AD user account auth failure (x50) every 10 minutes - Security Audit Log Error 4625
Posted by linuxknight@reddit | sysadmin | 2 comments
I've got a weird one. I've searched and found other people with somewhat similar problems but haven't been able to pinpoint the exact problem completely. Basically, I have a handful of domain-joined laptop hybrid users that work in and outside of the office. When outside the office they are VPN'ing in to a SonicWall via NetExtender. I've narrowed it down to the moment they connect remotely and the Virtual Ethernet Adapter comes up client side, completing the VPN tunnel. At this point, and every 10 minutes thereafter, their user accounts are getting exactly 50 Security Audit Account Login Failures as follows:
An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       DOMAINCONTROLLERNAME$
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       USERNAME
    Account Domain:     DOMAIN

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A

Process Information:
    Caller Process ID:  0x368
    Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   DOMAINCONTROLLERNAME
    Source Network Address: GATE.WAY.IP.ADDRESS
    Source Port:        38540

Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
This will generate exactly 50 successive attempt failures in the Event Viewer EVERY 10 minutes while on the VPN. Once they come back to the office, it goes away, but the users often find their accounts locked out. I know this is likely something stupid, and I'm sure I could adjust the thresholds for lockout values, but I'd love to understand the problem. Anyone?
Admittedly I've spent entirely too much time on this today for funsies when I should have been building out a client's PBX, but I really didn't want to do the latter today anyway.
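An added example, not code from the original post, that pulls event 4625 from the domain controller's Security log, buckets the failures into 10-minute windows per account and source address, and compares each burst to the domain lockout threshold. In the event above, Logon Process "Advapi" with Logon Type 3, the DC's own name as Workstation Name and the gateway as Source Network Address is the signature left by an LDAP bind against the DC from that address, so the script keeps those columns in the output. It assumes an elevated session on (or with rights to) the DC and the RSAT ActiveDirectory module for the threshold lookup; the function names, the 10-minute window, the address 203.0.113.1 and the sample records are this example's own.

```powershell
# Added example (not from the original post): correlate 4625 failures into
# per-account, per-source 10-minute windows and flag bursts that reach the
# domain lockout threshold. Function names and sample data are assumptions.

function Get-FailedLogonRecords {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches; treat that as "no records"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered message is localised; EventData carries stable field names
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                if ($node.Name) { $data[$node.Name] = $node.'#text' }
            }
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                TargetUser   = $data['TargetUserName']
                TargetDomain = $data['TargetDomainName']
                SourceIp     = $data['IpAddress']
                Workstation  = $data['WorkstationName']
                LogonType    = $data['LogonType']
                LogonProcess = $data['LogonProcessName']
                Status       = $data['Status']
                SubStatus    = $data['SubStatus']
            }
        }
}

function Group-FailedLogonBursts {
    param(
        [object[]]$Records,
        [int]$WindowMinutes = 10
    )
    # Only SubStatus 0xC000006A (wrong password) counts toward lockout;
    # 0xC0000064 (no such user) is noise for this purpose.
    $Records |
        Where-Object { $_.SubStatus -eq '0xC000006A' } |
        Group-Object -Property {
            $t = $_.TimeCreated
            $window = $t.AddMinutes(-($t.Minute % $WindowMinutes)).AddSeconds(-$t.Second)
            '{0}|{1}|{2}' -f $_.TargetUser, $_.SourceIp, $window.ToString('yyyy-MM-dd HH:mm')
        } |
        ForEach-Object {
            $user, $ip, $window = $_.Name -split '\|'
            [pscustomobject]@{
                Window       = $window
                User         = $user
                SourceIp     = $ip
                Workstation  = (($_.Group.Workstation  | Sort-Object -Unique) -join ',')
                LogonProcess = (($_.Group.LogonProcess | Sort-Object -Unique) -join ',')
                Failures     = $_.Count
            }
        } |
        Sort-Object Window, User
}

function Get-LockoutThreshold {
    # 0 means account lockout is disabled in the default domain policy
    try   { (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).LockoutThreshold }
    catch { Write-Warning "Could not read the domain password policy: $_"; 0 }
}

function Test-LockoutRisk {
    param([object[]]$Bursts, [int]$LockoutThreshold)
    foreach ($b in $Bursts) {
        $locks = ($LockoutThreshold -gt 0) -and ($b.Failures -ge $LockoutThreshold)
        $b | Add-Member -NotePropertyName LocksOut -NotePropertyValue $locks -PassThru
    }
}

# --- usage ---
$records = @(Get-FailedLogonRecords -Hours 24)
if ($records.Count -eq 0) {
    # Constructed sample so the analysis runs offline: two bursts of 50 bad-password
    # failures for one account from the gateway address, 10 minutes apart.
    $base = Get-Date '2024-01-01 09:00:00'
    $records = foreach ($i in 1..100) {
        $offset = [math]::Floor(($i - 1) / 50) * 10   # 0 for the first 50, 10 for the rest
        [pscustomobject]@{
            TimeCreated = $base.AddMinutes($offset).AddSeconds($i % 50)
            TargetUser = 'USERNAME'; TargetDomain = 'DOMAIN'; SourceIp = '203.0.113.1'
            Workstation = 'DOMAINCONTROLLERNAME'; LogonType = '3'; LogonProcess = 'Advapi'
            Status = '0xC000006D'; SubStatus = '0xC000006A'
        }
    }
}

$threshold = Get-LockoutThreshold
Test-LockoutRisk -Bursts (Group-FailedLogonBursts -Records $records) -LockoutThreshold $threshold |
    Format-Table Window, User, SourceIp, Workstation, LogonProcess, Failures, LocksOut -AutoSize
```

With the constructed sample the table shows two windows (09:00 and 09:10) of 50 failures each for USERNAME from 203.0.113.1, with LocksOut true whenever the threshold is 50 or lower. On a live DC, a user covered by a fine-grained password policy should be checked with Get-ADUserResultantPasswordPolicy rather than the default domain policy, and a burst whose Workstation column is the DC itself with Logon Process Advapi points at a device binding to LDAP from SourceIp rather than at the user's laptop.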
lynsix@reddit
Had something similar before. It ended up being a system trying to connect to a printer shared from a server. I’ve also seen SMB shares do similar.
linuxknight@reddit (OP)
I think I found the issue; I believe it was the wrong domain\username on the imported LDAP users in the SonicWall. The auth errors seemed to compound and stack over time? Very bizarre.