We have a Palo Alto Networks PA-2020 firewall with an SSL VPN GlobalProtect feature that we use. We have been noticing that at random times, when people try to log on remotely using the GlobalProtect client, they cannot be authenticated and are denied access. I looked in the Event Viewer on my DC, where I have IAS RADIUS authentication set up, and I see two events during these times:
Event ID: 529
date: 4/2/2013 source: security time 08:23:22pm category: Logon/Logoff Type: Failure Audit Event ID: 675 User: NT AUTHORITY\SYSTEM computer: SERVDC1
Logon Failure:
Reason: Unknown user name or bad password
User Name: usera
Domain: COMPDOM
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: SERVDC1$
Caller Domain: COMPDOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 944
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event id: 680
date: 4/2/2013 source: security time 8:23:23pm category: Account Logon Type: Failure Audit Event ID: 675 User: NT AUTHORITY\SYSTEM computer: SERVDC1
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: usera
Source Workstation:
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The same user who was unable to log on last night tried again this morning and said she was able to log on using the GlobalProtect client. She swears she was using the correct username and password last night. I have had other users complain that they have been unable to authenticate to get logged in as well.
Any ideas as to why this would randomly occur, preventing access, but work fine other times? I also have a ton of these other event logs as well. Not sure if they pertain to the same problem or something different.
event id: 680
date: 4/2/2013 source: security time 11:10:09pm category: Account Login Type: Failure Audit Event ID: 675 User: NT AUTHORITY\SYSTEM computer: SERVDC1
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: @
Source Workstation: \\SERVSQL2
Error Code: 0xC0000064
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
event id: 680
date: 4/2/2013 source: security time: 11:05:34pm category: Account Login Type: Failure Audit Event ID: 680 User: NT AUTHORITY\SYSTEM computer: SERVDC1
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: @
Source Workstation: \\SERVFS2 (my other domain controller)
Error Code: 0xC0000064
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
event id: 675
date: 4/2/2013 source: security time 11:10:09pm category: Account Login Type: Failure Audit Event ID: 675 User: NT AUTHORITY\SYSTEM computer: SERVDC1
Pre-authentication failed:
User Name: ABCPRINT01W764$
User ID: COMPDOM\ABCPRINT01W764$
Service Name: krbtgt/COMPDOM.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.0.30.39
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
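The status codes in the events above have fixed meanings, so the mixed log can be sorted by code before deciding which entries relate to the VPN failures. The Python below is an added example, not part of the original post: it parses pasted event 680 and 675 bodies and maps the "Error Code" (NTSTATUS) and "Failure Code" (Kerberos, RFC 4120) values to their documented meanings. The function names and lookup tables are this example's own, and the sample bodies reproduce fields from the events quoted in the post.

```python
import re

# NTSTATUS values seen in the "Error Code" field of event 680
NTSTATUS = {
    0xC0000064: "no such user",
    0xC000006A: "wrong password for an existing user",
    0xC0000234: "account locked out",
}
# Kerberos KDC error codes (RFC 4120) seen in the "Failure Code" field of event 675
KERBEROS = {
    0x18: "pre-authentication failed",
    0x19: "additional pre-authentication required",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*)$")

def parse_event(text):
    """Collect the 'Name: value' lines of one pasted event into a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1).strip().lower()] = match.group(2).strip()
    return fields

def triage(text):
    """Return (account, code, meaning) for an event 680 or 675 body."""
    f = parse_event(text)
    if "error code" in f:        # event 680: NTLM credential validation
        code, table, account = f["error code"], NTSTATUS, f.get("logon account", "")
    elif "failure code" in f:    # event 675: Kerberos pre-authentication
        code, table, account = f["failure code"], KERBEROS, f.get("user name", "")
    else:
        raise ValueError("no Error Code or Failure Code field found")
    value = int(code, 16)
    return account, f"0x{value:X}", table.get(value, "not in this table")

# Sample bodies reproducing fields from the events quoted in the post
EVENT_680 = """Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: usera
Source Workstation:
Error Code: 0xC000006A"""
EVENT_675 = """Pre-authentication failed:
User Name: ABCPRINT01W764$
Service Name: krbtgt/COMPDOM.COM
Failure Code: 0x19
Client Address: 10.0.30.39"""

if __name__ == "__main__":
    for body in (EVENT_680, EVENT_675):
        print(triage(body))
```

Grouping the output by account and code separates wrong-password failures for a named user (0xC000006A) from no-such-user entries (0xC0000064) and from Kerberos 0x19 responses, which a KDC returns as a routine part of the pre-authentication exchange.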