none
EventrySentry Entry for Security Auditing: 4625 by logon (SCCM 2012 SP1 CU1)

    Pergunta

  • I have an event log that states my WSUS service account is tryin the access my Exchange 2010 Server multiple time a day.  The failure reason state its an unknown user.  Why is this the only server that my WSUS service account is trying to access?  I have an SCCM 2012 server that is also my WSUS server and I am not getting this error with any other servers or workstations.  Just trying to see if there is a fix for this.

    EVENT LOG

    Security

    EVENT TYPE

    Audit Failure

    OPCODE

    Info

    SOURCE

    Microsoft-Windows-Security-Auditing

    CATEGORY

    Logon

    EVENT ID

    4625

    COMPUTERNAME  

    MY EXCHANGE 2010 SERVER NAME

    DATE / TIME  

    7/19/2013 5:19:49 AM

    MESSAGE

    An account failed to log on.
     
      Subject:
      Security ID: NULL SID
      Account Name: -
      Account Domain: -
      Logon ID: 0x0
     
      Logon Type: 3
     
      Account For Which Logon Failed:
      Security ID: NULL SID
      Account Name: WSUS
      Account Domain:
     
      Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xc000006d
      Sub Status: 0xc0000064
     
      Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -
     
      Network Information:
      Workstation Name: SCCM 2012 Server
      Source Network Address: -
      Source Port: -
     
      Detailed Authentication Information:
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length: 0

    sexta-feira, 19 de julho de 2013 16:06

Respostas

  • I have an event log that states my WSUS service account is tryin the access my Exchange 2010 Server multiple time a day.

    I have an SCCM 2012 server that is also my WSUS server and I am not getting this error with any other servers or workstations.

    I much more inclined to believe that this is Configuration Manager attempting to make the connection than I am a WSUS Server.

    Firstly because WSUS Servers do not initiate connections ... to anything except an upstream WSUS Server. Unless something got seriously confused somewhere and your WSUS server thinks the Exchange Server is its upstream server, it's not the WSUS server doing this.

    Secondly because there's any number of reasons as to why a Configuration Manager server might be doing this.. most notably to do a push client installation. (Is the ConfigMgr Client installed on the Exchange Server?) Or maybe, it's just trying to send an email (no doubt the most typical reason something would try to connect to an Exchange Server).

    And, of course, there are yet other possibilities not involving WSUS or Configuration Manager.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    sexta-feira, 19 de julho de 2013 17:30
    Moderador

Todas as Respostas

  • I have an event log that states my WSUS service account is tryin the access my Exchange 2010 Server multiple time a day.

    I have an SCCM 2012 server that is also my WSUS server and I am not getting this error with any other servers or workstations.

    I much more inclined to believe that this is Configuration Manager attempting to make the connection than I am a WSUS Server.

    Firstly because WSUS Servers do not initiate connections ... to anything except an upstream WSUS Server. Unless something got seriously confused somewhere and your WSUS server thinks the Exchange Server is its upstream server, it's not the WSUS server doing this.

    Secondly because there's any number of reasons as to why a Configuration Manager server might be doing this.. most notably to do a push client installation. (Is the ConfigMgr Client installed on the Exchange Server?) Or maybe, it's just trying to send an email (no doubt the most typical reason something would try to connect to an Exchange Server).

    And, of course, there are yet other possibilities not involving WSUS or Configuration Manager.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    sexta-feira, 19 de julho de 2013 17:30
    Moderador
  • I do show an email from our WSUS email address sends an email at the same time these events are happening. THe ConfigMgr Client is already installed on the Exchange Server.  Wonder if this is the reason, and it will just be this way :)
    sexta-feira, 26 de julho de 2013 14:29
  • I do show an email from our WSUS email address sends an email at the same time these events are happening.

    I'll vote for this option.

    When the email notification(s) were configured, were they configured to authenticate, and if so, were they configured with the proper authentication credentials?

    On the "E-Mail Server" tab of Options -> E-Mail Notifications, what is configured in the "Logon Information" section?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    sexta-feira, 26 de julho de 2013 20:36
    Moderador