我们在sql故障转移群集中运行了两个
Windows 2008 R2 SP1服务器.在其中一个上,我们每隔30秒就会在安全日志中收到以下事件.空白的部分实际上是空白的.有没有人见过类似的问题,或协助追查这些事件的原因?没有其他事件日志显示我可以告诉的任何相关内容.
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 10/17/2012 10:02:04 PM Event ID: 4625 Task Category: logon Level: Information Keywords: Audit Failure User: N/A Computer: SERVERNAME.domainname.local Description: An account Failed to log on. Subject: Security ID: SYSTEM Account Name: SERVERNAME$ Account Domain: DOMAINNAME logon ID: 0x3e7 logon Type: 3 Account For Which logon Failed: Security ID: NULL SID Account Name: Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x238 Caller Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: SERVERNAME Source Network Address: - Source Port: - Detailed Authentication Information: logon Process: Schannel Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0
在上述每个事件之后的第二个事件
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 10/17/2012 10:02:04 PM Event ID: 4625 Task Category: logon Level: Information Keywords: Audit Failure User: N/A Computer: SERVERNAME.domainname.local Description: An account Failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - logon ID: 0x0 logon Type: 3 Account For Which logon Failed: Security ID: NULL SID Account Name: Account Domain: Failure Information: Failure Reason: An Error occured during logon. Status: 0xc000006d Sub Status: 0x80090325 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: logon Process: Schannel Authentication Package: Microsoft Unified Security Protocol Provider Transited Services: - Package Name (NTLM only): - Key Length: 0
编辑更新:我有更多信息要添加.我在这台机器上安装了网络监视器并为Kerberos流量做了一个过滤器,发现以下内容对应于安全审核日志中的时间戳.
Kerberos AS_Request Cname:CN = sqlInstanceName Realm:domain.local Sname krbtgt / domain.local
来自DC的答复:KRB_ERROR:KDC_ERR_C_PRINCIPAL_UNKOWN
然后,我检查了响应的DC的安全审核日志,发现以下内容:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: X509N:<S>CN=sqlInstanceName
Supplied Realm Name: domain.local
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain.local
Service ID: NULL SID
Network Information:
Client Address: ::ffff:10.240.42.101
Client Port: 58207
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
所以似乎与安装在sql机器上的证书有关,仍然没有任何线索为什么或所述证书有什么问题.它没有过期等.
我使用Microsoft网络监视器来查找导致此问题的流量,并在此sql服务器和我们的AD2服务器之间找到流量. sql服务器正在为sql实例名称的计算机帐户发送Kerberos AS_REQ. AD服务器将以KDC_ERR_C_PRINCIPAL_UNKNOWN响应.我查看了AD2服务器上的安全日志,发现了如下的失败审核:
原文链接:https://www.f2er.com/windows/366896.htmlA Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: X509N:<S>CN=sqlInstanceName
Supplied Realm Name: domain.local
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain.local
Service ID: NULL SID
这似乎是一些证书请求.然后,我使用了SysInternals Process Monitor,发现来自具有相同时间戳的自定义服务的流量.它正在查询所有证书商店而没有找到任何东西.
禁用此服务将停止安全事件.
