AD user account auth failure (x50) every 10 minutes - Security Audit Log Error 4625

Posted by linuxknight@reddit | sysadmin

I've got a weird one. I've searched and found other people with somewhat similar problems but haven't been able to pinpoint the exact problem completely. Basically I have a handful of domain-joined laptop hybrid users that work in and outside of the office. When outside the office they are VPN'ing in to a SonicWall via NetExtender. I've narrowed it down to the moment they connect remotely and the Virtual Ethernet Adapter comes up client-side, completing the VPN tunnel. At this point and every 10 minutes thereafter their user accounts are getting exactly 50 Security Audit Account Login Failures as follows:

```
An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       DOMAINCONTROLLERNAME$
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Logon Type: 3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       USERNAME
    Account Domain:     DOMAIN

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A

Process Information:
    Caller Process ID:      0x368
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:       DOMAINCONTROLLERNAME
    Source Network Address: GATE.WAY.IP.ADDRESS
    Source Port:            38540

Detailed Authentication Information:
    Logon Process:              Advapi
    Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
```

This will generate exactly 50 successive attempt failures in the Event Viewer EVERY 10 minutes while on the VPN. Once they come back to the office, it goes away, but the users often find their accounts locked out. I know this is likely something stupid. I'm sure I could adjust the thresholds for lockout values, but I'd love to understand the problem. Anyone?

Admittedly I've spent entirely too much time on this today for funsies when I should have been building out a client's PBX, but I really didn't want to do the latter today anyway.
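A triage aid for the pattern described in the post, added here as an example and not part of the original post: it parses 4625 message text in the layout shown above and groups failures into bursts per target account and source address, so the burst size and the spacing between bursts can be read off directly. The function names, the `(timestamp, message)` input shape, and the sample timestamps are assumptions; the sample event is constructed from the fields in the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values seen in the post's event (standard Windows codes).
NTSTATUS = {"0xC000006D": "STATUS_LOGON_FAILURE",
            "0xC000006A": "STATUS_WRONG_PASSWORD"}

def parse_4625(message):
    """Map (section, field) -> value for one 4625 message body."""
    fields, section = {}, None
    for line in message.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not value.strip():
            section = name            # header line, e.g. "Network Information:"
        elif sep and section:
            fields[(section, name.strip())] = value.strip()
    return fields

def find_bursts(events, max_gap=timedelta(seconds=30)):
    """Group failures per (account, source, sub status) into bursts.

    events: iterable of (datetime, message text).
    Returns {key: [(burst_start, failure_count), ...]}."""
    stamps = defaultdict(list)
    for ts, message in events:
        f = parse_4625(message)
        code = f["Failure Information", "Sub Status"]
        key = (f["Account For Which Logon Failed", "Account Name"],
               f["Network Information", "Source Network Address"],
               NTSTATUS.get(code, code))
        stamps[key].append(ts)
    bursts = {}
    for key, times in stamps.items():
        times.sort()
        groups = [[times[0]]]
        for ts in times[1:]:
            # A gap longer than max_gap starts a new burst.
            if ts - groups[-1][-1] <= max_gap:
                groups[-1].append(ts)
            else:
                groups.append([ts])
        bursts[key] = [(g[0], len(g)) for g in groups]
    return bursts

# Constructed sample: the post's event trimmed to the fields used here.
SAMPLE = """An account failed to log on.
Subject:
    Account Name:       DOMAINCONTROLLERNAME$
Account For Which Logon Failed:
    Account Name:       USERNAME
Failure Information:
    Status:         0xC000006D
    Sub Status:     0xC000006A
Network Information:
    Source Network Address: GATE.WAY.IP.ADDRESS
"""
START = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
EVENTS = [(START + timedelta(minutes=10 * b, milliseconds=100 * i), SAMPLE)
          for b in range(3) for i in range(50)]
```

Calling `find_bursts(EVENTS)` on the constructed data returns one key with three bursts of 50 failures whose start times are 10 minutes apart; on real exports, more than one key or uneven burst sizes would point to more than one source of failed logons.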