System account logon fails every 30 seconds

We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we get the following event in the security log every 30 seconds. The blank parts are actually blank. Has anyone seen a similar issue, or can anyone help track down the cause of these events? No other event log shows anything related, as far as I can tell.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/17/2012 10:02:04 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SERVERNAME.domainname.local
    Description:
    An account failed to log on.
    Subject:
        Security ID:    SYSTEM
        Account Name:   SERVERNAME$
        Account Domain: DOMAINNAME
        Logon ID:       0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID:    NULL SID
        Account Name:
        Account Domain:
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status:         0xc000006d
        Sub Status:     0xc0000064
    Process Information:
        Caller Process ID:   0x238
        Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
        Workstation Name:       SERVERNAME
        Source Network Address: -
        Source Port:            -
    Detailed Authentication Information:
        Logon Process:            Schannel
        Authentication Package:   Kerberos
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0

The second event, which follows each of the events above:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          10/17/2012 10:02:04 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SERVERNAME.domainname.local
    Description:
    An account failed to log on.
    Subject:
        Security ID:    NULL SID
        Account Name:   -
        Account Domain: -
        Logon ID:       0x0
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID:    NULL SID
        Account Name:
        Account Domain:
    Failure Information:
        Failure Reason: An Error occured during Logon.
        Status:         0xc000006d
        Sub Status:     0x80090325
    Process Information:
        Caller Process ID:   0x0
        Caller Process Name: -
    Network Information:
        Workstation Name:       -
        Source Network Address: -
        Source Port:            -
    Detailed Authentication Information:
        Logon Process:            Schannel
        Authentication Package:   Microsoft Unified Security Protocol Provider
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0

EDIT/UPDATE: I have more information to add. I installed Network Monitor on this machine, filtered for Kerberos traffic, and found the following, which corresponds to the timestamps in the security audit log.

    Kerberos AS_Request  Cname: CN=SQLInstanceName  Realm: domain.local  Sname: krbtgt/domain.local

The DC replies:

    KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKNOWN

I then checked the security audit log on the DC that responded and found the following:

    A Kerberos authentication ticket (TGT) was requested.
    Account Information:
        Account Name:        X509N:<S>CN=SQLInstanceName
        Supplied Realm Name: domain.local
        User ID:             NULL SID
    Service Information:
        Service Name: krbtgt/domain.local
        Service ID:   NULL SID
    Network Information:
        Client Address: ::ffff:10.240.42.101
        Client Port:    58207
    Additional Information:
        Ticket Options:          0x40810010
        Result Code:             0x6
        Ticket Encryption Type:  0xffffffff
        Pre-Authentication Type: -
    Certificate Information:
        Certificate Issuer Name:
        Certificate Serial Number:
        Certificate Thumbprint:

So it appears to be related to a certificate installed on the SQL machine, but I still have no clue which certificate is causing it or what is wrong with it. It is not expired, etc.

I used Microsoft Network Monitor to find the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server is sending a Kerberos AS_REQ for the computer account of the SQL instance name. The AD server responds with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found the following failure audit:

    A Kerberos authentication ticket (TGT) was requested.
    Account Information:
        Account Name:        X509N:<S>CN=SQLInstanceName
        Supplied Realm Name: domain.local
        User ID:             NULL SID
    Service Information:
        Service Name: krbtgt/domain.local
        Service ID:   NULL SID

This appears to be some kind of certificate request. I then used SysInternals Process Monitor and found activity from a custom service with the same timestamps. It queries all of the certificate stores and finds nothing.

Disabling this service stops the security events.
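The two audit patterns quoted in this thread (the Schannel/Kerberos 4625 pair on the cluster node, and the 4768 with an `X509N:<S>CN=...` account name and Result Code 0x6 on the DC) can be pulled out of the Security log and correlated without a network trace. The following PowerShell is an added example written for this page, not code from the poster; it assumes it is run elevated on the cluster node, that the DC is reachable by the placeholder name `DC01`, and that the built-in EventData field names (`LogonProcessName`, `AuthenticationPackageName`, `TargetUserName`, `Status`, `SubStatus`, `ProcessName`) are read via the event XML.

```powershell
# Added example (not from the original post): triage the Schannel 4625 pair on the
# SQL node and the matching 4768 TGT failures on the DC. 'DC01' is a placeholder.
$since = (Get-Date).AddHours(-1)

# Return an event's EventData fields as a hashtable (Name -> text value).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Local node: 4625 failures whose Logon Process is Schannel (certificate-based logon).
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonProcessName -eq 'Schannel') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SubjectUser = $d.SubjectUserName          # SERVERNAME$ in the first event
                AuthPackage = $d.AuthenticationPackageName # Kerberos, then the Unified SSP
                Status      = $d.Status                   # 0xc000006d in both events
                SubStatus   = $d.SubStatus                # 0xc0000064 / 0x80090325
                CallerExe   = $d.ProcessName              # lsass.exe: hides the real caller
            }
        }
    }
$failures | Format-Table -AutoSize

# 2. Cadence check: a fixed interval (30 s in the post) points at a retry loop in one
#    process, not at a user. Because the caller is lsass.exe, Process Monitor (as in the
#    answer) is still needed to name the service behind it.
$times = $failures | Where-Object { $_.AuthPackage -eq 'Kerberos' } |
    Sort-Object Time | Select-Object -ExpandProperty Time
if ($times.Count -gt 1) {
    $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
    $gaps | Measure-Object -Average -Minimum -Maximum | Format-List Average, Minimum, Maximum
}

# 3. DC side: 4768 requests where the client identified itself by certificate subject
#    (X509N:<S>CN=...) and the KDC answered 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): no account
#    in the domain maps to that certificate.
Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -like 'X509N:*' -and $d.Status -eq '0x6') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d.TargetUserName   # the certificate subject, e.g. CN=SQLInstanceName
                Client  = $d.IpAddress        # the node sending the AS_REQ
                Result  = $d.Status
            }
        }
    } | Format-Table -AutoSize
```

Step 3 is the quickest way to confirm the post's diagnosis on any other cluster node: a 4768 whose account name is an `X509N:` subject with Result Code 0x6 means something on the client is presenting a certificate whose subject does not map to a domain account, and the client address in that event tells you which host to run Process Monitor on.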