Bad Hyper-V username logon attempt - Cluster Computer Account

Anthony Green 21 Reputation points
2023-06-02T02:13:06.42+00:00

We are getting some Errors in the Event Logs on our Windows Failover Clusters.

We have two Clusters, one Server 2016 (two nodes) and the other Server 2019 (three nodes). This Event happens on Hosts in both clusters.

4625 Microsoft-Windows-Security-Auditing Event Description: An account failed to log on. Failure Reason: Unknown user name or bad password. Account Name: Cluster$ Account Domain: domain.local

The Account Name is the Computer account for the Cluster, which I don't recall ever setting a password for (I think it's created automatically when setting up the Failover Cluster.)

The cluster seems to be running OK, so I'm not sure if this is a problem that I need to be concerned about.

Though the Red errors in our monitoring dashboards really annoy our CEO/CIO.

I seem to recall that account being created automatically during the Failover Cluster set-up (around four years ago), and that the password was auto-generated.

Should I be updating the password? If so, can I do it without breaking the cluster?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,207 questions
Hyper-V
Hyper-V
A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,560 questions
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Justin King 5 Reputation points
    2023-10-18T11:41:55.8933333+00:00

    Hi Anthony!

    I had this exact problem and came across your post. I have followed this article to repair the permissions on the computer objects in AD that get created when you set up the cluster. It seems to have solved my issues!

    It was very fast to do so hopefully in your produciton environment the downtime is minimal but you do have to take the cluster reqources offline in order to do the repair.

    In my case I had to do this on the cluster name and the 2 server names associated with the 2 roles I had in the cluster.

    You must right click the server name and choose offline. Then you are able to right click again and choose More Actions > Repair

    Once you click Repair it happens fast. Less than a second then the resource gets automatically started again.

    Good luck, hope this help you.

    Justin

    1 person found this answer helpful.
  2. Limitless Technology 43,966 Reputation points
    2023-06-02T12:31:48.2766667+00:00

    Hello Anthony,

    Thank you for your question and for reaching out with your question today.

    This article may shed some light on the solution for you by helping you to interpret the error message:

    https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4625

    I would not change the password without fully assessing the possible impact. If you do decide to change it, you should ensure it's out of hours with minimal potential impact to business.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

    0 comments
  3. Limitless Technology 43,966 Reputation points
    2023-06-02T12:32:11.17+00:00

    Double post

    0 comments
  4. Limitless Technology 43,966 Reputation points
    2023-06-02T12:32:36.2+00:00

    Hello Anthony,

    Thank you for your question and for reaching out with your question today.

    This article may shed some light on the solution for you by helping you to interpret the error message:

    https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4625

    I would not change the password without fully assessing the possible impact. If you do decide to change it, you should ensure it's out of hours with minimal potential impact to business.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

    0 comments
  5. Anthony Green 21 Reputation points
    2023-06-05T00:14:26.2733333+00:00

    Thanks for the response.

    I'm not sure how to assess the impact of the password change. I don't know what it will do or where to find that information. That was kind of why I was posting here for help :)

    In case this helps, here is the full Event details:

    Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/06/2023 12:17:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      server1.domain.local
Description:
An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		Server1$	(<-- Computer account for Cluster Node)
	Account Domain:		DOMAIN
	Logon ID:		0x3E7

Logon Type:			8

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Cluster$	(<-- Computer account for Failover Cluster)
	Account Domain:		domain.local

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x2930
	Caller Process Name:	C:\Windows\Cluster\rhs.exe

Network Information:
	Workstation Name:	Server1
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi  
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0