Channel: Directory Services forum

Null SID, Unknown user name or bad password & Event ID 4625


We are experiencing multiple (30 or so a day at intervals) logon failure alerts for a particular server, but no user name is listed. Looking at this server, we can find no service account not using the proper credentials, cached credentials or scheduled tasks that are running. We will get 8 or 9 alerts at once, then nothing for an hour or so followed by the same alerts. Really having a hard time running this issue down and fixing it.   I've included what logs I could gather from our domain controller and from the reported server below.  Just as an FYI, the initial email alert comes from our SolarWinds LEM.  Thanks!

INITIAL EMAIL ALERT

logon failure "\" at 2016-09-15 12:49:40.0 from Server1 on DC Server1.DOMAIN.LOCAL

Lockout Reason:  unknown user name or bad password.

SECURITY EVENT LOG FROM <DomainController> (EVENT ID 4768)

A Kerberos authentication ticket (TGT) was requested.

Account Information:
 Account Name:  X509N:<S>CN=Server1WebClient
 Supplied Realm Name: DOMAIN.LOCAL
 User ID:   NULL SID

Service Information:
 Service Name:  krbtgt/DOMAIN.LOCAL
 Service ID:  NULL SID

Network Information:
 Client Address:  ::ffff:<x.x.x.50>
 Client Port:  56842

Additional Information:
 Ticket Options:  0x40810010
 Result Code:  0x6
 Ticket Encryption Type: 0xffffffff
 Pre-Authentication Type: -

Certificate Information:
 Certificate Issuer Name:  
 Certificate Serial Number: 
 Certificate Thumbprint:  

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

SECURITY EVENT LOG FROM Server1 (EVENT ID 4625)

An account failed to log on.

Subject:
 Security ID:  SYSTEM
 Account Name:  Server1$
 Account Domain:  Domain
 Logon ID:  0x3e7

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  
 Account Domain:  

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc0000064

Process Information:
 Caller Process ID: 0x264
 Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
 Workstation Name: Server1
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  Schannel
 Authentication Package: Kerberos
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Limiting Dynamic RPC Ports


Hello!  Regarding the dynamic RPC port range, what is the recommended/safe RPC port range to use with hardware firewalls for workstations and servers?  And how can I ensure that I am not exhausting the port range?

We have a department that is behind a hardware firewall that is managed by our security team.  The security team has opened up the firewall for things that use dedicated ports like SMB (port 445), RPC EndPoint Mapper (port 135), etc from our management server.  However, they have only opened a limited set of ports in the dynamic RPC range: 1024-1123 (99 ports) and 49152-49161 (9 ports).  With this configuration, when I attempt to run the Group Policy RSoP from our W2K8r2 management server against a remote Windows XP computer, I get a failure.  The security team was willing to add an exception for the single port that was blocked (port 1282) and this allowed RSoP to work for one round.  However, when I later tried to gather another set of RSoP data, it got blocked again on port 1477.

I’ve been told by the security team that they will not open the firewall to allow the entire dynamic ranges (1025-5000 and 49152-65535).  They have suggested that I limit the number of RPC ports that are used on the workstation.  However, I haven’t been able to find any good resources on what a “safe” dynamic RPC range is, since I’ve read that it depends on what services are run.  I’d like to avoid potential problems in the future with the workstations, so any advice would be appreciated.  Alternatively, if restricting the dynamic RPC port range is not realistic/practical, please let me know if you have any resources that I can cite.

Thanks!
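An added example, not from the post or from Microsoft: a PowerShell 3+ script (run elevated on the host whose RPC ports are to be restricted) that pins RPC dynamic allocation to one small range through the HKLM\SOFTWARE\Microsoft\Rpc\Internet key Microsoft documents for firewall scenarios, and a check that counts how much of that range is already bound so the range can be sized before the firewall rule is written. The range 50000-50499 is an assumption. The key only governs RPC servers that let the endpoint mapper allocate their port (DCOM/WMI, which the RSoP query goes through, included), it needs a reboot to take effect, and services with a fixed port configured elsewhere are unaffected. On the Windows XP targets in the post the same three values can be applied with reg.exe or a .reg file; the netsh command at the end exists only on Vista/2008 and later, while XP and 2003 keep 1025-5000 as their general ephemeral range.

```powershell
# Added example (not from the post). Pin RPC dynamic ports to one small range
# and report how much of it is in use. Run elevated; reboot for RPC to pick it up.
$RpcStart = 50000   # assumed range start
$RpcCount = 500     # assumed size; widen it if Get-RpcRangeUsage shows it nearly full
$RpcEnd   = $RpcStart + $RpcCount - 1

function Set-RpcInternetPorts {
    param([int]$Start, [int]$End)
    # Documented key for RPC behind firewalls (KB154596): RPC servers that let the
    # endpoint mapper allocate their port (DCOM/WMI included) draw from "Ports".
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Get-RpcRangeUsage {
    param([int]$Start, [int]$End)
    # Parse netstat rather than Get-NetTCPConnection so it also runs on XP/2003/2008 R2
    $bound = netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s') { [int]$Matches[2] }
    } | Where-Object { $_ -ge $Start -and $_ -le $End } | Sort-Object -Unique
    $size = $End - $Start + 1
    [pscustomobject]@{
        Range       = "$Start-$End"
        Size        = $size
        InUse       = @($bound).Count
        PercentUsed = [math]::Round(100 * @($bound).Count / $size, 1)
    }
}

Set-RpcInternetPorts -Start $RpcStart -End $RpcEnd
Get-RpcRangeUsage    -Start $RpcStart -End $RpcEnd

# Vista/2008 and later only: also move the OS-wide ephemeral range so non-RPC
# sockets land in the same window (XP/2003 ignore this and use 1025-5000).
# netsh int ipv4 set dynamicport tcp start=$RpcStart num=$RpcCount
```

Run Get-RpcRangeUsage on a busy day before settling on the size; a range that reports well above half in use will eventually produce exactly the intermittent failures the post describes, since an RPC server that cannot get a port in the range fails to register rather than falling back to the full range.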

I need to rename 500 users' logon names and sAMAccountNames in the domain


Hi,

I need to rename 500 users' logon names and sAMAccountNames in the domain. I think a script could read the old data and then change it to the new user logon name and sAMAccountName, which will be available in a CSV file. Column A is the old user logon, column B is the new user logon and column C is the new sAMAccountName.

Thanks

Ariel
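An added example, not from the post: a PowerShell script using the ActiveDirectory module that does the bulk rename from a CSV. The column headers OldLogon, NewLogon and NewSam are an assumption standing in for the post's columns A, B and C (current sAMAccountName, new userPrincipalName, new sAMAccountName). It validates the new sAMAccountName, refuses to create duplicates, supports -WhatIf, and emits one result object per row so the run can be logged.

```powershell
# Added example (not from the post): rename sAMAccountName and UPN for users listed
# in a CSV. Assumed header: OldLogon,NewLogon,NewSam (the post's columns A, B, C),
# where OldLogon is the current sAMAccountName and NewLogon the new userPrincipalName.
Import-Module ActiveDirectory

function Rename-AdLogonNames {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $old    = $row.OldLogon.Trim()
        $newUpn = $row.NewLogon.Trim()
        $newSam = $row.NewSam.Trim()
        $r = [ordered]@{ Old = $old; NewSam = $newSam; NewUpn = $newUpn; Status = '' }

        # sAMAccountName: at most 20 characters, none of the characters AD rejects
        if ($newSam.Length -gt 20 -or $newSam -match '["/\\\[\]:;|=,+*?<>@]') {
            $r.Status = 'invalid new sAMAccountName'; [pscustomobject]$r; continue
        }
        $user = Get-ADUser -Filter "sAMAccountName -eq '$old'" -Properties userPrincipalName
        if (-not $user) { $r.Status = 'old logon not found'; [pscustomobject]$r; continue }

        # uniqueness: nobody else may already hold the new sAMAccountName or UPN
        $clash = @(Get-ADUser -Filter "sAMAccountName -eq '$newSam' -or userPrincipalName -eq '$newUpn'") |
                 Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
        if ($clash) { $r.Status = "conflicts with $($clash.SamAccountName -join ',')"; [pscustomobject]$r; continue }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "set sAMAccountName=$newSam UPN=$newUpn")) {
            Set-ADUser -Identity $user -SamAccountName $newSam -UserPrincipalName $newUpn
            $r.Status = 'renamed'
        } else {
            $r.Status = 'skipped'
        }
        [pscustomobject]$r
    }
}

# Dry run first, then apply and keep the log:
# Rename-AdLogonNames -CsvPath .\renames.csv -WhatIf
# Rename-AdLogonNames -CsvPath .\renames.csv | Export-Csv .\rename-log.csv -NoTypeInformation
```

Renaming these two attributes does not touch the object's CN, display name, home folder or profile path, and already logged-on users keep their sessions; they simply have to use the new name at their next logon. Anything that authenticates with a stored credential under the old name (scheduled tasks, mapped drives, service accounts) will start failing after the rename, so check for those before running it against all 500.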


Remote desktop session logged off immediately after login


Hi,

All users are logged off immediately after login; even Administrator cannot log in through RDP.

So every day in the morning I restart the server and it works.

This is a terminal server.

Windows server 2008 r2.


Thanks, Manish

AD Replication Corruption


We have an environment with 3 active directory controllers. In the event that one of the controllers goes down while AD is replicating/synchronizing, is it possible that it can corrupt the other remaining controllers or is the process smart enough not to commit the changes due to not being complete?

TIA

Issue EFS certificate for user account from windows 2008 R2 Domain Controllers


Hi,

I have two domain controllers, on one of which I have installed Active Directory Certificate Services. Now one of the users has requested an Encrypting File System (EFS) certificate for their account. Can anyone please let me know how to configure that?

Also, is it possible to install the Active Directory Certificate Services role on the second Domain Controller as an Enterprise Root CA as well?

Please clarify.


Hide disabled users from GAL

Hi all,

I have a list of disabled users in Exchange as well as in AD.

They are still appearing in the GAL.

I need to know how to hide them from the GAL.

Regards, 
Thads

tfernandes
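An added example, not from the post: a PowerShell function (ActiveDirectory module) that finds disabled, mail-enabled users and sets msExchHideFromAddressLists, the AD attribute that Set-Mailbox -HiddenFromAddressListsEnabled $true writes. Doing it in AD covers accounts the Exchange cmdlets may no longer see cleanly and works from any machine with RSAT. The search base defaults to the whole domain; it supports -WhatIf.

```powershell
# Added example (not from the post): hide disabled, mail-enabled users from the
# GAL by setting msExchHideFromAddressLists in AD (the attribute behind
# Set-Mailbox -HiddenFromAddressListsEnabled $true). Supports -WhatIf.
Import-Module ActiveDirectory

function Hide-DisabledUsersFromGal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # disabled (userAccountControl bit 2), has a mail address, not hidden yet
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
            '(mail=*)(!(msExchHideFromAddressLists=TRUE)))'
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter $ldap -Properties mail, msExchHideFromAddressLists

    foreach ($u in $users) {
        $done = $false
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'set msExchHideFromAddressLists=TRUE')) {
            Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $true }
            $done = $true
        }
        [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.mail; Hidden = $done }
    }
}

# Hide-DisabledUsersFromGal -WhatIf         # list who would change
# Hide-DisabledUsersFromGal | Format-Table  # apply
```

Outlook in cached mode shows the Offline Address Book, not the live GAL, so hidden users keep appearing there until the next OAB generation and download; the online (OWA) address list reflects the change as soon as AD has replicated it.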

Web Application Proxy EdgeAccessCookie And Non-claims-aware Web App timeout = Max 1 hour


Hi. I'm having a timeout issue with a non-claims-aware web app. I installed this fix (https://support.microsoft.com/en-us/kb/3020773) and can now set PersistentAccessCookieExpirationTimeSec to 36000 seconds (10h), but the session expires after 1 hour. I can see in the Chrome cookie manager that the cookie is set to 1 hour.

You cannot set anything on the web app in ADFS since this is a non-claims-aware relying party trust, so there is no token lifetime. If you guys have any idea how to set the edge cookie to more than 1 hour, that would be great. By the way, I can decrease it to less than 1 hour and it works, but I cannot go beyond one hour.



Kerberos Authentication Service


Hi

Recently I noticed in the event viewer that I am receiving this message from all Active Directory servers, even though the user is not logging in to that server. BTW, this is my admin user and I am able to use it on any of our servers.

It sounds strange to me that my server is receiving this alert from all my AD servers.

Kerberos pre-authentication failed.


Account Information:
Security ID: DOMAIN\Admin
Account Name: Admin

Service Information:
Service Name: krbtgt/DOMAIN

Network Information:
Client Address:::1
Client Port: 0

Additional Information:
Ticket Options:0x40810010
Failure Code: 0x18
Pre-Authentication Type:2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
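An added example, not from either post: a PowerShell 3+ function that pulls the two KDC failure events shown on this page from a domain controller's Security log and groups them by account and client address, so a repeating source stands out. In the "Null SID" post the DC logs 4768 with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for an account named X509N:<S>CN=Server1WebClient: that name form is how Schannel asks the KDC to map a TLS client certificate's subject to an account, the KDC found no such principal, which is why both the 4768 and Server1's 4625 (logon process Schannel, sub-status 0xc0000064, STATUS_NO_SUCH_USER) carry NULL SID and an empty account. In the post above, 4771 with failure code 0x18 (KDC_ERR_PREAUTH_FAILED) and client address ::1 means the bad-password request originated on the DC itself, on every DC that logs it, so something running on each DC with that admin account's old credential (a scheduled task, service, or saved connection) is the usual place to look. The computer name and time window are parameters; nothing else is assumed.

```powershell
# Added example (not from either post): summarize Kerberos KDC failures on a DC.
# 4768 Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (first post: X509N:<S>CN=... / NULL SID)
# 4771 Status 0x18 = KDC_ERR_PREAUTH_FAILED     (second post: wrong password for Admin)
function Get-KerberosFailureSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # run against a DC
        [int]$Hours = 24,
        [string[]]$Codes = @('0x6', '0x18')
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Codes -notcontains $d['Status']) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Status     = $d['Status']
            Account    = $d['TargetUserName']
            Client     = ($d['IpAddress'] -replace '^::ffff:', '')     # strip IPv4-mapped prefix
            CertMapped = [bool]($d['TargetUserName'] -like 'X509N:*')  # Schannel client-cert mapping
            Loopback   = ($d['IpAddress'] -eq '::1' -or $d['IpAddress'] -eq '127.0.0.1')
        }
    }

    $rows | Group-Object EventId, Status, Account, Client | ForEach-Object {
        [pscustomobject]@{
            Count      = $_.Count
            EventId    = $_.Group[0].EventId
            Status     = $_.Group[0].Status
            Account    = $_.Group[0].Account
            Client     = $_.Group[0].Client
            CertMapped = $_.Group[0].CertMapped
            Loopback   = $_.Group[0].Loopback
            First      = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last       = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Get-KerberosFailureSummary -ComputerName DC01 -Hours 48 | Format-Table -AutoSize
```

Run it against each DC rather than once, because 4768/4771 are logged only on the KDC that handled the request. For the certificate-mapped case the Client column is the host whose Schannel service made the mapping request (Server1 in the first post); the TLS peer that presented the certificate is visible only in that host's own Schannel or application logs.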


The default NetBIOS domain name 'SERVERNAME20' was selected due to name conflict...


Hi.

Good Day.

We have a Windows 2008 R2 with Active Directory installed in our office. I created a secondary domain server, a new domain in an existing forest. I used "SERVERNAME2" as the single-label DNS name of the child domain. One day, we decided to pull out the "SERVERNAME2" unit for other purposes.

I installed a new Windows 2008 R2 on another machine and created it as a new domain in an existing forest. The problem: I want to use the same name "SERVERNAME2" as the single-label DNS name, but the Active Directory Domain Services Installation Wizard pops up with the message "The default NetBIOS domain name "SERVERNAME20" was selected due to name conflicts on the network."

Please help. I want to use the same single-label DNS name.

Thank you.

JollandC
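An added example, not from the post: a PowerShell function (ActiveDirectory module, run on a DC or a machine with RSAT) that checks the two things the wizard trips over before the name is reused. If the old child domain was taken offline without being demoted, the forest still holds its crossRef under CN=Partitions and its NetBIOS name stays claimed; a stale DNS or NetBIOS answer for the single-label name is the other conflict source. The function reports both. The sample name SERVERNAME2 is the post's.

```powershell
# Added example (not from the post): check whether a single-label domain name is still
# claimed in the forest (crossRef under CN=Partitions) or answered in DNS before
# re-running the AD DS installation wizard. Run on a DC or with the RSAT AD module.
Import-Module ActiveDirectory

function Test-DomainNameAvailable {
    param([Parameter(Mandatory = $true)][string]$Name)   # e.g. SERVERNAME2

    $partitions = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
    # domain crossRefs carry FLAG_CR_NTDS_DOMAIN (systemFlags bit 0x2)
    $domains = Get-ADObject -SearchBase $partitions -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' `
        -Properties nETBIOSName, dnsRoot, nCName
    $claimed = @($domains | Where-Object { $_.nETBIOSName -eq $Name -or $_.dnsRoot -eq $Name })

    # a live host or stale record answering the single-label name is a conflict too
    $dns = @()
    try { $dns = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) } catch { }

    [pscustomobject]@{
        Name           = $Name
        ForestCrossRef = ($claimed | ForEach-Object { $_.nCName }) -join ';'
        DnsAnswers     = $dns -join ','
        Available      = ($claimed.Count -eq 0 -and $dns.Count -eq 0)
    }
}

# Test-DomainNameAvailable -Name SERVERNAME2
```

A non-empty ForestCrossRef means the old domain was never removed from the forest; it has to be cleaned out with ntdsutil's metadata cleanup (remove selected domain) once no DC for it exists, after which the NetBIOS name becomes reusable. Separately, Microsoft recommends against single-label DNS domain names because Windows DNS clients treat single labels as NetBIOS/search-suffix lookups rather than FQDNs, so this is a reasonable moment to pick a two-label name for the rebuilt child domain.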




Old Certificates Appear as Default in the Address Book


First off, I originally posted this question in an Exchange forum and received a reply from the moderator that leads me to think this might be an Active Directory issue.

Second, I am not an AD administrator.  When I have posed this question to our AD administrator, I have gotten the brush off.  I am posting this message in the hopes of receiving some objective opinions.

Finally, I am not trying to solve an existing technical issue.  I am simply trying to collect more information so that I can gain a better understanding of email encryption issues.

Recently, I have seen three cases where a user was having email encryption problems, and in all three cases the issue was caused by an expired default certificate in the address book.  In all three cases:

  • The user had one valid certificate listed in AD.
  • I opened MMC on the client machine and added the Certificates snap-in, and found only one certificate installed on the machine, and it matched the certificate listed in AD.
  • I looked up the user in the address book, did a right-click > Add to Contacts > Certificates button on the ribbon, and found that the default certificate listed for the user was expired.

In one case, the default certificate listed in the address book expired in 2012.  If that expired certificate is not in AD, and it's not installed on the client machine, then where is it coming from?  It has to be coming from somewhere. 

Is it possible that AD is holding on to old certificate information in a location that is not visible through ADUC?  If so, is it possible to clear out old certificate information?

Thanks in advance for any help that you can offer!

--Tom
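An added example, not from the post: a PowerShell function (ActiveDirectory module, .NET X509 classes) that lists every certificate AD publishes for a user. AD keeps them in two attributes: userCertificate, which is what ADUC's Published Certificates tab displays, and userSMIMECertificate, a PKCS#7 blob written by Outlook's "Publish to GAL" that ADUC does not show and that Outlook reads when it builds a contact from the address book. Listing both, with expiry and the e-mail protection EKU, is the check to run before concluding the old certificate is not in AD. The sample user name is a placeholder.

```powershell
# Added example (not from the post): inventory every certificate AD publishes for a
# user, from userCertificate (what ADUC's Published Certificates tab shows) and from
# userSMIMECertificate (a PKCS#7 blob that Outlook also reads from the GAL and that
# ADUC does not display), flagging expired ones.
Import-Module ActiveDirectory

function Get-AdUserCertificateInventory {
    param([Parameter(Mandatory = $true)][string]$Identity)   # sAMAccountName or DN
    $u = Get-ADUser -Identity $Identity -Properties userCertificate, userSMIMECertificate
    $found = @()

    foreach ($blob in @($u.userCertificate | Where-Object { $_ })) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        $found += [pscustomobject]@{ Source = 'userCertificate'; Cert = $c }
    }
    foreach ($blob in @($u.userSMIMECertificate | Where-Object { $_ })) {
        $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        try   { $col.Import([byte[]]$blob) }      # PKCS#7 may hold more than one cert
        catch { Write-Warning "userSMIMECertificate value on $Identity is not a parseable PKCS#7 blob"; continue }
        foreach ($c in $col) { $found += [pscustomobject]@{ Source = 'userSMIMECertificate'; Cert = $c } }
    }

    $now = Get-Date
    foreach ($f in $found) {
        $eku = @($f.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
                 ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        [pscustomobject]@{
            Source     = $f.Source
            Subject    = $f.Cert.Subject
            NotAfter   = $f.Cert.NotAfter
            Expired    = ($f.Cert.NotAfter -lt $now)
            EmailEku   = ($eku -contains '1.3.6.1.5.5.7.3.4')   # id-kp-emailProtection
            Thumbprint = $f.Cert.Thumbprint
        }
    }
}

# Get-AdUserCertificateInventory -Identity tjones | Sort-Object NotAfter | Format-Table -AutoSize
```

If the expired certificate turns up under userSMIMECertificate, the clean fix is to clear that attribute (Set-ADUser -Identity tjones -Clear userSMIMECertificate) and have the user publish again from Outlook's Trust Center (E-mail Security, Publish to GAL), which rewrites it with the current certificate. If neither attribute holds it, the stale copy is on the client side: Outlook's "Add to Contacts" produces a contact that keeps its own certificate list, and an old contact created years ago will carry the certificate that was valid then.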

Problems Changing Domain Password


Hello Everyone,

I am experiencing a strange issue that I have spent the last month trying to fix. I've gotten fairly far with it but now I've hit a roadblock. Any time someone on the domain changes a password, they get an error "The security database on the server does not have a computer account for this workstation trust relationship.". Below are steps I've taken to try to rectify the problem and the results.

1. There was a conflicting Group policy that I removed from Group Policy.

2. Checked and removed update KB3126593 from servers and workstations.

3. Installed update KB3140410 which was supposed to fix the problem.

4. Removed and rejoined the domain.

5. Removed Duplicated SPN's from network. After I did that, I was able to change my password and was able to change password on several workstations.

Now, I'm having the same issue with the same error but when I reboot the computer, I am able to change the password but as the computer is on for a day and I try to change my password, I get the "The security database on the server does not have a computer account for this workstation trust relationship." I'm not sure that this would be an AD issue but I'm not sure where to put it in the forums.

Any help would be greatly appreciated.

Mike


Mike Conley

Event ID: 5719 using 2 network adapters (different IPs)


Hi Technet.

We have an L3 security environment where I have to connect a Server 2003 to a second network in order for me to start the migration process to a new host (VMware services on a separate network).

This is a SQL 2000 server running Server 2003 R2 Ent. (migrating to Server 2008 R2 / SQL 2012).

Our services network is on a x.x.234.x (inc domain controller x.x.234.50)

Our production network is x.x.235.x (primary for that server) the firewall routes to DNS server on the .234 network.

subnet 255.255.255.128 (both) 

In order for me to start the migration I need the 2003 server connected on the services network .234.

I have disabled "Register this connection's addresses in DNS" on the .234 adapter.

But within 32 hours we get an authentication failure.

Event Type:     Error
Event Source:   NETLOGON
Event Category: None
Event ID:       5719
Date:           8/30/2016
Time:           8:53:46 PM
User:           N/A
Computer:       servername
Description:
This computer was not able to set up a secure session with a domain controller in domain domain due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 5e 00 00 c0

If we remove the .234 network, the system works fine.

We have another server, e.g. "orical", running with the same configuration that is working fine with the 2 network adapters on the .235 and .234 networks.

Any ideas will be appreciated.

TX


DNS forwarding


Hi,

I am new to this DNS field.

We, from the ABC.com domain, are forwarding to another company's domain, XYZ.com. We have hooked up to their DNS server meant for our company with limited defined forwards, using XYZ-defined network connectivity. This forwarding is based on domain and not individual URL.

Now, we want to access some sites of int.XYZ.com over the internet, but my forwarder is forwarding all the traffic to XYZ.com through its defined connectivity and not searching the open internet.

Is there a possibility of placing some exception rule on this forwarder so that int.XYZ.com is accessed over the internet?

Thanks.
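An added example, not from the post: a PowerShell function (DnsServer module, Windows Server 2012 or later or RSAT) that adds a conditional forwarder for the more specific name. Windows DNS chooses the conditional forwarder whose zone name is the longest match for the query, so a forwarder for int.XYZ.com pointing at public resolvers takes precedence over the existing XYZ.com forwarder for everything under int.XYZ.com, while the rest of XYZ.com keeps going to the partner's servers. The resolver addresses are assumptions; the DNS server must be allowed to reach them on port 53, which the XYZ-defined connectivity in the post may not permit. A dnscmd equivalent for Windows Server 2008 R2 is given at the end.

```powershell
# Added example (not from the post): add a conditional forwarder for int.XYZ.com
# that points at public resolvers. Windows DNS picks the conditional forwarder whose
# name is the longest match for the query, so int.XYZ.com goes to these servers while
# everything else under XYZ.com keeps using the partner's servers. Resolver addresses
# are assumptions. Needs the DnsServer module (Windows Server 2012 or later / RSAT).
Import-Module DnsServer

function Add-MoreSpecificForwarder {
    param(
        [Parameter(Mandatory = $true)][string]$ZoneName,         # e.g. int.xyz.com
        [Parameter(Mandatory = $true)][string[]]$MasterServers,  # resolvers reachable on UDP/TCP 53
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidateSet('Forest', 'Domain', 'Legacy')][string]$ReplicationScope = 'Forest'
    )
    $existing = Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName -ErrorAction SilentlyContinue
    if ($existing) {
        throw "$ZoneName already exists on $ComputerName as $($existing.ZoneType); edit that zone instead"
    }
    Add-DnsServerConditionalForwarder -ComputerName $ComputerName -Name $ZoneName `
        -MasterServers $MasterServers -ReplicationScope $ReplicationScope
    # show the result and confirm a name under the zone now resolves through the new path
    Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName | Select-Object ZoneName, ZoneType, MasterServers
    Resolve-DnsName -Name "www.$ZoneName" -Server $ComputerName -ErrorAction SilentlyContinue
}

# Add-MoreSpecificForwarder -ZoneName 'int.xyz.com' -MasterServers '8.8.8.8', '8.8.4.4'

# Windows Server 2008 R2 (no DnsServer module), local non-replicated equivalent:
# dnscmd /ZoneAdd int.xyz.com /Forwarder 8.8.8.8 8.8.4.4
```

This only helps if int.XYZ.com is actually published on the public internet; if the partner serves it from internal DNS only, public resolvers will return NXDOMAIN and the right fix is to ask them to add the internet-facing records, not to change the forwarder. Clear the server's resolver cache (Clear-DnsServerCache, or dnscmd /clearcache) after adding the zone so answers cached via the old path do not mask the change.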

AD Subnets


Hi! I want to use AD subnets for automatic movement of computers to the right OU, and I need to set an additional subnet attribute for synchronization with the monitoring system, for instance the attribute "AdminDisplayName".



Now I need to write that attribute for more than 200 subnets. It would be great if I could use PowerShell, but PowerShell didn't show me that attribute. I tried to use ADSI and Get-ADObject:

ADSI:

Get-ADObject:

Does someone know how it can be done with PowerShell?
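An added example, not from the post: two PowerShell functions (ActiveDirectory module) that read and bulk-set adminDisplayName on the subnet objects under CN=Subnets,CN=Sites in the configuration partition. The attribute is present on every AD object but is not in the default property set Get-ADObject returns, which is why it appeared to be missing; it has to be requested with -Properties. The CSV header Subnet,AdminDisplayName is an assumption (Subnet being the CIDR string that is the object's CN, e.g. 10.20.30.0/24).

```powershell
# Added example (not from the post): read and bulk-set adminDisplayName on AD subnet
# objects. Get-ADObject only returns a default property set, which is why the attribute
# looked absent; it has to be named in -Properties. CSV header assumed: Subnet,AdminDisplayName
# (e.g. 10.20.30.0/24,Building A).
Import-Module ActiveDirectory

$SubnetsBase = 'CN=Subnets,CN=Sites,' + (Get-ADRootDSE).configurationNamingContext

function Get-AdSubnetTags {
    Get-ADObject -SearchBase $SubnetsBase -SearchScope OneLevel -LDAPFilter '(objectClass=subnet)' `
                 -Properties adminDisplayName, siteObject, location |
        Select-Object Name, adminDisplayName, location,
            @{ n = 'Site'; e = { (($_.siteObject -split ',')[0]) -replace '^CN=', '' } }
}

function Set-AdSubnetTags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = $row.Subnet.Trim()
        # cn holds the CIDR; "/" needs no escaping in an LDAP filter (parentheses and * would)
        $obj = Get-ADObject -SearchBase $SubnetsBase -SearchScope OneLevel `
                   -LDAPFilter "(&(objectClass=subnet)(cn=$name))" -Properties adminDisplayName
        if (-not $obj) { Write-Warning "subnet $name not found"; continue }

        $value = $row.AdminDisplayName.Trim()
        if ($obj.adminDisplayName -eq $value) { continue }   # nothing to do

        if ($PSCmdlet.ShouldProcess($name, "adminDisplayName '$($obj.adminDisplayName)' -> '$value'")) {
            if ($value) { Set-ADObject -Identity $obj -Replace @{ adminDisplayName = $value } }
            else        { Set-ADObject -Identity $obj -Clear adminDisplayName }
        }
    }
}

# Get-AdSubnetTags | Format-Table -AutoSize
# Set-AdSubnetTags -CsvPath .\subnet-tags.csv -WhatIf
# Set-AdSubnetTags -CsvPath .\subnet-tags.csv
```

Subnet objects live in the configuration partition, so writing them needs rights there (Enterprise Admins by default, or an explicit delegation on CN=Subnets), and the change reaches other domains' DCs through configuration replication rather than domain replication. If the monitoring system only needs a free-text label, the built-in location attribute (the "Location" field in Sites and Services) is an alternative that the GUI already exposes.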



Change Username Displayed at Logon from sAMAccountName to userPrincipalName / Email


Hi,

This is related to WebsitePanel, but I guess the configuration changes are in AD for this issue, so I hope you can help me out...

In WebsitePanel, when a Username Format is configured with OrgID, when creating an AD user, it creates it with '_domain.com' (the domain of that organization). So for example, if I have an organization/customer called ABC, with the domain 'abc.com', when I create a user called Avi, it will create it as 'Avi_abc.com'

That's not critical, as the user logon is configured with his email/userPrincipalName (with UPN Suffix), so it uses email and password to login to AD.

My problem is that when the user logs on to his computer (or a server), the username displayed on the screen is the sAMAccountName, which is 'DOMAIN\Avi_abc.com' (see attached screenshot), and I would like it to display the email address / userPrincipalName, which is 'Avi@abc.com'.

Is it possible to change/configure in Active Directory?

Thanks!

Domain users unable to change password with Net User


My environment is predominantly Server 2008 R2. I have application admins that are unable to use net user to change their own passwords from an elevated command line. I have checked their permissions and they have both Reset and Change permissions on their user object.

Using "net user [username] * /domain" they still get access denied, it works if I give them full control. Is there a permission I am missing aside from Change and Reset? I feel like I am missing something very silly here.

Edit: Password Policy is as follows:

Enforce Password History 24

Maximum Password Age 60

Minimum Password Age 1

Minimum password length 14

Password must meet complexity requirements Enabled

Store Passwords using reversible encryption Disabled

No FGPP


Only allow Admins Read permissions in ADUC

Is there a way to give administrators who are not members of the Domain Admins Group read only permissions to all OUs in ADUC?

How to query users activity in the domain

Hi,

I would like to know if there is a way to query users' logon and logout activity.

For example:

Can I see when and which users were logged in to the domain, on which client, and for how long they were connected until they logged out?

Thanks,

Hadar

Replacing AD server after failure


We have two sites, one with two DCs (working fine) and the other with only one DC.  The single-DC site had a server failure and we have lost all of our virtual servers (including the DC).  All DCs are 2008 R2.

I am happy to rebuild the domain controller, ideally I would give it the same name as the original.  If I just recreate a new server, with the same name and IP will this cause me a problem?  AD will not be aware that I have lost these servers.  Not sure if I need to remove the DC from AD and then start again - my concern with this would be that I would be removing the only DC in the site, even temporarily and am not sure the system would allow me?

Many thanks for your advice

