Assistance with Audit Failure 4625 messages caused by WCF netTcpBinding with clientCredentialType Certificate

4

We are having a considerable number of Audit Failure events (4625) coming through to the Windows Event Log, caused by our WCF services.

Question

Does anyone know why we could be receiving these audit log entries, and how we can stop them from occurring WITHOUT removing certificate security on our endpoints?

Any assistance greatly appreciated!

Things Tried

  • DisableLoopbackCheck and BackConnectionHostNames registry fixes
  • Changes to Behavior configuration, such as:
      • adding trustedStoreLocation="LocalMachine" to all authentication elements
      • mirroring binding configuration from Service1 to Service2

Background

  • System utilises two WCF services
  • Both hosted as Windows Services
  • Running under 'Local System' Account
  • Service1 calls into Service2
  • Binding and Behavior information at end of this question
  • We are using a custom SHA1RSA certificate for Peer Trust
  • Certificate is deployed to the Local Trusted People and Trusted Root Certification Authorities

When Service2 calls into Service1, we get two failed audit entries in the Windows Security Event Log on every call. However, the call succeeds without any issues and data is returned successfully.

The issue only occurs when the binding uses clientCredentialType="Certificate" under the security element within the WCF binding configuration.

Event Log Entry 1

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       COMPUTERNAME$
    Account Domain:     DOMAINNAME
    Logon ID:           0x3E7

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC0000064

Process Information:
    Caller Process ID:  0x21c
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   COMPUTERNAME
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Event Log Entry 2

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xC000006D
    Sub Status:         0x80090325

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Service1 and Service2 Binding Configuration

<netTcpBinding>
  <binding name="Service1Binding"
           maxBufferPoolSize="0"
           maxReceivedMessageSize="2147483647"
           transactionFlow="true"
           portSharingEnabled="true"
           transferMode="Streamed">
    <readerQuotas maxArrayLength="2147483647"
                  maxBytesPerRead="2147483647"
                  maxStringContentLength="2147483647"
                  maxDepth="2147483647"
                  maxNameTableCharCount="2147483647" />
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</netTcpBinding>

Service1 Behavior Configuration

<behavior name="Service1Behavior">
  <serviceThrottling maxConcurrentSessions="2147483647" maxConcurrentInstances="2147483647" maxConcurrentCalls="2147483647" />
  <dataContractSerializer maxItemsInObjectGraph="2147483647" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
  <serviceCredentials>
    <serviceCertificate findValue="CN=CertificateName" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="Root" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust"></authentication>
    </clientCertificate>
    <peer>
      <peerAuthentication certificateValidationMode="PeerTrust" />
      <certificate findValue="CN=CertificateName" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="Root" />
    </peer>
  </serviceCredentials>
</behavior>

Service2 Behavior Configuration

<behavior name="Service2Behavior">
  <dataContractSerializer maxItemsInObjectGraph="2147483647" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
  <serviceCredentials>
    <serviceCertificate findValue="CN=CertificateName"
                        x509FindType="FindBySubjectDistinguishedName"
                        storeLocation="LocalMachine"
                        storeName="Root" />
    <clientCertificate>
      <authentication certificateValidationMode="PeerTrust"></authentication>
    </clientCertificate>
  </serviceCredentials>
</behavior>
Tags: c#, wcf, security, ssl, client-certificates
asked on Stack Overflow Dec 9, 2016 by Will • edited Dec 9, 2016 by Kjartan
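The two event bodies in the question share a signature that is easy to separate from ordinary credential failures when triaging a noisy Security log: Logon Process "Schannel", a NULL SID target with an empty account name, and Status 0xC000006D with Sub Status 0xC0000064 or 0x80090325. The script below is an added example, not code from the question or from any answer; it parses 4625 message text of this shape, decodes the status codes using their documented Windows names (STATUS_LOGON_FAILURE, STATUS_NO_SUCH_USER, STATUS_WRONG_PASSWORD, SEC_E_UNTRUSTED_ROOT), and tags each entry so the Schannel client-certificate entries can be counted apart from password failures. The sample bodies are constructed to mirror the entries above, the `svc_example` account and the tag names are made up for the example, and the tagging rules are a triage heuristic of mine, not a Windows classification.

```python
"""Triage Windows Security event 4625 message bodies (added example; tag rules are a heuristic)."""
import re
from collections import Counter

# Documented NTSTATUS / SSPI codes that appear in a 4625 "Failure Information" block.
STATUS_NAMES = {
    "0xC000006D": "STATUS_LOGON_FAILURE",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0x80090325": "SEC_E_UNTRUSTED_ROOT",
}

# Constructed sample bodies: two in the shape of the Schannel entries above, one ordinary NTLM password failure.
SAMPLE_EVENTS = [r"""An account failed to log on.
Logon Type:         3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC0000064
Process Information:
    Caller Process ID:  0x21c
    Caller Process Name:    C:\Windows\System32\lsass.exe
Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
""", r"""An account failed to log on.
Logon Type:         3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     
Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xC000006D
    Sub Status:         0x80090325
Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
""", r"""An account failed to log on.
Logon Type:         3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       svc_example
    Account Domain:     EXAMPLEDOM
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
"""]

SECTION_RE = re.compile(r"^([A-Za-z][^:]*):\s*$")   # unindented "Subject:"-style section headers
FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")  # "Key:   value" lines; the value may be empty

def parse_4625(message):
    """Flatten a 4625 body into {"Section.Key": value}; unindented keys such as Logon Type get no prefix."""
    fields, section = {}, ""
    for line in message.splitlines():
        if ":" not in line:
            continue                      # header sentence and blank lines carry no field
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if line[0].isspace():
            fields[f"{section}.{key}"] = val
        else:
            section, fields[key] = "", val
    return fields

def triage(message):
    """Decode the status codes and tag the entry (heuristic tags, not an official Windows classification)."""
    f = parse_4625(message)
    status = f.get("Failure Information.Status", "")
    sub = f.get("Failure Information.Sub Status", "")
    target_sid = f.get("Account For Which Logon Failed.Security ID", "")
    account = f.get("Account For Which Logon Failed.Account Name", "")
    logon_process = f.get("Detailed Authentication Information.Logon Process", "")
    if logon_process == "Schannel" and target_sid == "NULL SID" and not account:
        tag = "schannel-client-cert"      # TLS-layer logon attempt for a client certificate, no account resolved
    elif sub == "0xC000006A":
        tag = "wrong-password"
    elif sub == "0xC0000064":
        tag = "no-such-user"
    else:
        tag = "other"
    return {
        "tag": tag,
        "status": f"{status} {STATUS_NAMES.get(status, 'unknown')}",
        "sub_status": f"{sub} {STATUS_NAMES.get(sub, 'unknown')}",
        "caller": f.get("Process Information.Caller Process Name", "-"),
        "logon_process": logon_process,
    }

def summarize(messages):
    """Count tags over a batch so certificate-logon noise and real credential failures are reported apart."""
    return Counter(triage(m)["tag"] for m in messages)

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
    print(dict(summarize(SAMPLE_EVENTS)))
```

Feed `triage` the message text of real 4625 events (for example from Get-WinEvent or an exported log) and keep the "schannel-client-cert" count as its own metric; a rise in "wrong-password" or "no-such-user" against named accounts is the signal worth alerting on, while the Schannel entries with no account name are the pattern this question describes.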

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0