Channel: Security forum
Viewing all 12072 articles
Browse latest View live

Windows Server 2008 R2 Audit Failure Event ID 4625


I checked the IP address 192.168.0.145 in our network. But it does not exist. Why does this event log keep showing?

ID= 4625; Src= Microsoft-Windows-Security-Auditing; User= ; Catg= 12544; D/T= 07/02/2014 13:44:23; EventDesc= An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: %#04
Status: 0x80090308
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: 192.168.0.145
Source Port: 51982
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


SSL Certificate issues on IIS7.5 Windows 2008r2


Hi,

I am trying to create a new self signed SSL cert in IIS7.5 and running into some issues.  The system was working fine until the old certificate expired - as it had expired I could not renew it, so I removed it from IIS and the certificate store (computer Store).

If I attempt to generate a new self signed cert through IIS it all appears to work correctly and the cert appears in the IIS Server Certificates pane - however if I then exit that section and go back in I receive the popup error 'Failed to get the certificate'. If I OK the error I am presented with an empty server certificates screen with an alert on the right hand top 'Could not retrieve the certificates'.  If I check in certificate manager the new self signed cert is in the computer store under personal.

If I then try and add an HTTPS binding to IIS I receive a popup error 'Item has already been added. Key in Dictionary'.

Help please! I am out of ideas...

Many thanks

Matt

windows modules installer service terminates


Hello. I posted this in the SBS section, but I received no replies. Maybe this question fits here better, I hope.

I am using windows SBS 2008.

Windows Server Standard FE SP2

ver   6.0.6002

I am trying to run Windows updates.

I receive: Windows modules installer service terminated - specified module cannot be found

I am trying to work through KB959077.

I do not have the C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_<TrustedInstaller ID>_none directory that KB959077 references; there is no "servicing stack" directory.

I could not locate information on what to do when encountering the absence of this directory. Does anyone have any ideas on what I might try next?

thank you.....

Clients connect to wifi with certificate that expires every month - correct way to handle expired certificates?


Hi all

I'm sorry if this is the wrong forum to ask this question. Also my knowledge in this area is somewhat limited, which is why I need your help :-)

We use wireless networks primarily in my company for all our clients and use a certificate to authenticate to the network. This certificate expires after 1 month and we automatically renew them 1 week before expiry. Relatively often we have users that are not connected to the network for a few weeks or more and then the certificate expires before being renewed. Then we have to connect them to the wired network to get the certificate updated, so they can connect to the wireless network again.

What is the correct approach to solve this issue? We feel extending the life of the certificate would be a too big security compromise. Is there some way you could automatically allow an expired certificate briefly with the sole purpose of renewing the certificate? Or how would you normally resolve this issue?

Thanks for any help/knowledge you can provide :-)


Trying to determine if LDAP over SSL is working using LDP.exe


Hi,

I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:

ld = ldap_sslinit("dc1.domain.com", 636, 1);

Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

Error 0 = ldap_connect(hLdap, NULL);

Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);

Host supports SSL, SSL cipher strength = 128 bits

Established connection to dc1.domain.com.

Retrieving base DSA information...

Getting 1 entries:

Dn: (RootDSE)

<unnecessary details>

It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.

Also, when I run a Simple bind with my credentials, I get the following output:

res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3

Authenticated as: 'DOMAIN\myuseraccount'.

Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}

Authenticated as: 'DOMAIN\myuseraccount'.

I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.

Any advice or additional insight would be greatly appreciated.

Thanks!

Office 2007 not recognizing code signing certificate from Server 2012


Hello,

My goal is to sign Excel 2007 macros intended for intraoffice use only, by a team of five people. I have tried the Office Tools selfsign.exe certificate, but my coworkers get warnings. So I'm trying to use a Code Signing certificate issued by our local Windows Server 2012. I have found and followed the instructions for doing so (briefly, I have added the local CA to my Trusted Root Certification Authorities, have enabled Code Signing template on the server and allowed enrollment, and then I have requested, received, and installed a Code Signing certificate using the https://servername/certsrv method), and everything appears to have worked. The local CA appears in my Trusted Root Certification Authorities, and the Code Signing certificate appears in my Personal certificates tab, along with the aforementioned Office Tools certificate.

The trouble is that when I try to sign my code in Excel Visual Basic (Tools/Digital Signature), the certificate does not appear to choose from. My only option is the self-signed certificate. If I delete the self certificate, I get a message - part of a message, really - that there are "no certificates that meet the application..." (if there's a way to expand that and see the end of that sentence, I can't find it.)

Is there something wrong with a certificate based on the built-in Code Signing template? Is there a step I've missed to get Excel to recognize it? With so little information, I really don't know where to go from here.

0x8002801c error when trying to unregister scrrun.dll Win2008 R2 64bit


For the DoD STIGS, they want you to unregister the File System Component and their steps are to unregister scrrun.dll

I'm on Win2008 R2, SP1, 64bit.  I open a command prompt with 'run as administrator', I try

regsvr32.exe scrrun.dll /u

or

regsvr32.exe c:\windows\system32\scrrun.dll

And I've tried with the regsvr32.exe that is in c:\windows\syswow64 

Every time I get the same error 'The module 'c:\windows\system32\scrrun.dll' was loaded, but the call to DllUnregisterServer failed with error code 0x8002801c.'

Hits with google infer not running as administrator (but I am) or registry permissions (didn't see anything glaring with Procmon).  This is a vanilla box except a few minor adds like IIS, SQL Server 2008 R2.

What can I do to be able to conform to this STIG on Win2008 R2 64bit?

Read Only for all but creator of original file


I need to accomplish the following:

 The goal is for us all to have access to read all the files associated with the audit. Only person posting the file should be able to modify it.

Would this be:

Everyone: Read/Write/Create

Owner: Modify/Delete

As right now they all can read/write/delete any document they would like.


Using PKI to secure our infrastructure


Hi,
We have 300 employees in our organization and now we'd like to provide them new services, but keep their devices under our control. Main questions are:
- due to work activities and our job structure, a lot of employees are working at home. Some of them use our laptops (bought by our company) but some of them use private
computers. They're using our published service OWA and Windows PPTP VPN. How can we control both devices? NAP with dedicated certificates or should we use any other secure policy?
- similar like previous question, just move on to smartphones and tablets. How we can control mobile devices while connecting to our infrastructure? Which platform, SCCM or... ?

Please advise on a way or technology I can have a look at. Preferred way is Microsoft PKI because we're using it at the moment for some secure communication.
Thnx!

DC's not auditing Locked account event ID 4740


Hi All, 

I have an issue where a particular account keeps locking and was trying to troubleshoot by looking at the security logs on our DC's using eventcombMT searching for 4740 ID's. I can't find any in the logs at all, even after deliberately locking test accounts I cannot find any events returning 4740 only 4625 which aren't much help.

I'm beginning to think the DC's aren't logging this information, so looked a little further. 

All the Audit settings are configured within the default Domain Controller GP which are being applied (checked by gpresult /H gp.htm report)

I also checked with auditpol


C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   Success and Fai
  Logoff                                  No Auditing
  Account Lockout                         Success and Fai
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

C:\Windows\system32>

yet no events are being logged for 4740.

Any ideas?
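Event 4740 (a user account was locked out) is produced by the Account Management > User Account Management audit subcategory on the domain controller that processed the lockout; the Logon/Logoff > Account Lockout subcategory instead yields 4625 records carrying the locked-out sub status. The script below is an added example, not part of the post: it parses an `auditpol /get /category:*` listing like the one above and reports whether the subcategory a given event ID depends on is enabled. The event-to-subcategory table and the `auditpol /set` command follow Microsoft's audit documentation; the sample listing is an abridged copy of the one posted, kept as constructed input so the script runs offline.

```python
"""Check whether an auditpol listing enables the subcategory a Security
event ID needs.  Added helper, not from the post; the EVENT_SUBCATEGORY
mapping follows Microsoft's audit-policy documentation."""
import re

# event ID -> (category, subcategory, outcome that produces it)
EVENT_SUBCATEGORY = {
    4740: ("Account Management", "User Account Management", "Success"),  # locked out
    4767: ("Account Management", "User Account Management", "Success"),  # unlocked
    4624: ("Logon/Logoff", "Logon", "Success"),
    4625: ("Logon/Logoff", "Logon", "Failure"),
    4776: ("Account Logon", "Credential Validation", "Failure"),          # NTLM
    4771: ("Account Logon", "Kerberos Authentication Service", "Failure"),
    4688: ("Detailed Tracking", "Process Creation", "Success"),
}


def parse_auditpol(text):
    """Parse `auditpol /get /category:*` output into {category: {sub: setting}}.
    Category lines start at column 0, subcategory lines are indented, and the
    setting is whatever follows the run of padding spaces (it may be truncated
    by the console, as in the listing above)."""
    policy, category = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (not line or line.startswith("C:\\") or
                line.startswith("System audit policy") or
                line.startswith("Category/Subcategory")):
            continue
        if not line.startswith(" "):
            category = line.strip()
            policy.setdefault(category, {})
            continue
        name, setting = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        policy[category][name] = setting
    return policy


def outcome_enabled(setting, outcome):
    """True if a setting such as 'Success', 'Failure' or 'Success and Failure'
    (possibly truncated by the console) covers the requested outcome."""
    if setting.startswith("Success and"):
        return True
    return setting.startswith(outcome)


def check_event(policy, event_id):
    """Report whether the subcategory behind event_id is switched on."""
    category, sub, outcome = EVENT_SUBCATEGORY[event_id]
    setting = policy.get(category, {}).get(sub, "missing")
    return {
        "event_id": event_id,
        "subcategory": sub,
        "setting": setting,
        "logged": outcome_enabled(setting, outcome),
        "fix": 'auditpol /set /subcategory:"%s" /success:enable /failure:enable' % sub,
    }


# Abridged copy of the listing in the post above (constructed sample input).
SAMPLE_AUDITPOL = """\
C:\\Windows\\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   Success and Fai
  Account Lockout                         Success and Fai
  User / Device Claims                    No Auditing
Account Management
  User Account Management                 No Auditing
  Security Group Management               No Auditing
Account Logon
  Credential Validation                   No Auditing

C:\\Windows\\system32>
"""

if __name__ == "__main__":
    policy = parse_auditpol(SAMPLE_AUDITPOL)
    for eid in (4740, 4625, 4776):
        print(check_event(policy, eid))
```

Run against the posted listing, the check for 4740 comes back with `logged: False` because User Account Management is at "No Auditing", while 4625 comes back `logged: True` from the Logon subcategory, which matches what the poster observes. Since lockouts are processed by the PDC emulator, the subcategory has to be enabled on that DC and the search run there.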

Lost all permissions in Windows Server 2012


I installed a new server for a client 3 months ago.  The new server runs Windows Server 2012 Standard.  Everything was fine until randomly I could not open the Chrome icon on the taskbar.  Error said the following : "windows cannot access the specified device path or file. you may not have the appropriate permission"

I tried to use the control panel but got the same error.  I can, however, using classic shell start menu, right click on control panel and click open to get to it.  If using the start menu I click on control panel the little windows extends and says "empty".  As of note I uninstalled classic shell to no avail.

Trying to run sfc /scannow generates the following error "Windows Resource Protection could not perform the requested operation"

I also cannot open the hosts file, access denied.  I changed ownership and granted all access, still nothing.

In the notification area, the network icon has a red x and says "Connection Status: Unknown" yet internet and network access is uninhibited.

Using the "subinacl /subdirectories c:\*.* /grant=administrator" changed nothing.  

I decided to disable UAC via registry key after which I rebooted and could no longer login.  I received the following error: "The sign-in method you're trying to use isn't allowed.  For more info, contact your network administrator."

In response I attempted to run gpedit and I went to Computer Configuration> Security Settings> Local Policies> User Rights Assignment| and checked the Deny log on locally settings. Only SBS Remote Operators, SBS STS Worker, and Support_38945a0 were listed, none of which are groups that the administrator is a member of.  Also, this led to the discovery that all settings within gpedit are grayed out and cannot be changed.

To fix, I logged in as another user and removed the administrator from the Domain Power Users group which fixed the login issue.  I am unable to perform windows updates.  There are no virus or malware detected by Trend Micro, RogueKiller, TDSSKiller, MalwareBytes, or RKill.

CCleaner did not fix.  

PLEASE HELP!!!


Enterprise subordinate CA does not show up in certificate authorities list


After much discussion I decided the best approach was to clean everything up and start over. I went through the KB on decommissioning an enterprise CA and Subordinate CA, install a new standalone root, and a new enterprise subordinate CA. Everything appeared to be working with one exception. The new Enterprise Subordinate does not show up in the Certificate Authorities section of Public key services in AD Sites&Services. It does show up in AIA, CDP and Enrollment services. The standalone root is trusted and I set up group policy with the certificate of the Enterprise Subordinate as a trusted intermediate. The templates were configured also as well as autoenrollment for computers but so far only the DCs and my workstation have received certificates. I am sure I am missing something but after 100s of pages and article after article I don't see it. I ran the certutil -viewstore query and it doesn't see it either and it doesn't tell me how to fix it. Also, what is the deal with case; it seems no matter how careful I was with upper and lower case letters AD did what it wanted and my published CA name looks like I can't figure out how caps lock works.

Thanks in advance


eburch@lasertel.com

enterprise CA on a 2003 DC - move to 2012 DC?

I'm looking for guidance on replacing a CA that's on a server 2003 DC with a CA on a server 2012 r1 DC. Is it possible to backup/restore here? They are just computer certificates, if I revoke and uninstall CA on 2003 shouldn't they just re-autoenroll on 2012 presuming the autoenrollment configuration is correct?

rms and ad fs 2012 integration


I am trying to follow the documentation with AD RMS and AD FS integration. The TechNet articles, videos, and blogs are all dated. For example, http://technet.microsoft.com/en-us/library/ee256071(v=WS.10).aspx

Even the new posts reference the old ones on this subject - I'm looking for a step-by-step on how these two are integrated.  The UI in ADFS 2012 is different and I don't know AD FS well enough to translate.  I would love a TechNet Lab Guide on these procedures but so much of the new documentation focuses on just the new features. Some help or a link would be appreciated.

TIA


Jason Yates

login.dotomi.com appears in Network in Windows Explorer (SCARY!)


I just opened up my "Network" node in Windows Explorer and there is an entry there called "login.dotomi.com". I did not add it. Dotomi's website describes itself as a marketing company and is apparently owned by AOL.

I did not add this connection and I do not know how to remove it. I am really concerned.

I have reported this site to Microsoft's "Report a website" (Internet Explorer | [wheel] | Safety | Report unsafe website) and I apologize to them if this is not their doing. But before now, I have never visited their site.

  1. How can anyone add a site such as this to my network without me knowing?
  2. I know we are entering a new era of hacking and security concerns, but shouldn't W2K8-R2 protect against this?
  3. How can I remove this and prevent this security hole from happening again?

Thanks,
Bob.



Security Log Event 4625 - After TLS Client Key Exchange - 2012 R2 Essentials


Hi all

First time posting here so hopefully someone can help me. I have installed a Windows 2012 R2 Essentials server operating system on a new HP server.  The server, o/s, domain and Windows 8.1 pcs on the network were all installed from scratch recently (as it is a new company). The server has the event ID 4625 (audit failure - account failed to log on) in the security log on multiple occasions. After hours of researching I have finally found (via a network monitor trace) what I think is the network packet that is related to the event. It is a TLS packet from the Windows 8.1 machines onsite to the server.

The description of the packet is TLS:TLS Rec Layer -1 Handshake: Certificate. Client Key Exchange. Certificate Verify

The packet makes reference to X509Cert: Issuer: <domain name>-<server name>-<CA>

When we set up the domain - we configured the 2012 Essentials to be a domain controller and just connected the machines to the domain using the server connection wizard (website). We don't have exchange onsite as they use Office 365. We didn't do any configuration with regards to certificates when the server was installed. Everything was left as out of the box.

It is not impacting day to day operations but can anyone explain why this might happen and how to resolve it?

Note: We are now experiencing the same thing at another client site where we just installed a new windows 2012 r2 essentials server. 

Here is the event log information (note the event log does not make any reference to the Windows 8 machine - only the server. The account name in the event properties is the server name with a dollar symbol at the end.)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25/06/2014 00:00:02
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Servername.domainname.local
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain:DomainName
Logon ID: 0x3E7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID:0x258
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:SERVERNAME
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:Schannel
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-24T23:00:02.024083500Z" />
    <EventRecordID>6723875</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="8336" />
    <Channel>Security</Channel>
    <Computer>Servername.DomainName.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="SubjectDomainName">DomainName</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVERNAME</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x258</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
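Both 4625 posts on this page (the NTLM failure from 192.168.0.145 with status 0x80090308, and the Schannel/Kerberos failure above with an empty account name) turn on reading the Status, SubStatus, logon process and source-address fields together rather than the generic "An account failed to log on" text. The script below is an added example, not code from either post: it parses the Event XML form of a 4625 record, decodes the status codes (NTSTATUS values and the SSPI SEC_E_INVALID_TOKEN value, from Microsoft's documentation) and tags the patterns a responder should check next. The `make_event_xml` helper only exists to construct sample records from the fields quoted in the two posts; the tag names and the `triage` function are this example's own design.

```python
"""Triage Windows Security event 4625 records from their Event XML.

Added helper (not from either forum post): parse the EventData fields,
decode the Status/SubStatus codes and tag the two patterns seen above,
an NTLM failure from an unexpected address and a Schannel/Kerberos
failure with an empty account name.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status/SubStatus values commonly seen in 4625 (NTSTATUS unless noted).
STATUS_CODES = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0x80090308: "SEC_E_INVALID_TOKEN (SSPI): the security token was rejected",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def make_event_xml(fields, event_id=4625):
    """Build a minimal record in the Security log's Event XML schema
    (used here only to construct sample input)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, data))


def parse_event_xml(xml_text):
    """Return the EventID plus every <Data Name=...> field as a dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def describe_code(hex_value):
    code = int(hex_value, 16)
    return STATUS_CODES.get(code, "unknown code 0x%08X" % code)


def triage(event):
    """Explain one 4625 record and tag what a responder should check next."""
    if event["EventID"] != 4625:
        raise ValueError("not a 4625 event")
    status, sub = int(event["Status"], 16), int(event["SubStatus"], 16)
    ip, port = event.get("IpAddress", "-"), event.get("IpPort", "-")
    tags = []
    if event.get("LogonType") == "3" and ip not in ("-", "", "::1", "127.0.0.1"):
        # Remote network logon: the source address is the first thing to verify.
        tags.append("network-source:%s:%s" % (ip, port))
    if (event.get("AuthenticationPackageName") == "NTLM"
            and status == 0x80090308 and not event.get("TargetUserName")):
        # The NTLM token was rejected before any account name was validated:
        # a protocol negotiation failure rather than a rejected password.
        tags.append("ntlm-negotiation-failure")
    if event.get("LogonProcessName") == "Schannel" and sub == 0xC0000064:
        # Logon was attempted from a TLS handshake: the client certificate
        # could not be mapped to an account (no such user).
        tags.append("schannel-cert-mapping-failure")
    if sub == 0xC0000234:
        tags.append("account-locked-out")
    return {
        "logon_type": LOGON_TYPES.get(int(event.get("LogonType", "0")), "Other"),
        "status": describe_code(event["Status"]),
        "sub_status": describe_code(event["SubStatus"]) if sub else "none",
        "tags": tags,
    }


# Sample records built from the fields quoted in the two posts above.
SAMPLE_SCHANNEL = make_event_xml({
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "ServerName$",
    "TargetUserSid": "S-1-0-0", "TargetUserName": "", "TargetDomainName": "",
    "Status": "0xc000006d", "SubStatus": "0xc0000064", "LogonType": "3",
    "LogonProcessName": "Schannel", "AuthenticationPackageName": "Kerberos",
    "WorkstationName": "SERVERNAME", "IpAddress": "-", "IpPort": "-"})
SAMPLE_NTLM = make_event_xml({
    "SubjectUserSid": "S-1-0-0", "TargetUserSid": "S-1-0-0",
    "TargetUserName": "", "TargetDomainName": "",
    "Status": "0x80090308", "SubStatus": "0x0", "LogonType": "3",
    "LogonProcessName": "", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "", "IpAddress": "192.168.0.145", "IpPort": "51982"})

if __name__ == "__main__":
    for sample in (SAMPLE_SCHANNEL, SAMPLE_NTLM):
        print(triage(parse_event_xml(sample)))
```

For the record above, the Schannel logon process plus STATUS_NO_SUCH_USER says the failure happened while mapping a client certificate presented in a TLS handshake to an account, which is consistent with the poster's capture of a Client Key Exchange / Certificate Verify packet; no password was tried. For the first post's record, an empty target name with SEC_E_INVALID_TOKEN over NTLM is a negotiation failure, so the useful next step is identifying what sits at the source address and port rather than looking for a guessed account.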


Robocopy not copying NTFS permissions


Hi All, got a 2008 64bit server, copying a 100 GB folder from one disk to another on the same server. And randomly robocopy does not apply NTFS permissions to folders at root level. It leaves them to default.

This is the command I am using:
robocopy "F:\Project1" "H:\Project1" /E /Copy:DATSOU /IS /IT /log:c:\Project.txt /TEE

What could be the issue ?

Renew CA Certificate with Different CSP (or KSP)


Folks, is there a way to specify a different CSP (or KSP) when performing a renewal of a CA certificate.  The requirement I have is to move from an older 32-bit CSP to a KSP - whilst there may be some trick approach to doing this using utilities provided by the HSM people, we'd be quite happy to use the renewal process to "manage out" the old CSP.

There doesn't appear to be any opportunity when running the "wizard" to renew the CA certificate... neither is there anything in the CAPolicy.inf.

I was thinking about using certreq, but then I don't know what "magic" that would omit compared to running the renewal with the wizard.

Any ideas? Cheers

Use CLM 2007 FP1 database in FIM CM 2010 R2 SP1


I try to use my existing CLM 2007 database in a new FIM CM 2013 R2 SP1 installation.

When I open the web interface, after authentication I get the error

"Database version error. Current database version: 2. Expected version: 103. Database upgrade may be needed."

What did I miss?

DisableIPSourceRouting registry key on Server 2012 R2


Hi,

We have security scanning software which is complaining that the DisableIPSourceRouting registry key is missing. I've found plenty of old articles about adding the key and setting it to 2 to stop routing, but also an article saying that routing is disabled by default in 2008 and Vista. I can't find anything more recent than that.

As this key doesn't exist by default in 2012 R2, does that mean that it's now disabled by default and you'd only need to add the key if you wanted to enable it?

Thanks

Gary


