We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we get the following event in the Security log every 30 seconds. The blank parts really are blank. Has anyone seen a similar problem, or can anyone help track down the cause of these events? No other event log shows anything related, as far as I can tell.
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       SERVERNAME$
    Account Domain:     DOMAINNAME
    Logon ID:           0x3e7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc0000064

Process Information:
    Caller Process ID:  0x238
    Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
The second event, which follows each of the events above:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/17/2012 10:02:04 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SERVERNAME.domainname.local
Description:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0xc000006d
    Sub Status:         0x80090325

Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Schannel
    Authentication Package: Microsoft Unified Security Protocol Provider
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
Edit/update: I have more information to add. I installed Network Monitor on this machine, set up a filter for Kerberos traffic, and found the following, which corresponds to the timestamps in the security audit log.
Kerberos AS_Request  Cname: CN=sqlInstanceName  Realm: domain.local  Sname: krbtgt/domain.local
Reply from the DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN
I then checked the security audit log on the DC that responded and found the following:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       X509N:<S>CN=sqlInstanceName
    Supplied Realm Name: domain.local
    User ID:            NULL SID

Service Information:
    Service Name:       krbtgt/domain.local
    Service ID:         NULL SID

Network Information:
    Client Address:     ::ffff:10.240.42.101
    Client Port:        58207

Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
So it seems related to a certificate installed on the SQL machine, but I still have no clue why, or what is wrong with said certificate. It has not expired, etc.
I used Microsoft Network Monitor to find the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server was sending a Kerberos AS_REQ for the computer account of the SQL instance name. The AD server responded with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found a failure audit like the following:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       X509N:<S>CN=sqlInstanceName
    Supplied Realm Name: domain.local
    User ID:            NULL SID

Service Information:
    Service Name:       krbtgt/domain.local
    Service ID:         NULL SID
This looked like some kind of certificate request. I then used SysInternals Process Monitor and found activity from a custom service with the same timestamp. It was querying all the certificate stores without finding anything.
Disabling this service stopped the security events.
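As an added example (not part of the question or the answer above), the following PowerShell script is the triage a defender would run on the cluster node that logs these events before touching any service: it unpacks recent 4625 events by field name, keeps only the Schannel-initiated failures, breaks them down by Status/Sub Status, measures the cadence between them, and lists every certificate in the machine stores whose subject CN matches the name seen in the AS_REQ. The `$InstanceName` value, the one-hour window and running it elevated are assumptions; the sub-status meanings in the comments are the documented NTSTATUS/SSPI codes, not something taken from the thread.

```powershell
# Added triage example; not code from the original thread.
# Assumes an elevated session on the node that logs the 4625 events.
$InstanceName = 'sqlInstanceName'          # placeholder: the CN seen in the Kerberos AS_REQ
$Since        = (Get-Date).AddHours(-1)    # assumption: look at the last hour only

# Pull recent 4625 (logon failure) events and unpack EventData into named fields
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            LogonProc  = $d['LogonProcessName']
            AuthPkg    = $d['AuthenticationPackageName']
            Status     = $d['Status']
            SubStatus  = $d['SubStatus']
            CallerPid  = $d['ProcessId']
            CallerExe  = $d['ProcessName']
            TargetUser = $d['TargetUserName']
        }
    }

# Only the Schannel-initiated failures matter here (certificate-based logon attempts)
$schannel = $events | Where-Object { $_.LogonProc -eq 'Schannel' }
"Schannel 4625 events in window: {0}" -f @($schannel).Count

# 1. Breakdown by Status/Sub Status.
#    0xC0000064 = STATUS_NO_SUCH_USER (the cert's subject maps to no account)
#    0x80090325 = SEC_E_UNTRUSTED_ROOT (the chain does not end in a trusted root)
$schannel | Group-Object Status, SubStatus, AuthPkg |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Cadence: median gap between consecutive events (the question reports ~30 s);
#    a steady interval points at a scheduled or looping caller rather than a user.
$times = @($schannel | Sort-Object Time | Select-Object -ExpandProperty Time)
if ($times.Count -gt 1) {
    $gaps   = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
    $sorted = @($gaps | Sort-Object)
    "Median gap between Schannel 4625 events: {0:N1} s" -f $sorted[[int]($sorted.Count / 2)]
}

# 3. Which certificates in the machine stores carry that CN, where they live,
#    when they expire and what EKUs they have (client auth is what a logon would need).
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Subject -like "*CN=$InstanceName*" } |
    Select-Object PSParentPath, Subject, NotAfter, Thumbprint,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } } |
    Format-List
```

The cert listing is what connects the two halves of the thread: a 4625 with logon process Schannel and sub-status 0xC0000064, paired with a 4768 on the DC whose account name is `X509N:<S>CN=...` and result code 0x6, means some local caller presented a certificate and the KDC found no account to map its subject to. Knowing which store holds such a certificate, and which process loads it, is the evidence to collect before disabling anything.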