Failed login attempts of virtual name object on primary cluster node.

Question

One of our customers have noticed a decent amount of windows security log entries where the Virtual Computer Object of a SQL Availability Group tries to logon to the primary node but that the attempt failed (Event ID 4625, logontype 8).
This doesn't occur every day but when it does it's during out of office hours.
Nothing seems to be broken, failover is still possible. But it is an reoccurring event.

Things we tried and checked:

• The CNO has full control rights on all the VCO's.
• In Failover Cluster Manager when performing a Simulate Failure on a resource, the events do not appear for several days.
• Other resources that did not receive this workaround still show up in the security event log.
• We see this behaviour on multiple clusters, not just for this specific customers.
• Password rotation of the VCO's is still in effect.

What could be causing this issue?
Am I missing somehting?
Is this a bug perhaps?

Server is running Windows Server 2016 (Version 1607)
with SQL server 2017 (version 14.0.3445.2).

Answer 1

Hi @Marco van 't Veld
Now that the error doesn’t occur all the time, it’s really hard to define what kind of problem it is. So my suggestion is that you may try to upgrade to the newest pacth (2017).details.aspx
If it still doesn’t work, you may start a phone call case so that you can ask professional engineer for help, and they will deal with your problem separately and confidentially in the way of accessing your environment.https://support.microsoft.com/en-us/assistedsupportproducts

Best regards
Jong

Answer 2

Hello

Thank you for your question and reaching out. I can understand you are having issues related to attempt failed (Event ID 4625, logontype 8).

Please try to enable Advanced security monitoring for this Event which provides information about individual audit events, and lists them within audit categories and subcategories.

Reference :
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events

---------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

I will enable the Advanced Security Monitoring for the events and post the results here.
I'll get back to you.

Answer 4

Goodday,

It has been a while but I've managed to secure (some) of the logs and posted an example below.
Customer Identified names have been changed. We see this behaviour everyday between 22:00 and 23:00.

In the FailoverClustering --> Diagnostics log I see entries around the same time similar to:
[RES] Network Name <AG-virtual-computer-object-name>AccountAD: CheckIfPasswordIsInSync for Virtual-Computer-Object-Name returned 0

System

• Provider [ Name] Microsoft-Windows-Security-Auditing
  [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D} EventID 4625 Version 0 Level 0 Task 12544 Opcode 0 Keywords 0x8010000000000000
• TimeCreated [ SystemTime] 2022-10-09T20:03:46.012277200Z EventRecordID 52056510
• Correlation [ ActivityID] {BE7DDECD-B940-439F-8EF4-9D0650C7D25D}
• Execution [ ProcessID] 764
  [ ThreadID] 5480 Channel Security Computer Customer-Prod-DB1.customer.domainname.com Security
  • EventData
  SubjectUserSid S-1-5-18
  SubjectUserName CUSTOMER-PROD-DB1$
  SubjectDomainName DOMAINNAME
  SubjectLogonId 0x3e7
  TargetUserSid S-1-0-0
  TargetUserName ApplicationnameData$
  TargetDomainName customer.domain.com
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc000006a
  LogonType 8
  LogonProcessName Advapi
  AuthenticationPackageName Negotiate
  WorkstationName Customername-PROD-DB1
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x16cc
  ProcessName C:\Windows\Cluster\rhs.exe
  IpAddress -
  IpPort -