
I have an issue with event ID 4625. Hope you can help me to fix it. I have a Hyper-V cluster with 6 hosts (2016). On several of my hosts, every day I find the alert "Security-Event ID: 4625". Sometimes the "Source Network Address:" is one of my nodes, and sometimes null.

Example:

Problem started at 19:30:14 on 2021.10.16
Problem name: Event ID4625 alert - Logon Failure
Severity: High
Operational data: An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090308
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: X.X.X.X (IP address of one of the nodes from the cluster)
Source Port: 54096
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

BR Aleksei


1 Answer


A null SID may occur when the username specified in a logon attempt does not correspond to a valid account.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

Greg Askew
  • Greg, thank you for your answer. But I don't understand what the reason is that NODE003 is trying to log in to NODE002. – Aleksei Oct 17 '21 at 12:19
  • The source was a process or application on that other node. You would need to review the data on that node to determine which process. – Greg Askew Oct 17 '21 at 13:12
  • I would suggest my PowerShell script https://github.com/djdomi/Windows-Dos-Batch-Powershell/blob/master/log_security_failed_logon.ps1 if you want a mail about this – djdomi Oct 17 '21 at 17:57
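As an added example (not code from the thread or from djdomi's script), a PowerShell query that pulls the 4625 events with the shape shown in the question (SID S-1-0-0, Logon Type 3, NTLM) from one cluster node and summarises them by source address and status code, so the node and failure status behind the alert stand out before chasing the originating process on the other side. The -ComputerName parameter assumes remote Security log access from the account running it.

```powershell
# Added example: summarise 4625 "null SID" network logon failures on a node.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: remote event-log access is permitted
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Output "No 4625 events on $ComputerName in the last $Hours hours."; return }

$rows = foreach ($e in $events) {
    # Every field of a 4625 event is an <EventData><Data Name="..."> node in the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        TargetUserSid = $d.TargetUserSid
        TargetUser    = $d.TargetUserName
        LogonType     = $d.LogonType
        AuthPackage   = $d.AuthenticationPackageName
        Status        = $d.Status
        SubStatus     = $d.SubStatus
        IpAddress     = $d.IpAddress
        IpPort        = $d.IpPort
        Workstation   = $d.WorkstationName
    }
}

# Keep only the pattern from the question: null SID, network logon (type 3), NTLM package.
$nullSid = $rows | Where-Object {
    $_.TargetUserSid -eq 'S-1-0-0' -and $_.LogonType -eq '3' -and $_.AuthPackage -eq 'NTLM'
}

# One line per (source address, status code) with first/last seen, so a single noisy node stands out.
$nullSid |
    Group-Object IpAddress, Status |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='IpAddress, Status'; e={$_.Name}},
                  @{n='FirstSeen'; e={($_.Group | Measure-Object Time -Minimum).Minimum}},
                  @{n='LastSeen';  e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
    Format-Table -AutoSize
```

The Status values it prints (0x80090308 in the question) can be looked up on the event 4625 encyclopedia page linked in the answer.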