AUDIT_FAILURE(4625) with sqlservr.exe

Question

Wednesday, August 10, 2016 7:54 AM

Hi forums,

I keep finding these events in the event log of my db server. It seems to happen with a full backup task configured via SQL Server Agent.

Any ideas?

2016 Aug 09 21:00:00 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: pci-ph-msdb01.jenetwork.local: An account failed to log on. Subject:  Security ID:  S-1-5-20  Account Name:  PCI-PH-MSDB01$  Account Domain:  JENETWORK  Logon ID:  0x3e4  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:    Account Domain:    Failure Information:  Failure Reason:  %%2304  Status:   0xc000040a  Sub Status:  0x0  Process Information:  Caller Process ID: 0x65c  Caller Process Name: C:\Program Files\Microsoft SQL Server\MSSQL10_50.JEMSSQLSERVER\MSSQL\Binn\sqlservr.exe  Network Information:  Workstation Name: PCI-PH-MSDB01  Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  Authz     Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the comp

QB

All replies (4)

Thursday, August 11, 2016 10:04 AM ✅ Answered

Hi QB101,

According to the error message you provided, you most likely have connectivity issues to the Active Directory (AD) server by using the account mentioned in the error message. Please be sure there isn't a restrictive read policy in your AD for the problem account. And make sure the SQL Server service account is allowed to connect to the Active Directory of 'DOMAIN'.
For your issue, you can change the owner of the backup job to sa and check if this will resolve the exception. For more details, you can refer to this similar thread.

If you have any more questions, please feel free to ask.

Regards,
Angelia


Wednesday, August 10, 2016 7:59 AM

Do you run some third-party backup tool?


Wednesday, August 10, 2016 8:06 AM

I'm linking the event log entry to the backup because they consistently happen at the same time (9PM).

For the backup I have a Maintenance Plan set up to dump all dbs to file. I execute this maintenance plan with the Agent daily at 9PM.


Thursday, August 11, 2016 9:44 AM

Hi,

Per your concern, I guess Event ID 4625 is not related to the database owner; it seems related to a domain controller. Check the post below if it helps:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625

Also, https://www.petenetlive.com/KB/Article/0001209
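
The question ties the failures to the 9PM Agent job by timing alone. As an added example (not code from the thread or any participant), this Python code parses the flattened `WinEvtLog` line format shown in the question and reports the caller-process and time-of-day slots in which 4625 failures repeat on more than one day. The sample lines are constructed with placeholder host and domain names, and `parse_4625`, `recurring_failures` and `sample` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information", "Process Information",
            "Network Information", "Detailed Authentication Information"}
# A label is capitalised words joined by single spaces, then ':' and whitespace.
LABEL = re.compile(r"(?:^|\s{2,})([A-Z][A-Za-z()]*(?: [A-Za-z()]+)*):(?=\s|$)")

def parse_4625(line):
    """Return (timestamp, {(section, label): value}) for one flattened event line."""
    when = datetime.strptime(line[:20], "%Y %b %d %H:%M:%S")
    body = line[line.index("Subject:"):]
    hits = list(LABEL.finditer(body))
    fields, section = {}, None
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        # A value never contains a double space; text after one is trailing prose.
        value = re.split(r"\s{2,}", body[m.end():end].strip())[0]
        if m.group(1) in SECTIONS:
            section = m.group(1)      # header, e.g. "Subject:" (carries no value)
        else:
            fields[(section, m.group(1))] = value
    return when, fields

def recurring_failures(lines, min_days=2):
    """Map (caller exe, HH:MM) -> sorted dates, for slots seen on >= min_days days."""
    days = defaultdict(set)
    for line in lines:
        if "AUDIT_FAILURE(4625)" not in line:
            continue
        when, f = parse_4625(line)
        exe = f.get(("Process Information", "Caller Process Name"), "-").rsplit("\\", 1)[-1].lower()
        days[(exe, when.strftime("%H:%M"))].add(when.date())
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}

# Constructed sample input: the question's event layout with placeholder host/domain names.
def sample(ts, exe):
    return (f"{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: db01.example.local: An account failed to log on. Subject:  "
            "Security ID:  S-1-5-20  Account Name:  DB01$  Account Domain:  EXAMPLE  Logon Type:   3  "
            "Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:    Account Domain:    "
            f"Failure Information:  Status:   0xc000040a  Process Information:  Caller Process Name: {exe}  "
            "Detailed Authentication Information:  Key Length:  0  This event is generated")

SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE = [sample("2016 Aug 08 21:00:00", SQL), sample("2016 Aug 09 21:00:00", SQL),
          sample("2016 Aug 10 03:17:42", r"C:\Windows\System32\svchost.exe")]
if __name__ == "__main__":
    print(recurring_failures(SAMPLE))
```

A slot that recurs at the same minute on several days can then be compared against the SQL Server Agent job schedule.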