We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we are getting the following events in the security log every 30 seconds. The parts that are blank are actually blank. Has anyone seen similar issues, or can anyone assist in tracking down the cause of these events? No other event logs show anything relevant that I can tell.
 Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          10/17/2012 10:02:04 PM
 Event ID:      4625
 Task Category: Logon
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      SERVERNAME.domainname.local
 Description:
 An account failed to log on.
 Subject:
 Security ID:       SYSTEM
 Account Name:      SERVERNAME$
 Account Domain:        DOMAINNAME
 Logon ID:      0x3e7
 Logon Type:            3
 Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     
 Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064
 Process Information:
     Caller Process ID: 0x238
     Caller Process Name:   C:\Windows\System32\lsass.exe
 Network Information:
     Workstation Name:  SERVERNAME
     Source Network Address:    -
     Source Port:       -
 Detailed Authentication Information:
     Logon Process:     Schannel
     Authentication Package:    Kerberos
     Transited Services:    -
     Package Name (NTLM only):  -
     Key Length:        0
Second event which follows every one of the above events
 Log Name:      Security
 Source:        Microsoft-Windows-Security-Auditing
 Date:          10/17/2012 10:02:04 PM
 Event ID:      4625
 Task Category: Logon
 Level:         Information
 Keywords:      Audit Failure
 User:          N/A
 Computer:      SERVERNAME.domainname.local
 Description:
 An account failed to log on.
 Subject:
     Security ID:       NULL SID
     Account Name:      -
     Account Domain:        -
     Logon ID:      0x0
 Logon Type:            3
 Account For Which Logon Failed:
     Security ID:       NULL SID
     Account Name:      
     Account Domain:        
  Failure Information:
     Failure Reason:        An Error occured during Logon.
     Status:            0xc000006d
     Sub Status:        0x80090325
 Process Information:
      Caller Process ID:    0x0
      Caller Process Name:  -
 Network Information:
     Workstation Name:  -
     Source Network Address:    -
     Source Port:       -
 Detailed Authentication Information:
     Logon Process:     Schannel
     Authentication Package:    Microsoft Unified Security Protocol Provider
     Transited Services:    -
     Package Name (NTLM only):  -
     Key Length:        0
EDIT UPDATE: I have a bit more information to add. I installed Network Monitor on this machine and did a filter for Kerberos traffic and found the following which corresponds to the timestamps in the security audit log.
A Kerberos AS_Request Cname: CN=SQLInstanceName Realm:domain.local Sname krbtgt/domain.local
Reply from DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN
I then checked the security audit logs of the DC which responded and found the following:
 A Kerberos authentication ticket (TGT) was requested.
 Account Information:
         Account Name:      X509N:<S>CN=SQLInstanceName
     Supplied Realm Name:   domain.local
     User ID:           NULL SID
 Service Information:
     Service Name:      krbtgt/domain.local
     Service ID:        NULL SID
 Network Information:
     Client Address:        ::ffff:10.240.42.101
     Client Port:       58207
 Additional Information:
     Ticket Options:        0x40810010
     Result Code:       0x6
     Ticket Encryption Type:    0xffffffff
     Pre-Authentication Type:   -
 Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint: 
So it appears to be related to a certificate installed on the SQL machine; I still don't have any clue why, or what's wrong with said certificate. It's not expired, etc.
I used Microsoft Network Monitor to find the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server was sending a Kerberos AS_REQ for the computer account of the SQL Instance Name. The AD server would respond with a KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security logs on the AD2 server and discovered failure audits like the following:
 A Kerberos authentication ticket (TGT) was requested.
  Account Information:
     Account Name:      X509N:<S>CN=SQLInstanceName
     Supplied Realm Name:   domain.local
     User ID:           NULL SID
  Service Information:
     Service Name:      krbtgt/domain.local
     Service ID:        NULL SID
This seems to be some kind of certificate request. I then used SysInternals Process Monitor and found traffic from a custom service with the same timestamps. It was querying all of the certificate stores and not finding anything.
Disabling this service would stop the security events.
 floyd
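An added example (not from the original question or answer): it parses Security-log records in the pasted text form and picks out the recurring Schannel pair shown above, a Kerberos attempt failing with sub-status 0xC0000064 (STATUS_NO_SUCH_USER, matching the KDC's principal-unknown reply) followed in the same second by a Schannel failure with 0x80090325 (SEC_E_UNTRUSTED_ROOT), then measures how regularly the pair recurs. Status names are from the Windows SDK headers; the sample records are constructed.

```python
# Added example (not from the original post); status names from the Windows SDK headers.
import re
from collections import defaultdict
from datetime import datetime

STATUS_NAMES = {"0xc0000064": "STATUS_NO_SUCH_USER", "0x80090325": "SEC_E_UNTRUSTED_ROOT"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*?)\s*$")  # "Field:   value"

def parse_events(text):
    """One dict per record (records start at 'Log Name:'); first value wins for repeated fields."""
    events = []
    for chunk in re.split(r"(?m)^\s*Log Name:", text)[1:]:
        fields = {}
        for line in ("Log Name:" + chunk).splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(2):  # skip section headers such as "Subject:" and blank values
                fields.setdefault(m.group(1).strip(), m.group(2))
        events.append(fields)
    return events

def find_cert_logon_pairs(events):
    """(time, kerberos_evt, tls_evt) where NO_SUCH_USER and UNTRUSTED_ROOT Schannel 4625s coincide."""
    by_time = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "4625" and e.get("Logon Process") == "Schannel":
            by_time[datetime.strptime(e["Date"], "%m/%d/%Y %I:%M:%S %p")].append(e)
    pairs = []
    for ts in sorted(by_time):
        sub = lambda e: e.get("Sub Status", "").lower()
        krb = [e for e in by_time[ts] if sub(e) == "0xc0000064"
               and e.get("Authentication Package") == "Kerberos"]
        tls = [e for e in by_time[ts] if sub(e) == "0x80090325"]
        if krb and tls:
            pairs.append((ts, krb[0], tls[0]))
    return pairs

def recurrence_seconds(pairs):
    """Gaps between consecutive pairs; a constant gap (30 s in the post) points at a looping caller."""
    t = [p[0] for p in pairs]
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]

def _rec(date, pkg, sub, caller):  # constructed record in Event Viewer "copy details" form
    return (f"Log Name: Security\nEvent ID: 4625\nDate: {date}\nLogon Type: 3\n"
            f"Sub Status: {sub}\nCaller Process Name: {caller}\n"
            f"Logon Process: Schannel\nAuthentication Package: {pkg}\n")

SAMPLE = "".join(_rec(d, p, s, c) for d in ("10/17/2012 10:02:04 PM", "10/17/2012 10:02:34 PM")
                 for p, s, c in (("Kerberos", "0xc0000064", r"C:\Windows\System32\lsass.exe"),
                                 ("Microsoft Unified Security Protocol Provider", "0x80090325", "-")))

if __name__ == "__main__":
    found = find_cert_logon_pairs(parse_events(SAMPLE))
    print(len(found), "pairs; gaps (s):", recurrence_seconds(found))
```

Feed it the text of an exported Security log instead of SAMPLE; the caller process (lsass.exe acting for the real requester, as in the post) is why Process Monitor, not the event alone, was needed to find the service.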