System Account Logon Failures every 30 seconds

4

We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we are getting the following events in the security log every 30 seconds. The parts that are blank are actually blank. Has anyone seen similar issues, or assist in tracking down the cause of these events? No other event logs show anything relevant that I can tell.

 Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          10/17/2012 10:02:04 PM
 Event ID:      4625
 Task Category: Logon
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      SERVERNAME.domainname.local
 Description:
 An account failed to log on.

 Subject:
 Security ID:       SYSTEM
 Account Name:      SERVERNAME$
 Account Domain:        DOMAINNAME
 Logon ID:      0x3e7

 Logon Type:            3

 Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

 Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

 Process Information:
     Caller Process ID: 0x238
     Caller Process Name:   C:\Windows\System32\lsass.exe

 Network Information:
     Workstation Name:  SERVERNAME
     Source Network Address:    -
     Source Port:       -

 Detailed Authentication Information:
     Logon Process:     Schannel
     Authentication Package:    Kerberos
     Transited Services:    -
     Package Name (NTLM only):  -
     Key Length:        0

Second event which follows every one of the above events

 Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          10/17/2012 10:02:04 PM
 Event ID:      4625
 Task Category: Logon
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      SERVERNAME.domainname.local
 Description:
 An account failed to log on.

 Subject:
     Security ID:       NULL SID
     Account Name:      -
     Account Domain:        -
     Logon ID:      0x0

 Logon Type:            3

 Account For Which Logon Failed:
     Security ID:       NULL SID
     Account Name:      
     Account Domain:        

  Failure Information:
     Failure Reason:        An Error occured during Logon.
     Status:            0xc000006d
     Sub Status:        0x80090325

 Process Information:
      Caller Process ID:    0x0
      Caller Process Name:  -

 Network Information:
     Workstation Name:  -
     Source Network Address:    -
     Source Port:       -

 Detailed Authentication Information:
     Logon Process:     Schannel
     Authentication Package:    Microsoft Unified Security Protocol Provider
     Transited Services:    -
     Package Name (NTLM only):  -
     Key Length:        0

EDIT UPDATE: I have a bit more information to add. I installed Network Monitor on this machine and did a filter for Kerberos traffic and found the following which corresponds to the timestamps in the security audit log.

A Kerberos AS_Request Cname: CN=SQLInstanceName Realm:domain.local Sname krbtgt/domain.local

Reply from DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKOWN

I then checked the security audit logs of the DC which responded and found the following:

 A Kerberos authentication ticket (TGT) was requested.

 Account Information:
         Account Name:      X509N:<S>CN=SQLInstanceName
     Supplied Realm Name:   domain.local
     User ID:           NULL SID

 Service Information:
     Service Name:      krbtgt/domain.local
     Service ID:        NULL SID

 Network Information:
     Client Address:        ::ffff:10.240.42.101
     Client Port:       58207

 Additional Information:
     Ticket Options:        0x40810010
     Result Code:       0x6
     Ticket Encryption Type:    0xffffffff
     Pre-Authentication Type:   -

 Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint: 

So appears to be related to a certificate installed on the SQL machine, still dont have any clue why or whats wrong with said certificate. It's not expired etc.

windows-server-2008
security
windows-event-log
failovercluster
asked on Server Fault Oct 18, 2012 by floyd • edited Oct 20, 2012 by floyd

1 Answer

2

I used Microsoft Network Monitor to find the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server was sending a Kerberos AS_REQ for the computer account of the SQL Instance Name. The AD server would respond with a KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security logs on the AD2 server and discovered failure audits like the following:

 A Kerberos authentication ticket (TGT) was requested.

  Account Information:
     Account Name:      X509N:<S>CN=SQLInstanceName
     Supplied Realm Name:   domain.local
     User ID:           NULL SID

  Service Information:
     Service Name:      krbtgt/domain.local
     Service ID:        NULL SID

Which seems to be some certificate request. I then used SysInternals Process Monitor and found traffic from a custom service with the same timestamps. It was querying all of the certificate stores and not finding anything.

Disabling this service would stop the security events.

answered on Server Fault Oct 20, 2012 by floyd

User contributions licensed under CC BY-SA 3.0