Bad Hyper-V username logon attempt - Cluster Computer Account

Anthony Green 21 Reputation points
2023-06-02T02:13:06.42+00:00

We are getting some Errors in the Event Logs on our Windows Failover Clusters.

We have two Clusters, one Server 2016 (two nodes) and the other Server 2019 (three nodes). This Event happens on Hosts in both clusters.

4625 Microsoft-Windows-Security-Auditing
Event Description: An account failed to log on.
Failure Reason: Unknown user name or bad password.
Account Name: Cluster$
Account Domain: domain.local

The Account Name is the Computer account for the Cluster, which I don't recall ever setting a password for (I think it's created automatically when setting up the Failover Cluster.)

The cluster seems to be running OK, so I'm not sure if this is a problem that I need to be concerned about.

Though the Red errors in our monitoring dashboards really annoy our CEO/CIO.

I seem to recall that account being created automatically during the Failover Cluster set-up (around four years ago), and that the password was auto-generated.

Should I be updating the password? If so, can I do it without breaking the cluster?


5 answers

  1. Justin King 5 Reputation points
    2023-10-18T11:41:55.8933333+00:00

    Hi Anthony!

    I had this exact problem and came across your post. I have followed this article to repair the permissions on the computer objects in AD that get created when you set up the cluster. It seems to have solved my issues!

    It was very fast to do, so hopefully in your production environment the downtime is minimal, but you do have to take the cluster resources offline in order to do the repair.

    In my case I had to do this on the cluster name and the 2 server names associated with the 2 roles I had in the cluster.

    You must right-click the server name and choose offline. Then you are able to right-click again and choose More Actions > Repair.

    Once you click Repair it happens fast. Less than a second then the resource gets automatically started again.

    Good luck, hope this helps you.

    Justin

    1 person found this answer helpful.

  2. Limitless Technology 44,096 Reputation points
    2023-06-02T12:31:48.2766667+00:00

    Hello Anthony,

    Thank you for your question and for reaching out with your question today.

    This article may shed some light on the solution for you by helping you to interpret the error message:

    https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4625

    I would not change the password without fully assessing the possible impact. If you do decide to change it, you should ensure it's out of hours with minimal potential impact to business.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

  3. Anthony Green 21 Reputation points
    2023-06-05T00:14:26.2733333+00:00

    Thanks for the response.

    I'm not sure how to assess the impact of the password change. I don't know what it will do or where to find that information. That was kind of why I was posting here for help :)

    In case this helps, here are the full Event details:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/06/2023 12:17:58 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      server1.domain.local
    Description:
    An account failed to log on.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		Server1$	(<-- Computer account for Cluster Node)
    	Account Domain:		DOMAIN
    	Logon ID:		0x3E7
    
    Logon Type:			8
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		Cluster$	(<-- Computer account for Failover Cluster)
    	Account Domain:		domain.local
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xC000006D
    	Sub Status:		0xC000006A
    
    Process Information:
    	Caller Process ID:	0x2930
    	Caller Process Name:	C:\Windows\Cluster\rhs.exe
    
    Network Information:
    	Workstation Name:	Server1
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		Advapi  
    	Authentication Package:	Negotiate
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
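
One way to see which caller process, subject account and sub-status are behind these 4625 failures is to summarize them from the Security log. This is an added example, not code from the thread or from Microsoft. It assumes the standard 4625 EventData field names; `Cluster$` is the account name from the event above, and the `$TargetAccount` and `$Days` parameters are hypothetical names.

```powershell
# Added example. Run elevated on each cluster node (the Security log needs admin rights).
# 'Cluster$' is the account from the event in this thread; pass your own cluster account name.
param([string]$TargetAccount = 'Cluster$', [int]$Days = 7)

# Subset of the NTSTATUS codes documented for event 4625.
$StatusText = @{
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000006a' = 'User name correct, password wrong'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}
# Subset of the logon types documented for event 4625.
$LogonTypeText = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                    '8' = 'NetworkCleartext'; '10' = 'RemoteInteractive' }

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the EventData fields by name from the event XML.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $TargetAccount) { return }   # not the account of interest
    $sub  = "$($data['SubStatus'])"
    $type = "$($data['LogonType'])"
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Caller    = $data['ProcessName']        # e.g. C:\Windows\Cluster\rhs.exe
        Subject   = $data['SubjectUserName']    # account that attempted the logon
        SourceIp  = $data['IpAddress']          # '-' for locally originated attempts
        LogonType = "$type ($($LogonTypeText[$type]))"
        SubStatus = "$sub ($($StatusText[$sub]))"
    }
}

# One row per distinct caller/subject/type/sub-status/source, busiest first.
$rows | Group-Object Caller, Subject, LogonType, SubStatus, SourceIp |
    Sort-Object Count -Descending |
    ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Count = $_.Count; FirstSeen = $g[0].Time; LastSeen = $g[-1].Time
            Caller = $g[0].Caller; Subject = $g[0].Subject; SourceIp = $g[0].SourceIp
            LogonType = $g[0].LogonType; SubStatus = $g[0].SubStatus
        }
    } | Format-Table -AutoSize -Wrap
```

Rows where the caller is `rhs.exe` and the source address is `-` match the locally generated event posted above; a different caller or a remote source address for the same account is worth investigating separately.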