Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4813
Views
0
Helpful
1
Replies

S160 WSA Active Directory audit failures on DC

keithsauer507
Level 5
Level 5

‎12-21-2012 05:15 AM

Our S160 is pointed to 2 Windows Server 2008 R2 Domain Controllers under edit relam > NTLM Authentication Realm.  The appliance is joined to the domain here and enable transparent user id using AD Agent is also on and that agent is on a 3rd 2008 R2 member server.  Client Signing is required.

Under test current settings, Ironport passes all tests.

On my both domain controllers I see an audit failure though under the security event logs

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          12/21/2012 8:05:36 AM

Event ID:      4776

Task Category: Credential Validation

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DCNAME.ourdomain.com

Description:

The computer attempted to validate the credentials for an account.

Authentication Package:          MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:          WEBFILTER$

Source Workstation:          DCNAME

Error Code:          0xc0000199

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4776</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>14336</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2012-12-21T13:05:36.595097500Z" />

    <EventRecordID>4668215</EventRecordID>

    <Correlation />

    <Execution ProcessID="468" ThreadID="1720" />

    <Channel>Security</Channel>

    <Computer>DCNAME.ourdomain.com</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>

    <Data Name="TargetUserName">WEBFILTER$</Data>

    <Data Name="Workstation">DCNAME</Data>

    <Data Name="Status">0xc0000199</Data>

  </EventData>

</Event>

Followed by:

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          12/21/2012 8:05:37 AM

Event ID:      4625

Task Category: Logon

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      dcname.ourdomain.com

Description:

An account failed to log on.

Subject:

Security ID:                    SYSTEM

Account Name: DCNAME$

Account Domain:                    OURDOMAIN

Logon ID:                    0x3e7

Logon Type:                              3

Account For Which Logon Failed:

Security ID:                    NULL SID

Account Name:                    WEBFILTER$

Account Domain:                    OURDOMAIN

Failure Information:

Failure Reason:                    An Error occured during Logon.

Status:                              0xc0000199

Sub Status:                    0x0

Process Information:

Caller Process ID:          0x1ec

Caller Process Name:          C:\Windows\System32\lsass.exe

Network Information:

Workstation Name:          DCNAME

Source Network Address:          10.1.0.4

Source Port:                    54830

Detailed Authentication Information:

Logon Process:                    Advapi 

Authentication Package:          MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Transited Services:          -

Package Name (NTLM only):          -

Key Length:                    0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4625</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>12544</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2012-12-21T13:05:37.397392800Z" />

    <EventRecordID>193248710</EventRecordID>

    <Correlation />

    <Execution ProcessID="492" ThreadID="1272" />

    <Channel>Security</Channel>

    <Computer>DCNAME.ourdomain.com</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="SubjectUserSid">S-1-5-18</Data>

    <Data Name="SubjectUserName">DCNAME$</Data>

    <Data Name="SubjectDomainName">OURDOMAIN</Data>

    <Data Name="SubjectLogonId">0x3e7</Data>

    <Data Name="TargetUserSid">S-1-0-0</Data>

    <Data Name="TargetUserName">WEBFILTER$</Data>

    <Data Name="TargetDomainName">OURDOMAIN</Data>

    <Data Name="Status">0xc0000199</Data>

    <Data Name="FailureReason">%%2304</Data>

    <Data Name="SubStatus">0x0</Data>

    <Data Name="LogonType">3</Data>

    <Data Name="LogonProcessName">Advapi  </Data>

    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>

    <Data Name="WorkstationName">DCNAME</Data>

    <Data Name="TransmittedServices">-</Data>

    <Data Name="LmPackageName">-</Data>

    <Data Name="KeyLength">0</Data>

    <Data Name="ProcessId">0x1ec</Data>

    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>

    <Data Name="IpAddress">10.1.0.4</Data>

    <Data Name="IpPort">54830</Data>

  </EventData>

</Event>

Is this something to be concerned about?

2 people had this problem
Labels:
0 Helpful
1 Reply 1

keithsauer507
Level 5
Level 5

‎12-21-2012 05:30 AM

Found the error code specified in the status field for Event ID 4625 is this:

0xC0000199
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

The account used is a computer account. Use your global user account or local user account to access this server.

Source: http://msdn.microsoft.com/en-us/library/cc704588.aspx

However how would you inform the WSA to log on correctly?  But the filtering seems to work fine still. I logged into a test machine as a limited user and was not able to get to some sites that they shouldn't be able to reach.  Log in as me (an admin) and I can get to those sites.  So the WSA is correctly altering Internet access based on the AD User logged in.  Perhaps that is the role of the AD Agent that I also have configured. 

So is this Event ID something I can ignore or can I make some configuration adjustments so I do not have to see this audit failure anymore?  Or is it a legitimate known audit failure that is OK?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents