Channel: Security forum

Security Log Event 4625 - After TLS Client Key Exchange - 2012 R2 Essentials


Hi all

First time posting here so hopefully someone can help me. I have installed a Windows 2012 R2 Essentials server operating system on a new HP server. The server, o/s, domain and Windows 8.1 PCs on the network were all installed from scratch recently (as it is a new company). The server has the event ID 4625 (audit failure - account failed to log on) in the security log on multiple occasions. After hours of researching I have finally found (via a network monitor trace) what I think is the network packet that is related to the event. It is a TLS packet from the Windows 8.1 machines onsite to the server.

The description of the packet is TLS:TLS Rec Layer -1 Handshake: Certificate. Client Key Exchange. Certificate Verify

The packet makes reference to X509Cert: Issuer: <domain name>-<server name>-<CA>

When we set up the domain, we configured the 2012 Essentials to be a domain controller and just connected the machines to the domain using the server connection wizard (website). We don't have Exchange onsite as they use Office 365. We didn't do any configuration with regard to certificates when the server was installed. Everything was left as out of the box.

It is not impacting day to day operations but can anyone explain why this might happen and how to resolve it?

Note: We are now experiencing the same thing at another client site where we just installed a new Windows 2012 R2 Essentials server.

Here is the event log information (note the event log does not make any reference to the Windows 8 machine - only the server. The account name in the event properties is the server name with a dollar symbol at the end.)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          25/06/2014 00:00:02
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Servername.domainname.local
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain:DomainName
Logon ID: 0x3E7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID:0x258
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:SERVERNAME
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:Schannel
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-24T23:00:02.024083500Z" />
    <EventRecordID>6723875</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="8336" />
    <Channel>Security</Channel>
    <Computer>Servername.DomainName.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="SubjectDomainName">DomainName</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">SERVERNAME</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x258</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
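Added example, not part of the original post: a Python sketch that parses exported 4625 event XML like the record above, decodes the two NTSTATUS codes it carries, and counts events matching the same field pattern (Schannel logon process, NULL SID, empty target account) separately from failures that name an account. The function names, class labels and the trimmed sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values seen in the posted event (names as defined in ntstatus.h).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
}

# Constructed sample: trimmed copy of the posted event, placeholder names kept.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>Servername.DomainName.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">ServerName$</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Schannel</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event as a dict, whitespace stripped."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.iterfind("e:EventData/e:Data", NS)}
    for key in ("Status", "SubStatus"):
        code = int(fields.get(key, "0"), 16)
        fields[key + "Name"] = NTSTATUS.get(code, "unmapped 0x%08X" % code)
    return fields

def classify(fields):
    """Label the event by the fields that distinguish the pattern in the post."""
    no_target = fields.get("TargetUserSid") == "S-1-0-0" and not fields.get("TargetUserName")
    if fields.get("LogonProcessName") == "Schannel" and no_target:
        return "schannel-no-target-account"
    return "named-account-failure" if fields.get("TargetUserName") else "other"

def summarize(events_xml):
    """Count events per (class, subject account) over a list of event XML strings."""
    return Counter((classify(f), f.get("SubjectUserName", ""))
                   for f in map(parse_4625, events_xml))
```

Feeding `summarize` the XML of every 4625 record exported from the Security log shows how many failures fall into the Schannel pattern per subject account, which helps when correlating them with the timestamps in a network trace.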


