Audit Success.

If I shut down the CRM email then the entries stop.

What would cause it to do that and is it normal? I had 610,000 events in the log before I cleared it. I clear it and the entries start piling up again. I rebooted the CRM server and it started back up and the entries started again.
Chinmay Patel

Hi Revo1059,

Are you sure the error code we are getting is: 0x0e?

Have you expanded the error details? Is there any other information available?

Regards,
Chinmay.
revo1059 (ASKER)

It's a copy/paste so that's exactly what the error code is. Since it says audit successful there doesn't appear to be much more info.
Alright. In the Audit log, when you see these entries, there are two tabs. One is General and the other is Details. In Details you have an option to select XML View. Please post what you see in the details. I do not think there is something wrong with these entries; I just want to verify if we have something else going on. For a normal desktop, it can reach 6 to 7 thousand (even more in a corporate environment) in a month, so I am sure for a server this number is going to be high. If the Email router is the root cause then we may have to check on the email router's end.
Is there anything suspicious going on with email router logs?
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-16T14:45:45.902140700Z" />
    <EventRecordID>386284080</EventRecordID>
    <Correlation />
    <Execution ProcessID="572" ThreadID="2228" />
    <Channel>Security</Channel>
    <Computer>(company computer)</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">crmadmin</Data>
    <Data Name="Workstation">CRM-SRV-2K8R2</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
So this is a normal event log entry, you can find more details here:

https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4776
Are you using a single box setup? i.e. domain controller and everything installed on a single machine?
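
Added example, not posted by any participant in this thread: one way to size up a flood of 4776 events from an XML export of the Security log is to group them by account, source workstation and status, and measure the peak per-second rate. It assumes the exported `<Event>` elements sit under a single root element; the function name `summarize_4776`, the helper `_event` and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

def summarize_4776(xml_text):
    """Count 4776 events by (account, workstation, status) and find the peak rate."""
    root = ET.fromstring(xml_text)
    by_key = Counter()      # (account, workstation, status) -> event count
    per_second = Counter()  # "YYYY-MM-DDTHH:MM:SS" -> event count
    # iter() also matches the root, so a single <Event> document works too.
    for ev in root.iter("{%s}Event" % NS_URI):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        status = int(data.get("Status") or "0x0", 16)  # 0x0 = credentials validated
        by_key[(data.get("TargetUserName"), data.get("Workstation"), status)] += 1
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        per_second[stamp[:19]] += 1  # drop fractional seconds to bucket per second
    return {
        "total": sum(by_key.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "by_key": dict(by_key),
        "failures": {k: n for k, n in by_key.items() if k[2] != 0},
    }

def _event(stamp, user, status):
    # Constructed sample event, reduced to the fields the summary reads.
    return (
        f'<Event xmlns="{NS_URI}"><System><EventID>4776</EventID>'
        f'<TimeCreated SystemTime="{stamp}" /></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        '<Data Name="Workstation">CRM-SRV-2K8R2</Data>'
        f'<Data Name="Status">{status}</Data></EventData></Event>'
    )

# Constructed input: timestamps, the second account and its status are made up.
SAMPLE = "<Events>" + "".join([
    _event("2018-01-16T14:45:45.902140700Z", "crmadmin", "0x0"),
    _event("2018-01-16T14:45:45.950000000Z", "crmadmin", "0x0"),
    _event("2018-01-16T14:45:45.990000000Z", "crmadmin", "0x0"),
    _event("2018-01-16T14:45:46.100000000Z", "svc-example", "0xC000006A"),
]) + "</Events>"

if __name__ == "__main__":
    print(summarize_4776(SAMPLE))
```

A `failures` result that stays empty while one account and workstation pair dominates `by_key` points to a chatty service re-validating good credentials rather than to password guessing.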