Temos dois servidores Windows 2008 R2 SP1 em execução em um cluster de failover do SQL. Em um deles, estamos obtendo os seguintes eventos no log de segurança a cada 30 segundos . As partes que estão em branco estão realmente em branco. Alguém viu problemas semelhantes ou ajuda a rastrear a causa desses eventos? Nenhum outro registro de evento mostra algo relevante que eu possa dizer.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/17/2012 10:02:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVERNAME$
Account Domain: DOMAINNAME
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x238
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: SERVERNAME
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Segundo evento que segue cada um dos eventos acima
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/17/2012 10:02:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVERNAME.domainname.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x80090325
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
EDITAR ATUALIZAÇÃO: eu tenho um pouco mais de informação para adicionar. Eu instalei o Network Monitor nesta máquina e fiz um filtro para o tráfego do Kerberos e encontrei o seguinte, que corresponde aos timestamps no log de auditoria de segurança.
Um Kerberos AS_Request Nome: CN = SQLInstanceName Reino: domínio.local Sname krbtgt / domain.local
Responder da DC: KRB_ERROR: KDC_ERR_C_PRINCIPAL_UNKOWN
Em seguida, verifiquei os registros de auditoria de segurança do DC que responderam e encontrei o seguinte:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: X509N:<S>CN=SQLInstanceName
Supplied Realm Name: domain.local
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain.local
Service ID: NULL SID
Network Information:
Client Address: ::ffff:10.240.42.101
Client Port: 58207
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Portanto, parece estar relacionado a um certificado instalado na máquina SQL, ainda não tem qualquer idéia do porquê ou o que está errado com o referido certificado. Não está expirado, etc.