An account failed to log on unknown username or password. Causing Login audit failures

  • General discussion

  • I have an SBS11 Essentials server that is getting audit failures over and over again. The computer account says it's the SBS11 server itself.  It says unknown user name or bad password. I have checked for scheduled tasks, backup jobs, services and none of them are using any special user accounts.  I have used MS Network Monitor and can't find anything helpful to lead to the issue.  All computers in the network are running Windows 7.  The domain functional level is 2008 R2.

    I get the 4768 event ID about a Kerberos event and then just after I get an Event ID 4625 account failure with Logon Type 3.  I have included the events below.  I need to figure out what is causing the audit failures as my GFI Test Hacker alert is catching it every morning.  Disabling the Test Hacker alert is not an option.  I have used Process Explorer also but can't seem to pin it down.  I also enabled Kerberos logging. http://support.microsoft.com/kb/262177?wa=wsignin1.0.  All event codes state it's an unknown or non-existing account but how do I stop it from happening?

    This is from the System Event log

    A Kerberos Error Message was received:

    on logon session TH.LOCAL\thsbs11e$

    Client Time:

    Server Time: 14:59:53.0000 3/4/2014 Z


    Extended Error:

    Client Realm:

    Client Name:

    Server Realm: TH.LOCAL

    Server Name: krbtgt/TH.LOCAL

    Target Name: krbtgt/TH.LOCAL@TH.LOCAL

    Error Text:

    File: e

    Line: 9fe

    Error Data is in record data.

    This is from the Security Event log

    A Kerberos authentication ticket (TGT) was requested.

    Account Information:

    Account Name: S-1-5-21-687067891-4024245798-968362083-1000

    Supplied Realm Name: TH.LOCAL

    User ID: NULL SID

    Service Information:

    Service Name: krbtgt/TH.LOCAL

    Service ID: NULL SID

    Network Information:

    Client Address: ::1

    Client Port: 0

    Additional Information:

    Ticket Options: 0x40810010

    Result Code: 0x6

    Ticket Encryption Type: 0xffffffff

    Pre-Authentication Type: -

    Certificate Information:

    Certificate Issuer Name:

    Certificate Serial Number:

    Certificate Thumbprint:

    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

    I then get the following error in the next event

    An account failed to log on.


    Security ID: SYSTEM

    Account Name: THSBS11E$

    Account Domain: TH

    Logon ID: 0x3e7

    Logon Type: 3

    Account For Which Logon Failed:

    Security ID: NULL SID

    Account Name:

    Account Domain:

    Failure Information:

    Failure Reason: Unknown user name or bad password.

    Status: 0xc000006d

    Sub Status: 0xc0000064

    Process Information:

    Caller Process ID: 0x25c

    Caller Process Name: C:\Windows\System32\lsass.exe

    Network Information:

    Workstation Name: THSBS11E

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Schannel

    Authentication Package: Kerberos

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.

    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Tuesday, March 4, 2014 8:45 PM
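
Added example (not part of the original post): a small Python triage helper for the rendered 4625 message text quoted above. It decodes the Status and Sub Status codes and flags failures that originate from the server's own machine account with no target account and no remote source. The sample text is constructed from the fields in the post, the `192.0.2.10` variant is a constructed contrast case, and the "local machine failure" rule is an assumption made for alert tuning, not GFI's or Microsoft's logic.

```python
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}
LOCAL_SOURCES = {"", "-", "::1", "127.0.0.1"}

def parse_4625(text):
    """Return {(section, field): value}; 'Account Name' occurs in two sections."""
    section, fields = "Subject", {}
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[(section, key.strip())] = value.strip()
    return fields

def status_names(fields):
    """Decode Status and Sub Status into NTSTATUS names (raw hex if unknown)."""
    out = []
    for key in ("Status", "Sub Status"):
        raw = fields.get(("Failure Information", key), "0x0")
        out.append(NTSTATUS.get(int(raw, 16), raw))
    return out

def is_local_machine_failure(fields):
    """Assumed tuning rule: host's own machine account, empty target, no remote source."""
    subject = fields.get(("Subject", "Account Name"), "")
    host = fields.get(("Network Information", "Workstation Name"), "")
    source = fields.get(("Network Information", "Source Network Address"), "")
    target = fields.get(("Account For Which Logon Failed", "Account Name"), "")
    return (host != "" and subject.upper() == host.upper() + "$"
            and source in LOCAL_SOURCES and target == ""
            and status_names(fields)[1] == "STATUS_NO_SUCH_USER")

# Constructed sample: fields taken from the 4625 event quoted in the post.
SAMPLE_LOCAL = """Account Name: THSBS11E$
Logon Type: 3
Account For Which Logon Failed:
Account Name:
Failure Information:
Status: 0xc000006d
Sub Status: 0xc0000064
Network Information:
Workstation Name: THSBS11E
Source Network Address: -"""
# Constructed contrast case: same failure, but arriving from a remote address.
SAMPLE_REMOTE = SAMPLE_LOCAL.replace("Address: -", "Address: 192.0.2.10")
```

Events for which `is_local_machine_failure` returns False (a named target account or a remote source address) are the ones that should still raise the alert.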

All replies

  • I opened a case for a guy as Essentials throws off these kerb errors and we're told to ignore them.

    Let me see if he got to the root cause.

    Unfortunately TechNet isn't coming back, sorry folks :-(

    Wednesday, March 5, 2014 1:49 AM
  • Okay great I look forward to your response as I can't find any definitive answer searching the Internet.
    Wednesday, March 5, 2014 2:36 PM
  • Well I opened the case for him and he never followed up with Microsoft :-(

    It's a kerberos issue, we're told to ignore it.  Would you be willing to be patient and stubborn and work with CSS to at least understand what's going on better?  I can tell you it's normal with Essentials but not the exact technical reason it's happening.

    Wednesday, March 5, 2014 2:56 PM
  • Okay that is frustrating that is just happens to ignore it.  The problem is I added the GFI monitor to the server a few months back and the test hacker check sends an email every morning because it sees the Logon ID type 3 failure.  Who is CSS? Yes I would like to get this resolved. Thanks for the help.
    Wednesday, March 5, 2014 4:23 PM
  • Microsoft support.  Email me at susan-at-msmvps.com (change the -at- to @) and I'll set up a support case for you.

    Wednesday, March 5, 2014 4:43 PM
  • Okay great. We have already used a few of our free MS Partner support cases this year already. This issue doesn't really warrant a support case. If it's a known issue I will document this and increase my GFI hacker check. Thanks for the help.
    Wednesday, March 5, 2014 7:51 PM