tlpitch
Guest
For the past few months I've been experiencing a lot of Event ID 4625 on my Exchange 2013 CU23. They're occurring at a rate of roughly 3-5 per minute every couple of minutes. It's driving me nuts and filling my security log, which means my logs fill up and truncate, leaving me with less than 24 hours based on current configurations.
I'm posting here because I have exhausted Google, Microsoft forums, Spiceworks, etc. I feel confident saying I've read just about every other issue but I can't find one that matches my description with a functioning resolution.
I found this person who has the same issue, but when I tried the recommended fixes it didn't resolve it for me: social.technet.microsoft.com/Forums/en-US/d3e6959c-6e81-4c66-a905-594ef7aa93a3/constant-null-sid-schannel-authentication-errors-on-ex2013-cu14-servers-event-4625?forum=exchangesvradmin
I've created or checked the following:
- KB3002657 is NOT installed on any of my DCs
- Rebooted (of course)
- Created the following registry keys: DisableStrictNameChecking & BackConnectionHostNames
- Modified local GPO for LAN Manager Authentication Level = Send NTLMv2 response only. Refuse LM & NTLM (have not rebooted since making this change 30 minutes ago)
- Evaluated events before and following the Event 4625 but found no evidence to steer me in any direction
- Disabled AV
- Verified scheduled tasks are running properly (they're using the domain admin account)
- No Windows services are running as a user account
I'm here because I'm at a loss and don't know where else to turn.
Output from Event Details:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x80090325
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
System
- Provider
  [ Name] Microsoft-Windows-Security-Auditing
  [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
  [ SystemTime] 2019-09-19T13:27:21.225365000Z
EventRecordID 670033201
Correlation
- Execution
  [ ProcessID] 660
  [ ThreadID] 5208
Channel Security
Computer <hostname>.<domain>
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-0-0
TargetUserName
TargetDomainName
Status 0xc000006d
FailureReason %%2304
SubStatus 0x80090325
LogonType 3
LogonProcessName Schannel
AuthenticationPackageName Microsoft Unified Security Protocol Provider
WorkstationName -
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress -
IpPort -
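One way to triage these records, as an added example that is not from the original post: the Status/Sub Status pair 0xC000006D/0x80090325 carries an SSPI status (SEC_E_UNTRUSTED_ROOT) rather than an NTSTATUS credential code, so the "logon" that failed is a TLS handshake whose peer certificate chain could not be validated, which is why the record has no account name and no source address. The Python below parses 4625 records in the Event XML form shown above, separates Schannel-originated records from genuine credential failures, and counts the former by reason, so the noise can be suppressed without hiding real failed logons; the sample records are constructed and the function and table names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SubStatus values Schannel reports when the TLS handshake itself fails (SSPI codes).
SSPI_SUBSTATUS = {0x80090325: "SEC_E_UNTRUSTED_ROOT (peer certificate chains to an untrusted CA)",
                  0x80090327: "SEC_E_CERT_UNKNOWN", 0x80090328: "SEC_E_CERT_EXPIRED"}
# SubStatus values for credential failures that must stay visible (NTSTATUS codes).
NTSTATUS_SUBSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD"}

def record(time, logon_proc, substatus, user="", ip="-"):
    """Build a constructed Event XML record in the shape Event Viewer exports (hypothetical helper)."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4625</EventID>
<TimeCreated SystemTime="{time}"/></System><EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserName">{user}</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">{substatus}</Data>
<Data Name="LogonProcessName">{logon_proc}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>"""

# Constructed sample: two records like the thread's, plus one real wrong-password failure.
SAMPLE = [record("2019-09-19T13:27:21Z", "Schannel", "0x80090325"),
          record("2019-09-19T13:27:22Z", "Schannel", "0x80090325"),
          record("2019-09-19T13:27:40Z", "NtLmSsp ", "0xc000006a", "administrator", "192.0.2.10")]

def parse_4625(xml_text):
    """Return EventData as a name->value dict, plus the record timestamp."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    ev["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return ev

def classify(ev):
    """('schannel', reason) for TLS-layer failures, ('credential', reason) for everything else."""
    sub = int(ev["SubStatus"], 16)
    if ev["LogonProcessName"].strip().lower() == "schannel":
        return "schannel", SSPI_SUBSTATUS.get(sub, f"unknown SSPI 0x{sub:08X}")
    return "credential", NTSTATUS_SUBSTATUS.get(sub, f"0x{sub:08X}")

def triage(xml_records):
    """Count Schannel noise by reason; keep credential failures with account and source for follow-up."""
    out = {"schannel": Counter(), "credential": []}
    for ev in map(parse_4625, xml_records):
        kind, reason = classify(ev)
        if kind == "schannel":
            out["schannel"][reason] += 1
        else:
            out["credential"].append((ev["TimeCreated"], ev["TargetUserName"], ev["IpAddress"], reason))
    return out
```

Because the Schannel records carry no source address, the client behind them has to be found from the System log's Schannel events or the IIS logs at the same timestamps.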