Windows-Server-2008

System account logon failure every 30 seconds

  • October 20, 2012

We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we get the following event in the Security log every 30 seconds. The blank parts really are blank. Has anyone seen a similar problem, or can anyone help track down the cause of these events? No other event log shows anything related, as far as I can tell.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
Security ID:       SYSTEM
Account Name:      SERVERNAME$
Account Domain:        DOMAINNAME
Logon ID:      0x3e7

Logon Type:            3

Account For Which Logon Failed:
   Security ID:        NULL SID
   Account Name:       
   Account Domain:     

Failure Information:
   Failure Reason:     Unknown user name or bad password.
   Status:         0xc000006d
   Sub Status:     0xc0000064

Process Information:
    Caller Process ID: 0x238
    Caller Process Name:   C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:  SERVERNAME
    Source Network Address:    -
    Source Port:       -

Detailed Authentication Information:
    Logon Process:     Schannel
    Authentication Package:    Kerberos
    Transited Services:    -
    Package Name (NTLM only):  -
    Key Length:        0

The second event that follows each of the events above:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
    Security ID:       NULL SID
    Account Name:      -
    Account Domain:        -
    Logon ID:      0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:       NULL SID
    Account Name:      
    Account Domain:        

Failure Information:
    Failure Reason:        An Error occured during Logon.
    Status:            0xc000006d
    Sub Status:        0x80090325

Process Information:
     Caller Process ID:    0x0
     Caller Process Name:  -

Network Information:
    Workstation Name:  -
    Source Network Address:    -
    Source Port:       -

Detailed Authentication Information:
    Logon Process:     Schannel
    Authentication Package:    Microsoft Unified Security Protocol Provider
    Transited Services:    -
    Package Name (NTLM only):  -
    Key Length:        0

Edit/update: I have more information to add. I installed Network Monitor on this machine, filtered on Kerberos traffic, and found the following, which corresponds to the timestamps in the security audit log.

A Kerberos AS_Request Cname: CN=SQLInstanceName Realm:domain.local Sname krbtgt/domain.local

Reply from the DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN

I then checked the security audit log on the DC that responded and found the following:

A Kerberos authentication ticket (TGT) was requested.

Account Information:
        Account Name:      X509N:<S>CN=SQLInstanceName
    Supplied Realm Name:   domain.local
    User ID:           NULL SID

Service Information:
    Service Name:      krbtgt/domain.local
    Service ID:        NULL SID

Network Information:
    Client Address:        ::ffff:10.240.42.101
    Client Port:       58207

Additional Information:
    Ticket Options:        0x40810010
    Result Code:       0x6
    Ticket Encryption Type:    0xffffffff
    Pre-Authentication Type:   -

Certificate Information:
   Certificate Issuer Name:        
   Certificate Serial Number:  
   Certificate Thumbprint: 

So it seems to be related to the certificate installed on the SQL machine; I still don't know why, or what is wrong with that certificate. It is not expired or anything like that.

I used Microsoft Network Monitor to find the traffic causing this problem and found traffic between this SQL server and our AD2 server. The SQL server is sending a Kerberos AS_REQ for the computer account of the SQL instance name. The AD server responds with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found the failure audit as follows:

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:      X509N:<S>CN=SQLInstanceName
    Supplied Realm Name:   domain.local
    User ID:           NULL SID

Service Information:
    Service Name:      krbtgt/domain.local
    Service ID:        NULL SID

This appears to be some kind of certificate request. I then used SysInternals Process Monitor and found traffic from a custom service with the same timestamps. It was querying all of the certificate stores but not finding anything.

Disabling this service stops the security events.

Quoted from: https://serverfault.com/questions/439591
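One way to spot the pattern this question describes in an exported Security log, as an added example that is not part of the original post: it parses 4625 records in the text layout quoted above, pairs each Schannel/Kerberos failure (sub-status 0xc0000064) with the Schannel/Unified SSP failure (sub-status 0x80090325) that immediately follows it, and reports whether the pairs recur at a fixed interval. The sample records are constructed, and the function names are this example's own.

```python
import re
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z ()]+?):\s*(.*?)\s*$", re.MULTILINE)
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # the "10/17/2012 10:02:04 PM" form in the exported text

def parse_events(text):
    """Split exported Security-log text into one {field: value} dict per event record."""
    events = []
    for block in re.split(r"\n(?=Log Name:)", text.strip()):
        fields = {key.strip(): value for key, value in FIELD.findall(block)}
        if fields.get("Event ID"):
            events.append(fields)
    return events

def schannel_failure_pairs(events):
    """Timestamps of each 4625 pair from the post: a Schannel failure with Kerberos sub-status
    0xc0000064 immediately followed by a Schannel failure with sub-status 0x80090325."""
    stamps = []
    for first, second in zip(events, events[1:]):
        if (first.get("Event ID") == second.get("Event ID") == "4625"
                and first.get("Logon Process") == second.get("Logon Process") == "Schannel"
                and first.get("Sub Status", "").lower() == "0xc0000064"
                and second.get("Sub Status", "").lower() == "0x80090325"):
            stamps.append(datetime.strptime(first["Date"], DATE_FMT))
    return stamps

def repeat_interval(stamps, tolerance=2.0):
    """Seconds between consecutive pairs when they recur at a steady rate, else None."""
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
    if not gaps:
        return None
    return gaps[0] if all(abs(gap - gaps[0]) <= tolerance for gap in gaps) else None

def _record(date, sub_status, package, logon_process="Schannel"):
    # Constructed minimal 4625 record in the text layout quoted in the question (not real data)
    return (f"Log Name:      Security\nDate:          {date}\nEvent ID:      4625\n"
            f"Status:        0xc000006d\nSub Status:    {sub_status}\n"
            f"Logon Process: {logon_process}\nAuthentication Package: {package}\n")

UNIFIED_SSP = "Microsoft Unified Security Protocol Provider"
SAMPLE = "\n".join([   # three Schannel pairs 30 s apart plus one unrelated NTLM bad-password failure
    _record("10/17/2012 10:02:04 PM", "0xc0000064", "Kerberos"),
    _record("10/17/2012 10:02:04 PM", "0x80090325", UNIFIED_SSP),
    _record("10/17/2012 10:02:20 PM", "0xc000006a", "NTLM", logon_process="NtLmSsp"),
    _record("10/17/2012 10:02:34 PM", "0xc0000064", "Kerberos"),
    _record("10/17/2012 10:02:34 PM", "0x80090325", UNIFIED_SSP),
    _record("10/17/2012 10:03:04 PM", "0xc0000064", "Kerberos"),
    _record("10/17/2012 10:03:04 PM", "0x80090325", UNIFIED_SSP),
])
```

Running `repeat_interval(schannel_failure_pairs(parse_events(SAMPLE)))` on the constructed sample returns 30.0, the cadence the question reports; a steady interval like this points at a scheduled or polling component rather than an interactive user, which is what the custom service found with Process Monitor turned out to be.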