Windows-Server-2008
System account logon failure every 30 seconds
We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we get the following event in the Security log every 30 seconds. The blank parts really are blank. Has anyone seen a similar problem, or can anyone help track down the cause of these events? No other event log shows anything related that I can tell.
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
    Security ID:        SYSTEM
    Account Name:       SERVERNAME$
    Account Domain:     DOMAINNAME
    Logon ID:           0x3e7
Logon Type:             3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc0000064
Process Information:
    Caller Process ID:  0x238
    Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: -
    Source Port:        -
Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
The second event, which follows each of the events above:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0
Logon Type:             3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xc000006d
    Sub Status:         0x80090325
Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -
Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -
Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
EDIT / UPDATE: I have more information to add. I installed Network Monitor on this machine, filtered for Kerberos traffic, and found the following, which matches the timestamps in the security audit log:
A Kerberos AS_Request Cname: CN=SQLInstanceName Realm:domain.local Sname krbtgt/domain.local
Reply from the DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN
I then checked the security audit log on the DC that responded and found the following:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        X509N:<S>CN=SQLInstanceName
    Supplied Realm Name: domain.local
    User ID:             NULL SID
Service Information:
    Service Name:        krbtgt/domain.local
    Service ID:          NULL SID
Network Information:
    Client Address:      ::ffff:10.240.42.101
    Client Port:         58207
Additional Information:
    Ticket Options:      0x40810010
    Result Code:         0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
So it appears to be related to a certificate installed on the SQL machine; I still don't know why, or what is wrong with that certificate. It is not expired or anything like that.
I used Microsoft Network Monitor to find the traffic causing this problem and found traffic between this SQL server and our AD2 server. The SQL server was sending a Kerberos AS_REQ for the computer account of the SQL instance name. The AD server would respond with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found the following failure audit:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        X509N:<S>CN=SQLInstanceName
    Supplied Realm Name: domain.local
    User ID:             NULL SID
Service Information:
    Service Name:        krbtgt/domain.local
    Service ID:          NULL SID
This appears to be some kind of certificate request. I then used SysInternals Process Monitor and found activity from a custom service with the same timestamp. It was querying all of the certificate stores and not finding anything.
Disabling this service stopped the security events.
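An added example, not code from the thread: a small Python parser for Event Viewer's multi-line 4625 text that groups the Schannel failures by authentication package, sub status and caller process, names the two sub-status codes seen in the question (0xc0000064 = STATUS_NO_SUCH_USER, 0x80090325 = SEC_E_UNTRUSTED_ROOT), and reports only the groups that recur on a fixed interval, which is how one would spot the 30-second pattern above in a larger log. The sample records are constructed from the question's two event variants; the server name, timestamps and tolerance are assumptions.

```python
from datetime import datetime

# Constructed sample (not the poster's log): the question's two 4625 variants in Event Viewer's multi-line layout, every 30 seconds.
TEMPLATE = """Date: {ts}
Event ID: 4625
Subject:
Security ID: {subj}
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Failure Information:
Sub Status: {sub}
Process Information:
Caller Process Name: {caller}
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: {pkg}"""
PAIR = [("SYSTEM", "0xc0000064", r"C:\Windows\System32\lsass.exe", "Kerberos"),
        ("NULL SID", "0x80090325", "-", "Microsoft Unified Security Protocol Provider")]
SAMPLE = [TEMPLATE.format(ts=t, subj=s, sub=b, caller=c, pkg=p)
          for t in ("10/17/2012 10:02:04 PM", "10/17/2012 10:02:34 PM", "10/17/2012 10:03:04 PM")
          for s, b, c, p in PAIR]
SUB_STATUS = {"0xc0000064": "STATUS_NO_SUCH_USER", "0x80090325": "SEC_E_UNTRUSTED_ROOT"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Detailed Authentication Information"}
DAI = "Detailed Authentication Information/"

def parse_event(text):
    # Keys under a section become "Section/Key" so the two Security ID fields stay distinct; a bare "Account Name:" is kept as "".
    fields, section = {}, ""
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if not value and key in SECTIONS:
            section = key
        else:
            fields[f"{section}/{key}" if section else key] = value
    return fields

def periodic_schannel_failures(events, period=30, tolerance=2):
    # Group Schannel 4625s by (package, sub status, caller); keep groups whose consecutive timestamps are all `period` s apart.
    groups = {}
    for e in map(parse_event, events):
        if e.get("Event ID") != "4625" or e.get(DAI + "Logon Process") != "Schannel":
            continue
        sub = e["Failure Information/Sub Status"]
        key = (e[DAI + "Authentication Package"], SUB_STATUS.get(sub, sub),
               e["Process Information/Caller Process Name"])
        groups.setdefault(key, []).append(datetime.strptime(e["Date"], "%m/%d/%Y %I:%M:%S %p"))
    return {k: len(ts) for k, ts in groups.items() if len(ts) > 1 and
            all(abs((b - a).total_seconds() - period) <= tolerance for a, b in zip(ts, ts[1:]))}
```

Feeding exported events into `periodic_schannel_failures` returns each recurring (package, sub status, caller) combination with its count, so a clock-driven caller such as the custom service found in the answer stands out from one-off logon failures.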