none
Windows 2008 member server, repeating event 4625 in the security log

    Question

  • Hello,

       I'm having an issue with a member server on our 2008 domain, security log is filling up with event 4625, here are the details:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/23/2014 2:04:42 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      my.member.server
    Description:
    An account failed to log on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a

    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -

    Network Information:
     Workstation Name: -
     Source Network Address: 10.0.0.115
     Source Port:  51366

    Detailed Authentication Information:
     Logon Process:  Kerberos
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
        <EventRecordID>99893119</EventRecordID>
        <Correlation />
        <Execution ProcessID="744" ThreadID="844" />
        <Channel>Security</Channel>
        <Computer>KLINEWEB.kline.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">
        </Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Kerberos</Data>
        <Data Name="AuthenticationPackageName">Kerberos</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.0.0.115</Data>
        <Data Name="IpPort">51366</Data>
      </EventData>
    </Event>

    The IP address that appears in source network address all belong to VPN clients. And it looks like its only happening with 4-5 IPs, all of which are VPN clients. These clients shouldn't be connecting to anything on this server, which is why its puzzling. Our DC is Windows 2008 and the VPN server is another member server on the domain. I suspect the issue is at the client PCs since there are many other VPN clients connected that don't generate the event ID.

    Can anyone tell what the issue might be?

    Thanks.

    Wednesday, April 23, 2014 6:45 PM

Answers

  • Hi Rayminette,

    There are multiple login sources that could possibly be generating the errors:

    1. FTP logins - check your FTP log to see if login failures are showing up at the same time.
    2. Logins via Basic Authentication over http or https (simple, but possibly dangerous, way to password-protect a web site).
    3. ASP scripts.

    This logon type 8 indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn’t allow connection to shared file or printers with clear text authentication. The only situation I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP, script remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.

    Reference from:

    What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?

    I hope this helps.

    Friday, April 25, 2014 6:05 AM