Multiple Audit Failures in Bursts

  • Question

  • Current configuration:
    Windows 7/10 terminals using a software that connects to Server 2012 Hyper-V Machine SQL Server for database.
    Software is giving error for users at (seemingly) random. Looks like this happens for a few users at a time in small bursts, which resolve themselves minutes later and they can then connect normally.

    Source: C:\MacolaESCode\9.7.600\e4slayer.dll\edb.cpp (line 3953)
    
    Cannot connect with 'DRIVER={SQL Server};Server=*redacted*;Database=*redacted*;TRUSTED_CONNECTION=YES'.
    
    [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    
    SQL State: 28000
    
    DB error: 18452
    
    EDL error: An error has occurred in the execution of the ODBC function 'SQLDriverConnect'.

    Checking Security log on the server is showing multiple Audit Failures (Event 4625) for these users.

    General info on the error:

    An account failed to log on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		*redacted*
    	Account Domain:		*redacted*
    
    Failure Information:
    	Failure Reason:		An Error occured during Logon.
    	Status:			0xC000005E
    	Sub Status:		0x0
    
    Process Information:
    	Caller Process ID:	0x0
    	Caller Process Name:	-
    
    Network Information:
    	Workstation Name:	*computer name*
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		NtLmSsp 
    	Authentication Package:	NTLM
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0

    Details on the error:

    - System 
    
      - Provider 
    
       [ Name]  Microsoft-Windows-Security-Auditing 
       [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
     
       EventID 4625 
     
       Version 0 
     
       Level 0 
     
       Task 12544 
     
       Opcode 0 
     
       Keywords 0x8010000000000000 
     
      - TimeCreated 
    
       [ SystemTime]  2019-07-09T14:55:17.093640400Z 
     
       EventRecordID 9850913 
     
       Correlation 
     
      - Execution 
    
       [ ProcessID]  600 
       [ ThreadID]  616 
     
       Channel Security 
     
       Computer *computer*.*domain*.com 
     
       Security 
     
    
    - EventData 
    
      SubjectUserSid S-1-0-0 
      SubjectUserName - 
      SubjectDomainName - 
      SubjectLogonId 0x0 
      TargetUserSid S-1-0-0 
      TargetUserName *username* 
      TargetDomainName *domain*
      Status 0xc000005e 
      FailureReason %%2304 
      SubStatus 0x0 
      LogonType 3 
      LogonProcessName NtLmSsp  
      AuthenticationPackageName NTLM 
      WorkstationName *computer name*
      TransmittedServices - 
      LmPackageName - 
      KeyLength 0 
      ProcessId 0x0 
      ProcessName - 
      IpAddress - 
      IpPort - 


    Tuesday, July 9, 2019 6:22 PM

Answer

  • Thank you. Think I resolved the issue.

    My virtual switch was using the same default gateway as the physical NIC which seemed to be causing the issue.

    • Marked as answer by Blueshift Wednesday, July 10, 2019 6:45 PM
    Wednesday, July 10, 2019 4:59 PM

All replies

  • I'd reach out to the application developer for help with this. They'll be in the best position to know how the application works and connects. For general connectivity issues with SQL Server you can also try asking SQL experts over here.

    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?category=sqlserver

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, July 9, 2019 6:30 PM
  • Hi Dave, thanks for the reply. This isn't just happening with that software. It seems to be happening any time an SQL connection request is made to that server. Getting audit failures using Access databases and OLAP cube reports that pull from that server as well.
    Wednesday, July 10, 2019 2:21 PM
  • Thank you, yes the users are accessing data from that server. However, the accounts are not locked out. They can connect normally eventually after the burst of failure time stops. It just seems that it throws failures in bursts for users at random. 

    I do see in System log Event 5719 for NETLOGON:

    This computer was not able to set up a secure session with a domain controller in domain *DOMAIN* due to the following:

    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure this computer is connected to the network.

    • Edited by Blueshift Wednesday, July 10, 2019 2:28 PM
    Wednesday, July 10, 2019 2:23 PM
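
Added example, not part of the thread and not Microsoft code: the 4625 `Status` 0xC000005E is STATUS_NO_LOGON_SERVERS, the same condition NETLOGON event 5719 reports, so a burst made up only of that status and sitting next to a 5719 points to an unreachable domain controller rather than bad credentials. The sketch below groups failures into bursts and checks each one; it assumes the Security and System events were exported as XML under one root element, and the verdict names, the `gap` and `slack` thresholds and the sample rows are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
STATUS = {"0xc000005e": "STATUS_NO_LOGON_SERVERS",    # no DC available to validate
          "0xc000006d": "STATUS_LOGON_FAILURE",       # bad user name or password
          "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_events(xml_text):
    """Yield (event_id, time, data) for each <Event> under a root element."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield eid, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), data

def triage(xml_text, gap=timedelta(minutes=2), slack=timedelta(minutes=5)):
    """Group 4625 failures into bursts and check each against NETLOGON 5719."""
    events = list(parse_events(xml_text))
    netlogon = [t for eid, t, _ in events if eid == 5719]
    fails = sorted(((t, d) for eid, t, d in events if eid == 4625), key=lambda x: x[0])
    groups = []
    for t, d in fails:
        if groups and t - groups[-1][-1][0] <= gap:
            groups[-1].append((t, d))      # still inside the current burst
        else:
            groups.append([(t, d)])        # quiet period passed: new burst
    report = []
    for g in groups:
        start, end = g[0][0], g[-1][0]
        codes = {d.get("Status", "").lower() for _, d in g}
        dc_down = any(start - slack <= n <= end + slack for n in netlogon)
        verdict = "review-credentials"     # default: failures need a closer look
        if codes == {"0xc000005e"}:        # every failure: no DC could be reached
            verdict = "dc-unreachable" if dc_down else "dc-unreachable-no-5719"
        report.append({"start": start, "count": len(g), "verdict": verdict,
                       "users": len({d.get("TargetUserName") for _, d in g}),
                       "status": sorted(STATUS.get(c, c) for c in codes)})
    return report

# Constructed sample: (event id, time, user, status); not taken from the thread's logs
ROWS = [(5719, "14:54:50", "", ""), (4625, "14:55:17", "user1", "0xc000005e"),
        (4625, "14:55:40", "user2", "0xc000005e"), (4625, "14:56:05", "user1", "0xc000005e"),
        (4625, "16:10:00", "user3", "0xc000006d")]
SAMPLE = "<Events>" + "".join(
    f"<Event xmlns='{NS['e']}'><System><EventID>{eid}</EventID>"
    f"<TimeCreated SystemTime='2019-07-09T{hms}.093640400Z'/></System><EventData>"
    f"<Data Name='TargetUserName'>{user}</Data><Data Name='Status'>{st}</Data>"
    f"</EventData></Event>" for eid, hms, user, st in ROWS) + "</Events>"
```

Calling `triage(SAMPLE)` returns one entry per burst; a `dc-unreachable` verdict says to look at the server's path to its domain controllers before treating the failures as account activity.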
  •  It seems to be happening any time an SQL connection request is made to that server.

    I'd reach out to SQL experts over here.

    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?category=sqlserver 

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, July 10, 2019 2:25 PM