Error occurred during logon status 0xC00002EE

TheITRunningMan 1 Reputation point
2022-02-24T19:21:30.237+00:00

I'm seeing some strange behavior of one of our (known) accounts showing up in security logs on a server we have. The error (pasted below) says that there's a logon failure with a NULL Security ID. We can't tell where the logon is coming from, other than it appears to be on the system itself. There don't seem to be any scheduled tasks running under the user in question.

Any ideas would be greatly appreciated.

Here's the event:

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <redacted>
Account Domain: <redacted>

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC00002EE
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Windows Server 2012

2 answers

  1. Limitless Technology 44,326 Reputation points
    2022-02-28T13:30:23.833+00:00

    Hello @TheITRunningMan

    I would recommend the next article for more information, and specifically the Logon Type. The logon type 3 is a Network Logon, usually related to shared storage authentication, remote execution, or Network Service.

    Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    In this case, I would recommend looking into the Account Name (in this case redacted) to see if it may be a service or built-in account that may be configured for some system service (such as NT AUTHORITY\SYSTEM or NETWORK SERVICE), so then it will be required to review the status of the service and dependencies; or, in the case of a local or domain user account, the guideline for IT security is to lock out the account in case the system administrator is not sure of the logon attempt, or contacting the user and repairing the machine(s) from where it is connecting.

    Hope this helps with your query,

    --
    --If the reply is helpful, please Upvote and Accept as answer--


  2. TheITRunningMan 1 Reputation point
    2022-02-28T16:44:06.58+00:00

    The problem appears to have been with the version of NTLM. I had NTLMv1 enabled for compatibility with some older SAMBA servers. After requiring NTLMv2, the errors ceased.

    0 comments No comments
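
One way to triage the events discussed in this thread, as an added example that is not part of the original posts: it flattens Event 4625 XML into the fields shown in the question and groups failures with status 0xC00002EE by account, logon type, authentication package and source, so any occurrence that does carry a source address or caller process stands out. The function name `ConvertFrom-LogonFailureXml` and the sample event (account `svc-example`, domain `EXAMPLE`, timestamp) are constructed for illustration.

```powershell
# Added example: flatten one 4625 event (as XML) into the fields shown in the question.
function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = [string]$d.InnerText
    }
    [pscustomobject]@{
        Time        = $doc.Event.System.TimeCreated.SystemTime
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Status      = ([string]$data['Status']).ToLower()
        SubStatus   = ([string]$data['SubStatus']).ToLower()
        AuthPackage = $data['AuthenticationPackageName']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        Process     = $data['ProcessName']
    }
}

# Constructed sample mirroring the event in the question (values are placeholders).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2022-02-24T19:00:00.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">svc-example</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc00002ee</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

$rows = @(ConvertFrom-LogonFailureXml -Xml $sample)
# On a live server, read the Security log instead of the sample:
# $rows = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-LogonFailureXml -Xml $_.ToXml() }

# Group the 0xC00002EE failures; a row whose Source is not '-' points at the origin.
$rows | Where-Object Status -eq '0xc00002ee' |
    Group-Object Account, LogonType, AuthPackage, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```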
