Failed login attempts of virtual name object on primary cluster node.

MarcovantVeld-8972 1 Reputation point
2022-08-25T07:30:06.377+00:00

One of our customers has noticed a decent amount of Windows security log entries where the Virtual Computer Object of a SQL Availability Group tries to log on to the primary node but the attempt fails (Event ID 4625, logon type 8).
This doesn't occur every day, but when it does, it's during out-of-office hours.
Nothing seems to be broken, failover is still possible. But it is a recurring event.

Things we tried and checked:

  • The CNO has full control rights on all the VCOs.
  • In Failover Cluster Manager, when performing a Simulate Failure on a resource, the events do not appear for several days.
  • Other resources that did not receive this workaround still show up in the security event log.
  • We see this behaviour on multiple clusters, not just for this specific customer.
  • Password rotation of the VCOs is still in effect.

What could be causing this issue?
Am I missing something?
Is this a bug perhaps?

The server is running Windows Server 2016 (version 1607)
with SQL Server 2017 (version 14.0.3445.2).


4 answers

  1. PandaPan-MSFT 1,901 Reputation points
    2022-08-26T05:40:08.433+00:00

    Hi @MarcovantVeld-8972
    Now that the error doesn’t occur all the time, it’s really hard to define what kind of problem it is. So my suggestion is that you may try to upgrade to the newest patch (2017).details.aspx
    If it still doesn’t work, you may start a phone call case so that you can ask a professional engineer for help, and they will deal with your problem separately and confidentially by accessing your environment. https://support.microsoft.com/en-us/assistedsupportproducts

    Best regards
    Jong


  2. Limitless Technology 39,391 Reputation points
    2022-08-26T09:00:50.037+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues related to a failed logon attempt (Event ID 4625, logon type 8).

    Please try to enable Advanced security monitoring for this event, which provides information about individual audit events and lists them within audit categories and subcategories.

    Reference :
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  3. MarcovantVeld-8972 1 Reputation point
    2022-09-01T08:16:22.723+00:00

    I will enable the Advanced Security Monitoring for the events and post the results here.
    I'll get back to you.


  4. MarcovantVeld-8972 1 Reputation point
    2022-10-12T06:56:42.647+00:00

    Good day,

    It has been a while, but I've managed to secure (some of) the logs and have posted an example below.
    Customer-identifying names have been changed. We see this behaviour every day between 22:00 and 23:00.

    In the FailoverClustering --> Diagnostics log I see entries around the same time similar to:
    [RES] Network Name <AG-virtual-computer-object-name>AccountAD: CheckIfPasswordIsInSync for Virtual-Computer-Object-Name returned 0

    System
      • Provider Name: Microsoft-Windows-Security-Auditing
        Guid: {54849625-5478-4994-A5BA-3E3B0328C30D}
      • EventID: 4625  Version: 0  Level: 0  Task: 12544  Opcode: 0  Keywords: 0x8010000000000000
      • TimeCreated SystemTime: 2022-10-09T20:03:46.012277200Z
      • EventRecordID: 52056510
      • Correlation ActivityID: {BE7DDECD-B940-439F-8EF4-9D0650C7D25D}
      • Execution ProcessID: 764  ThreadID: 5480
      • Channel: Security
      • Computer: Customer-Prod-DB1.customer.domainname.com
    EventData
      SubjectUserSid: S-1-5-18
      SubjectUserName: CUSTOMER-PROD-DB1$
      SubjectDomainName: DOMAINNAME
      SubjectLogonId: 0x3e7
      TargetUserSid: S-1-0-0
      TargetUserName: ApplicationnameData$
      TargetDomainName: customer.domain.com
      Status: 0xc000006d
      FailureReason: %%2313
      SubStatus: 0xc000006a
      LogonType: 8
      LogonProcessName: Advapi
      AuthenticationPackageName: Negotiate
      WorkstationName: Customername-PROD-DB1
      TransmittedServices: -
      LmPackageName: -
      KeyLength: 0
      ProcessId: 0x16cc
      ProcessName: C:\Windows\Cluster\rhs.exe
      IpAddress: -
      IpPort: -
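The record above carries everything needed to read the failure without guessing: the Status/SubStatus pair, the logon type, the calling process and the form of the target account. The following Python is an added triage helper written for this thread; it is not Microsoft's or the cluster's own tooling. The sample EventData block is constructed from the fields in the posted event, the NTSTATUS and logon type tables are the documented values for event 4625, and the UTC+2 offset used to map the event's SystemTime onto the poster's 22:00-23:00 window is an assumption.

```python
"""Triage helper for a Windows Security event 4625 record (added example, not
code from the thread or from Microsoft). The sample record below is constructed
from the fields of the posted event."""
import re
from datetime import datetime, timedelta

# NTSTATUS values seen in the Status/SubStatus fields of event 4625.
# The two in the posted record are 0xC000006D and 0xC000006A.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Logon type codes used by events 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample: the EventData block of the posted event, one "Name Value" per line.
SAMPLE_EVENT_DATA = r"""
SubjectUserSid S-1-5-18
SubjectUserName CUSTOMER-PROD-DB1$
SubjectDomainName DOMAINNAME
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName ApplicationnameData$
TargetDomainName customer.domain.com
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc000006a
LogonType 8
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName Customername-PROD-DB1
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x16cc
ProcessName C:\Windows\Cluster\rhs.exe
IpAddress -
IpPort -
"""


def parse_event_data(text):
    """Turn 'Name Value' (or 'Name: Value') lines into a dict; '-' is kept as-is."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        fields[name.rstrip(":")] = value.strip()
    return fields


def triage_4625(fields):
    """Decode the coded fields and flag the pattern seen in this thread."""
    status = int(fields.get("Status", "0"), 16)
    sub_status = int(fields.get("SubStatus", "0"), 16)
    logon_type = int(fields.get("LogonType", "0"))
    process = fields.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    target = fields.get("TargetUserName", "")
    result = {
        "status": NTSTATUS.get(status, f"unknown 0x{status:08X}"),
        "sub_status": NTSTATUS.get(sub_status, f"unknown 0x{sub_status:08X}"),
        "logon_type": LOGON_TYPES.get(logon_type, f"unknown {logon_type}"),
        "subject_is_local_system": fields.get("SubjectUserSid") == "S-1-5-18",
        "target_is_computer_account": target.endswith("$"),
        "source_process": process,
    }
    # Pattern from the posted record: the cluster Resource Hosting Subsystem (rhs.exe)
    # running as SYSTEM, a NetworkCleartext logon against a computer account ($),
    # rejected as wrong password. Events matching it should be correlated with the
    # FailoverClustering Diagnostics log at the same time (the CheckIfPasswordIsInSync
    # entries quoted above) rather than treated as an external logon attempt outright.
    result["cluster_rhs_vco_check"] = (
        process == "rhs.exe"
        and result["subject_is_local_system"]
        and result["target_is_computer_account"]
        and logon_type == 8
        and sub_status == 0xC000006A
    )
    return result


def local_hour(system_time, utc_offset_hours):
    """Map the event's UTC SystemTime (7-digit fraction) to a local hour of day.

    The posted record is stamped 20:03 UTC; with an assumed UTC+2 offset that is
    22:03, inside the 22:00-23:00 window the poster reports."""
    trimmed = re.sub(r"(\.\d{6})\d*Z$", r"\1Z", system_time)  # %f takes at most 6 digits
    utc = datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S.%fZ")
    return (utc + timedelta(hours=utc_offset_hours)).hour


if __name__ == "__main__":
    fields = parse_event_data(SAMPLE_EVENT_DATA)
    for key, value in triage_4625(fields).items():
        print(f"{key}: {value}")
    print("local hour:", local_hour("2022-10-09T20:03:46.012277200Z", 2))
```

Two points worth keeping in mind when reading such records: the Status/SubStatus codes are NTSTATUS values, so SubStatus 0xC000006A (wrong password) is the specific reason while Status 0xC000006D is the generic logon failure; and SystemTime in the event XML is UTC, so the poster's 22:00-23:00 observation only lines up with the 20:03 timestamp once the local offset is applied.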