4625 NULL SID Logon Type 3
Posted 3/7/2017 4:22:59 PM
Forum Newbie

Group: Forum Members
Last Login: 3/13/2017 10:58:14 AM
Posts: 1, Visits: 2
Hello All,

One server in my Windows domain is seeing many logon failures that appear to originate from the server's own AD account, but its logon type is 3, meaning that it is coming over the network. Most of the fields in the log message are blank, so there isn't enough context to figure out what's happening. There are no other accompanying events to provide context either.

This is an Exchange 2013 CAS server that sits behind a load balancer and accepts client connections from the internet. If I'm not mistaken, Outlook authentication failures would get recorded to the IIS logs, so I've ruled that out. The Process ID points to the lsass.exe process as expected.

Here is the text:

An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: MACHINENAME$
Account Domain: DOMAINNAME

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: MACHINENAME
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

When I run "net session" I can see that I have some SMB sessions open from the local machine:

Computer               User name            Client Type       Opens Idle time

\\                     MACHINENAME$                               0 00:00:02
\\[::1]                MACHINENAME$                               0 00:09:58
\\[::1]                MACHINENAME$                               1 00:00:23
The command completed successfully.

I totally get that Windows uses NetBIOS to talk to itself and other computers constantly, but why would the logons from the local system be failing?
Post #7325
Posted 3/17/2017 8:00:40 AM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
Is NetBIOS disabled on that machine? This may account for the error indication in the event and the failure.
Post #7336
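
A triage helper for the 4625 text quoted in this thread, added here as an example and not code from either poster: it parses the rendered message into sections so the two "Account Name" fields stay distinct, then reports whether the failure is an NTLM network logon of the machine account naming its own host as the workstation. The "Subject" section name, the function names and the NTSTATUS entries other than 0xC000006D are assumptions of the example; the sample is a trimmed copy of the event above.

```python
import re

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample: excerpt of the event text from the post (unused fields dropped).
SAMPLE = """An account failed to log on.
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: MACHINENAME$
Failure Information:
Status: 0xC000006D
Network Information:
Workstation Name: MACHINENAME
Source Network Address: -
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
"""

def parse_4625(text):
    """Parse rendered 4625 text into {section: {field: value}}."""
    event, section = {}, "Subject"  # leading fields (incl. Logon Type) carry no header here
    for line in text.splitlines():
        if not (m := re.match(r"\s*([^:]+):\s*(.*)$", line)):
            continue                # free text such as the first line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in SECTIONS and not value:
            section = key           # header line: switch section
        else:
            event.setdefault(section, {})[key] = value  # blank values are kept as ""
    return event

def triage(event):
    # Summarise the traits that matter for a machine-account NTLM failure.
    get = lambda section, field: event.get(section, {}).get(field, "")
    account = get("Account For Which Logon Failed", "Account Name")
    status = int(get("Failure Information", "Status") or "0", 16)
    return {
        "status": NTSTATUS.get(status, hex(status)),
        "machine_account": account.endswith("$"),
        "self_originated": account.endswith("$") and account[:-1].lower()
                           == get("Network Information", "Workstation Name").lower(),
        "source_address_missing": get("Network Information", "Source Network Address") in ("", "-"),
        "auth_package": get("Detailed Authentication Information", "Authentication Package"),
        "logon_type": get("Subject", "Logon Type"),
    }
```

Running `triage(parse_4625(text))` over each exported 4625 message and counting the results separates these self-originated machine-account failures from failures that carry a real source address.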
All times are GMT -5:00.