We are running two Windows 2008 R2 SP1 servers in a SQL failover cluster. On one of them, we get the following event in the Security log every 30 seconds. The blank parts really are blank. Has anyone seen a similar problem, or can anyone help track down the cause of these events? No other event log shows anything related as far as I can tell.
```text
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       SERVERNAME$
    Account Domain:     DOMAINNAME
    Logon ID:           0x3e7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc0000064

Process Information:
    Caller Process ID:  0x238
    Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
```
A second event follows each of the events above:
```text
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xc000006d
    Sub Status:         0x80090325

Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
```
Edit/update: I have more information to add. I installed Network Monitor on this machine, set up a filter for Kerberos traffic, and found the following, matching the timestamps in the security audit log:

```text
Kerberos AS_Request  Cname: CN=sqlInstanceName  Realm: domain.local  Sname: krbtgt/domain.local
Reply from DC:       KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN
```

I then checked the security audit log on the DC that responded and found the following:
```text
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       X509N:<S>CN=sqlInstanceName
    Supplied Realm Name: domain.local
    User ID:            NULL SID

Service Information:
    Service Name:       krbtgt/domain.local
    Service ID:         NULL SID

Network Information:
    Client Address:     ::ffff:10.240.42.101
    Client Port:        58207

Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
```
So it seems to be related to a certificate installed on the SQL machine; I still have no clue why, or what is wrong with said certificate. It is not expired, etc.
I used Microsoft Network Monitor to find the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server is sending a Kerberos AS_REQ for a computer account with the SQL instance name. The AD server responds with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found a failure audit like the following:
```text
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       X509N:<S>CN=sqlInstanceName
    Supplied Realm Name: domain.local
    User ID:            NULL SID

Service Information:
    Service Name:       krbtgt/domain.local
    Service ID:         NULL SID
```
This appears to be some kind of certificate request. I then used Sysinternals Process Monitor and found activity from a custom service with the same timestamps. It was querying all the certificate stores without finding anything.

Disabling this service stopped the security events.
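The correlation the question and the answer did by hand (a Schannel-originated 4625 on the node, a 4768 with an X509N:&lt;S&gt; account name and result code 0x6 on the DC, same second) can be scripted for triage. The following is an added example, not code from the original post or the answer: it parses the "Field: Value" layout of Windows Security event text, explains the 4625 Status, Sub Status and Logon Process fields, decodes the 4768 Result Code, and pairs the two by timestamp. The sample events are constructed to mirror the ones quoted above; SERVERNAME, domain.local and sqlInstanceName are the thread's placeholders, and the decode tables cover only the codes that appear in this thread.

```python
"""Triage helper for the 4625/4768 pattern in this thread (added example, not code
from the original post; sample events are constructed to mirror the question's,
with SERVERNAME, domain.local and sqlInstanceName as placeholders)."""
import re
from datetime import datetime, timedelta

# Section headers in Windows event text carry no value of their own.
SECTION_HEADERS = {
    "description", "subject", "account for which logon failed", "failure information",
    "process information", "network information", "detailed authentication information",
    "account information", "service information", "additional information",
    "certificate information",
}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")
# NTSTATUS / SEC_E values seen in 4625 Status and Sub Status.
STATUS_TEXT = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER (no account matches the supplied identity)",
    0x80090325: "SEC_E_UNTRUSTED_ROOT (certificate chain not trusted)",
}
# Kerberos error codes reported in the 4768 Result Code field (RFC 4120, section 7.5.9).
KRB_ERR_TEXT = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

def parse_event(text):
    """Flatten event text into {'section.field': value}; keys are lower-cased so
    casing differences from copy-paste (Logon vs logon) do not break lookups."""
    fields, section = {}, "header"
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # free text such as "An account failed to log on."
        name, value = m.group(1).strip().lower(), m.group(2).strip()
        if name in SECTION_HEADERS:
            section = name
            continue
        fields[f"{section}.{name}"] = value
    return fields

def event_time(ev):
    return datetime.strptime(ev["header.date"], "%m/%d/%Y %I:%M:%S %p")

def classify_4625(ev):
    """Which logon process failed, from which caller, with which status codes."""
    status = int(ev.get("failure information.status", "0"), 16)
    sub = int(ev.get("failure information.sub status", "0"), 16)
    return {
        "logon_process": ev.get("detailed authentication information.logon process", ""),
        "caller": ev.get("process information.caller process name", ""),
        "status": STATUS_TEXT.get(status, f"0x{status:08X}"),
        "sub_status": STATUS_TEXT.get(sub, f"0x{sub:08X}"),
    }

def classify_4768(ev):
    """Which principal asked for a TGT and why the KDC refused. An Account Name of the
    form X509N:<S>CN=... means the identity came from a certificate subject (PKINIT)."""
    name = ev.get("account information.account name", "")
    code = int(ev.get("additional information.result code", "0"), 16)
    cn = re.search(r"CN=([^,]+)", name)
    return {
        "from_certificate": name.startswith("X509N:"),
        "cn": cn.group(1) if cn else "",
        "result": KRB_ERR_TEXT.get(code, f"0x{code:X}"),
    }

def correlate(client_4625s, dc_4768s, window=timedelta(seconds=2)):
    """Pair Schannel 4625s on the node with certificate-based 4768 failures on the DC
    that fall inside `window`: each pair is one AS_REQ answered with a KRB_ERROR."""
    pairs = []
    for c in client_4625s:
        info = classify_4625(c)
        if info["logon_process"].lower() != "schannel":
            continue
        for d in dc_4768s:
            k = classify_4768(d)
            if k["from_certificate"] and abs(event_time(c) - event_time(d)) <= window:
                pairs.append((event_time(c), k["cn"], info["sub_status"], k["result"]))
    return pairs

# Constructed samples mirroring the thread's events (placeholder names and realm).
SAMPLE_4625 = """\
Date: 10/17/2012 10:02:04 PM
Event ID: 4625
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
Failure Information:
    Status: 0xc000006d
    Sub Status: 0xc0000064
Process Information:
    Caller Process Name: C:\\Windows\\System32\\lsass.exe
Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
"""
SAMPLE_4768 = """\
Date: 10/17/2012 10:02:04 PM
Event ID: 4768
Account Information:
    Account Name: X509N:<S>CN=sqlInstanceName
    Supplied Realm Name: domain.local
Service Information:
    Service Name: krbtgt/domain.local
Additional Information:
    Result Code: 0x6
"""
```

Running `correlate([parse_event(SAMPLE_4625)], [parse_event(SAMPLE_4768)])` yields one pair: the node reports Sub Status 0xc0000064 (no such user) for a logon that lsass.exe itself started through Schannel, and the DC reports that the certificate subject CN=sqlInstanceName could not be mapped to any principal (result code 0x6). That pairing is the evidence that the failures are one PKINIT exchange rather than a password-guessing attempt, which is why the next step in the thread was to look at which process on the node was presenting the certificate.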