
We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them, we are receiving the following event in the Security log every 30 seconds. The blank parts really are blank. Has anyone seen a similar problem, or can anyone help track down the cause of these events? As far as I can tell, no other event log shows anything related.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/17/2012 10:02:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain: DOMAINNAME
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x238
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: SERVERNAME
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Each of the events above is followed by this second event:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/17/2012 10:02:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x80090325
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Edit/Update: I have some more information to add. I installed Network Monitor on this machine, filtered on Kerberos traffic, and found the following, which corresponds to the timestamps in the security audit log.
Kerberos AS_Request Cname:CN=SQLInstanceName Realm:domain.local Sname krbtgt/domain.local
DC reply: KRB_ERROR:KDC_ERR_C_PRINCIPAL_UNKNOWN
I then checked the security audit log on the DC that responded and found the following:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: X509N:<S>CN=SQLInstanceName
Supplied Realm Name: domain.local
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain.local
Service ID: NULL SID
Network Information:
Client Address: ::ffff:10.240.42.101
Client Port: 58207
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
So it appears to be related to a certificate installed on the SQL machine, but I still don't know which certificate it is or what is wrong with it. Nothing is expired or the like.
Answer 1
I used Microsoft Network Monitor to look for the traffic causing this and found traffic between this SQL server and our AD2 server. The SQL server was sending a Kerberos AS_REQ for the computer account of the SQL instance name. The AD server would respond with KDC_ERR_C_PRINCIPAL_UNKNOWN. I looked at the security log on the AD2 server and found failure audits like the following:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: X509N:<S>CN=SQLInstanceName
Supplied Realm Name: domain.local
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain.local
Service ID: NULL SID
This appeared to be some kind of certificate request. I then used SysInternals Process Monitor and found traffic from a custom service with the same timestamps. It was querying all the certificate stores but not finding anything.
Disabling this service stopped the security events.
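As an added example that is not part of the question or the answer: a small Python triage script that applies the signature from the events quoted in the question (Schannel logon process, empty NULL SID target account, the two sub-status codes shown) to exported 4625 text, and measures the spacing between hits, which is what exposes the periodic caller that the answer traced to a custom service. The sample events, the `---` separator between them and the reduced field set are constructed for this example.

```python
import statistics
from datetime import datetime

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}

# Constructed sample in the question's exported layout, trimmed to the fields used here:
# the question's two events 30 s apart, then an unrelated NTLM failure that must not match.
TEMPLATE = """\
Date: {date}
Event ID: 4625
Account For Which Logon Failed:
Security ID: {sid}
Account Name: {name}
Failure Information:
Sub Status: {sub}
Detailed Authentication Information:
Logon Process: {proc}"""
SAMPLE_LOG = "\n---\n".join([
    TEMPLATE.format(date="10/17/2012 10:02:04 PM", sid="NULL SID", name="", sub="0xc0000064", proc="Schannel"),
    TEMPLATE.format(date="10/17/2012 10:02:34 PM", sid="NULL SID", name="", sub="0x80090325", proc="Schannel"),
    TEMPLATE.format(date="10/17/2012 10:02:40 PM", sid="S-1-5-21-1-2-3-1001", name="svc_backup",
                    sub="0xc000006a", proc="NtLmSsp"),
])
def parse_events(text):
    """Parse exported event text into dicts keyed 'Section/Field' (target SID stays distinct from Subject SID)."""
    events = []
    for block in text.split("\n---\n"):
        event, section = {}, ""
        for line in block.splitlines():
            key, _, value = (part.strip() for part in line.partition(":"))
            if key in SECTIONS and not value:
                section = key                      # bare 'Subject:'-style header line
            elif key:
                event[f"{section}/{key}" if section else key] = value
        events.append(event)
    return events

def is_schannel_cert_failure(e):
    """The signature from the question: Schannel 4625, empty NULL SID target, the two sub-statuses seen."""
    t = "Account For Which Logon Failed/"
    return (e.get("Event ID") == "4625" and e.get(t + "Security ID") == "NULL SID"
            and e.get(t + "Account Name") == ""
            and e.get("Detailed Authentication Information/Logon Process") == "Schannel"
            and e.get("Failure Information/Sub Status", "").lower() in {"0xc0000064", "0x80090325"})
def median_gap_seconds(events):
    """Median spacing of matching events; a steady value (30 s here) points at a scheduled caller, not a user."""
    times = sorted(datetime.strptime(e["Date"], "%m/%d/%Y %I:%M:%S %p")
                   for e in events if is_schannel_cert_failure(e))
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None
```

On a real export, run the same two functions over the full Security log text and compare the median gap with the interval of any service or scheduled task that touches certificate stores.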