1000's of audit failures

I am having an issue with servers randomly getting 1000's of audit failure errors. Usually a reboot fixes the problem for a while, but I need to get to the root cause of the issue. This is a virtual environment. I have 3 ESX hosts running ESX 4.1. The first error I get is usually this:
Message: 'This computer was not able to set up a secure session with a domain controller in domain NJ1 due to the following: The RPC server is unavailable. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.'
Data: 'C0020017'
The computer is still on the network as I can RDP to it. The 1000's of event ID errors are all the same; see below:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name:
Account Domain:
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: svc_or
Account Domain: nj1
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000005e
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name:
Network Information:
Workstation Name: NJ100-MGMT01
Source Network Address: 10.8.32.45
Source Port: 56481
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only):
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Any help would be appreciated. 

@Pace0214
I need a little more info on your environment to get a feel for what may be going on.  How many domain controllers are you using?  How many sites do you have?  How are they configured, i.e., hub and spoke, spanned, etc.? Do you have DCs in the sites?  Are you using AD integrated DNS or some other method?  These are the big ones that come to mind.
Mr. X has got you looking in the right places; these types of errors are usually DNS or IP configuration related.  AD uses subnets to find everything that DNS doesn't.  It is what clients use to locate a DC to authenticate against and, unless properly configured, you will get these types of errors.
Gary
Gary G. Gray
 MCP, MCTS, MCITP, MCT Alumni
Please remember to mark the replies as answers if they are helpful.
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
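
One way to triage a flood like the one in this thread (an added example, not code from the original posts): parse the text of 4625 events, whether each value sits on the label's line or on the line after it, count failures per target account, source and authentication package, and name the Status / Sub Status code. The sample events, host names and addresses are constructed, and `parse_4625`, `failure_reason` and `summarise` are names chosen for this example.

```python
from collections import Counter

SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
FIELDS = {"Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
          "Failure Reason", "Status", "Sub Status", "Caller Process ID",
          "Caller Process Name", "Workstation Name", "Source Network Address",
          "Source Port", "Logon Process", "Authentication Package",
          "Transited Services", "Package Name (NTLM only)", "Key Length"}
# NTSTATUS values carried in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",  # no logon server could be reached
    0xC000006D: "STATUS_LOGON_FAILURE",     # generic; Sub Status has the detail
    0xC0000064: "STATUS_NO_SUCH_USER",      # account name does not exist
    0xC000006A: "STATUS_WRONG_PASSWORD",    # account exists, password is wrong
}

def parse_4625(text):
    """Return one dict per 4625 event, keyed 'Section/Field'."""
    events, cur, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "An account failed to log on." in line:  # may follow a date/ID prefix
            cur, section, pending = {}, None, None
            events.append(cur)
            continue
        if cur is None or not line:
            continue
        label, sep, value = (part.strip() for part in line.partition(":"))
        if sep and not value and label in SECTIONS:
            section, pending = label, None
        elif sep and label in FIELDS:
            pending = f"{section}/{label}"
            cur[pending] = "" if value == "-" else value
            if value:
                pending = None  # an empty value may continue on the next line
        elif pending:
            cur[pending] = "" if line == "-" else line
            pending = None
    return events

def failure_reason(ev):
    """Name the most specific code: Sub Status when non-zero, else Status."""
    for field in ("Sub Status", "Status"):
        try:
            code = int(ev.get(f"Failure Information/{field}", ""), 16)
        except ValueError:
            continue
        if code:
            return NTSTATUS.get(code, f"0x{code:08X}")
    return "UNKNOWN"

def summarise(events):
    """Count failures per (target account, source, auth package, reason)."""
    counts = Counter()
    for ev in events:
        name = ev.get("Account For Which Logon Failed/Account Name") or "(blank)"
        domain = ev.get("Account For Which Logon Failed/Account Domain")
        source = (ev.get("Network Information/Source Network Address")
                  or ev.get("Network Information/Workstation Name") or "(local)")
        package = ev.get("Detailed Authentication Information/Authentication Package")
        counts[(f"{domain}\\{name}" if domain else name, source,
                package or "?", failure_reason(ev))] += 1
    return counts.most_common()

# Constructed samples, trimmed to the fields used: SPLIT has values on the next line.
SPLIT = """An account failed to log on.
Account For Which Logon Failed:
Account Name:
svc_example
Account Domain:
EXAMPLE
Failure Information:
Status:
0xc000005e
Sub Status:
0x0
Network Information:
Source Network Address:
192.0.2.45
Detailed Authentication Information:
Authentication Package:
NTLM
"""
INLINE = """An account failed to log on.
Account For Which Logon Failed:
  Account Name:
Failure Information:
  Status: 0xc000006d
  Sub Status: 0xc0000064
Network Information:
  Workstation Name: HOST-B
  Source Network Address: -
Detailed Authentication Information:
  Authentication Package: Kerberos
"""

if __name__ == "__main__":
    print(*summarise(parse_4625(SPLIT * 2 + INLINE)), sep="\n")
```

A single dominant row with STATUS_NO_LOGON_SERVERS means the server could not reach a domain controller to validate the logon, which matches the secure-session error quoted in the question and the DNS and subnet checks suggested in the reply, rather than a wrong password.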

Similar Messages

  • An account failed to log on unknown username or password. Causing Login audit failures

    I have a SBS11 Essentials server that is getting audit failures over and over again. The computer account says it's the SBS11 server itself.  It says unknown user name or bad password. I have checked for scheduled tasks, backup jobs, services and none of them are using any special user accounts.  I have used MS Network Monitor and can't find anything helpful to lead to the issue.  All computers in the network are running Windows 7.  The domain functional level is 2008 R2.
    I get the 4768 event ID about a Kerberos event and then just after I get an Event ID 4625 account failure with Logon Type 3.  I have included the events below.  I need to figure out what is causing the audit failures as my GFI Test Hacker alert is catching it every morning.  Disabling the Test Hacker alert is not an option.  I have used Process Explorer also but can't seem to pin it down.  I also enabled Kerberos logging.
    http://support.microsoft.com/kb/262177?wa=wsignin1.0.  All event codes state it's an unknown or non-existing account, but how do I stop it from happening?
    This is from the System Event log
    A Kerberos Error Message was received:
    on logon session TH.LOCAL\thsbs11e$
    Client Time:
    Server Time: 14:59:53.0000 3/4/2014 Z
    Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: TH.LOCAL
    Server Name: krbtgt/TH.LOCAL
    Target Name: krbtgt/[email protected]
    Error Text:
    File: e
    Line: 9fe
    Error Data is in record data.
    This is from the Security Event log
    A Kerberos authentication ticket (TGT) was requested.
    Account Information:
    Account Name: S-1-5-21-687067891-4024245798-968362083-1000
    Supplied Realm Name: TH.LOCAL
    User ID: NULL SID
    Service Information:
    Service Name: krbtgt/TH.LOCAL
    Service ID: NULL SID
    Network Information:
    Client Address: ::1
    Client Port: 0
    Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -
    Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
    Certificate information is only provided if a certificate was used for pre-authentication.
    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
    I then get the following error in the next event
    An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: THSBS11E$
    Account Domain: TH
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x25c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: THSBS11E
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Well I opened the case for him and he never followed up with Microsoft :-(
    It's a Kerberos issue; we're told to ignore it.  Would you be willing to be patient and stubborn and work with CSS to at least understand what's going on better?  I can tell you it's normal with Essentials but not the exact technical reason it's happening.
    Unfortunately TechNet isn't coming back, sorry folks :-(

  • Event 672 audit failure after migration to hosted Exchange

    I recently migrated a company to hosted Exchange.  They had been previously using in-house Exchange 2003 (on SBS 2003).  Exchange has been removed from the server and the 2003 SBS server is still running as the DC.
    Right after the migration the server began to receive Error 672 failure audits, 1000s per day.
    I suspect these can be safely ignored, but is there a way to stop them as they show up on daily security reports?
    -Ken
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 672
    Date:  11/24/2014
    Time:  10:11:40 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: BUZZ
    Description:
    Authentication Ticket Request:
      User Name:  user@hosted Exchange.lan
      Supplied Realm Name: COMPANY.LOCAL 
      User ID:   -
    Service Name:  krbtgt/COMPANY.LOCAL
      Ticket Options:  0x40810010
      Result Code:  0x6
      Ticket Encryption Type: -
      Pre-Authentication Type: -
      Client Address:  192.168.x.x
      Certificate Issuer Name: 
      Certificate Serial Number: 
      Certificate Thumbprint: 

    Hi Ken,
    I suspect these can be safely ignored, but is there a way to stop them as they show up on daily security reports.
    We can stop audit failure events from being logged in Event Viewer by editing audit policy. More specifically, we can set the Group Policy setting Audit logon events to not audit logon failures (uncheck the Failure checkbox). Here is a screenshot below:
    Best Regards,
    Amy

  • Unable to receive an email by task scheduler on audit failure in windows server 2008 r2 security log

    Dear All,
    I am sorry in advance if I am on the wrong forum. I have created a task on a Server 2008 R2 domain controller so that when an audit failure event is triggered in the Windows security log, an email should reach my email ID, but unfortunately nothing happens on audit failure. I receive no email from Task Scheduler.
    Kindly suggest how to resolve the issue. I have created the email task on event ID 4771.
    Thanks.
    Zeeshan Ibrahim Network Administrator

    Hi Zeeshan,
    I have found a hotfix against the same error messages, though it applies to Windows Vista and Windows Server 2008, I am not sure if it will work on your machine.
    Please refer to this KB article below:
    Duplicate triggers are generated incorrectly in scheduled tasks in Windows Vista or in Windows Server 2008
    http://support.microsoft.com/kb/2617046
    Please feel free to let us know if this hotfix couldn’t help you fix this issue.
    Best Regards,
    Amy Wang

  • Multiple security audit failures a second

    A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It is happening way too fast to be a human trying to log in.
    Keywords Date and Time Source Event ID Task Category
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
    Subject
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
    Subject :
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: < ommited from forum post >
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x24c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: SBS
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    Subject
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x131c
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x26206ef4"
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
    Subject :
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x131c
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x26206ef4"
    Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <ommited from forum post>
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x24c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: SBS
    Source Network Address:
    Source Port:
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services:
    Package Name (NTLM only):
    Key Length: 0
    Jerry T

    Hi Jerry,
    Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually related to shared folders, printers, IIS and so on.
    Would you please confirm whether you had installed some third-party applications?
    Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if it can help you.
    Audit Failure - Event 4625
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • 4265 Audit Failure: NTLM Authentication Issue from constant Outlook Login Prompts

    Hello Technet!
    Last week I started running into a domain-wide issue where users could authenticate while connected to the domain, but would receive prompts to log in to our external host. The first prompt is for mail.domain.local, which works fine inside the office, and
    the second is owa.domain.com, which continually fails. 
    On the second prompt, the Exchange 2007 server (on Server 2008 R2) reports the following error:
    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 3/19/2015 9:10:19 AM
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: mail.domain.local
    Description:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user
    Account Domain: domain
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: DOMAIN-PC
    Source Network Address: 12.345.67.89
    Source Port: 56984
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    I've gone through quite a few attempted fixes already, all to no effect:
    1. I've both added BackChannelHostName to the server's registry, as well as described here: https://support.microsoft.com/en-us/kb/896861
    2. Verified SSL Cert status
    3. Internal and External OWA URI is set to owa.domain.com in EWC
    4. Set up the IIS7 authentication and SSL settings to their defaults, as described here: http://msexchangeguru.com/2010/10/05/autodiscover/
    5. I added a SRV record for autodiscover on our DC to correct an EXPR auth issue: https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
    Despite all these things, I haven't yet seemed to scratch whatever itch Exchange is having. All of the client Outlooks will get the prompt for owa.domain.com, even though their mail is working because they're in the office or on VPN. For whatever reason,
    the Mac Outlook 2011 users cannot authenticate to the mail server at all, so they are the ones hit the hardest by this issue.
    Any insight everyone here at TechNet can offer would be appreciated. Every fix and workaround I've looked at has either changed nothing, or pointed to something that was already configured properly. If there are details missing that I could offer to provide
    a better idea of the problem, please let me know. Thank you.
    -- Brian Q.

    Hi,
    Yes, it may be caused by the security updates on March 10, 2015. Please refer to the known issue in the following KB:
    http://support.microsoft.com/en-us/kb/3002657
    Please remove the security patch on the DC and restart server to have a try. Additionally, here is a similar thread for your reference:
    https://social.technet.microsoft.com/Forums/exchange/en-US/1b2a24d9-3d77-49f6-9d0f-63c71da64827/password-prompt-after-exchange-server-windows-updates?forum=exchangesvrclientslegacy
    Regards, 
    Winnie Liang
    TechNet Community Support

  • Audit failure every 2 minutes on a W2K8 standalone Server in a Workgroup EventID 4625

    Hello
    By chance I discovered that every 2 minutes there is a login failure on my standalone (Workgroup) W2K8 R2 Server.
    The administrator is disabled (login errors also appear when administrator user is enabled).
    Could not find any tasks that are running with administrator credentials. It seems to me that it must be from the same machine, as the source IP Address is 127.0.0.1.
    Does anyone have an idea?
    Here the log:
    An account failed to log on.
    Subject:
        Security ID:        SYSTEM
        Account Name:        NS2308064$
        Account Domain:        WORKGROUP
        Logon ID:        0x3e7
    Logon Type:            2
    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        Administrator
        Account Domain:        NS2308064
    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc000006a
    Process Information:
        Caller Process ID:    0x20c
        Caller Process Name:    C:\Windows\System32\winlogon.exe
    Network Information:
        Workstation Name:    NS2308064
        Source Network Address:    127.0.0.1
        Source Port:        0
    Detailed Authentication Information:
        Logon Process:        User32
        Authentication Package:    Negotiate
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    Thanks & Regards
    Chris

    Hi,
    This is a forum for Windows 7.
    Please focus on one post to get better solutions.
    http://social.technet.microsoft.com/Forums/en-US/5019d759-b497-44e4-a82a-4fefd4e367c6/audit-failure-every-2-minutes-on-a-w2k8-standalone-server-in-a-workgroup-eventid-4625?forum=winserversecurity
    Thanks for your understanding!
    Regards,
    Ada Liu
    TechNet Community Support

  • Kerberos audit failures, ~38-42 events PER MINUTE

    We have a server running "Windows Server Standard FE" 64bit SP2 (I know, embarrassing). The issue is that our Security log is getting FLOODED with audit failures from Kerberos Service Ticket Operations. We will see 38 all with the EXACT same time-stamp,
    then sometimes the next minute will have another 40, sometimes it's a 5 minute gap, sometimes it's a more random gap but regardless it never waits too long before another huge burst of failures. We actually have the issues on other machines running newer system
    (2k3, 2k8) but this one is hands down the most troublesome.
    Honestly I might be out of my depth here as I'm really not too keen on Kerberos ticket requests, but any information around this would be greatly appreciated to help me investigate the issue further. These errors haven't actually led to any problems or other
    errors, just bug the heck out of me when checking audits.
    A Kerberos service ticket was requested.
    Account Information:
    Account Name: <hostname>$@<domain>.LOCAL
    Account Domain: <domain>.LOCAL
    Logon GUID: {00000000-0000-0000-0000-000000000000}
    Service Information:
    Service Name: krbtgt/<domain>.LOCAL
    Service ID: NULL SID
    Network Information:
    Client Address: ::1
    Client Port: 0
    Additional Information:
    Ticket Options: 0x60810010
    Ticket Encryption Type: 0xffffffff
    Failure Code: 0xe
    Transited Services: -
    This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
    This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
    Ticket options, encryption types, and failure codes are defined in RFC 4120.

    :(   

  • Windows 7 Security Audit Failure message 6281 & Security Kernel

    OS:  Windows 7 Home Premium Ver 6.1 Build 7601 SP 1
    Toshiba Satellite C655
    I received a Windows 7 Security pop-up saying there was a Kernel mismatch and asked if I wanted to proceed.  Not thinking, I hit yes.  Looking through the Security Audit Log, I found an audit failure with 6281 System Integrity Error.  I am assuming they are related.
    Any idea what I have done and what I need to check/do to recover?
    Thanks

    Hi,
    Please upload the full error messages here; we need more information to narrow down the cause. Then check Event Viewer to see if any other errors are logged.
    Besides, check to see if there are any devices that have new drivers that need to be updated.
    Mostly this error is caused by the "Realtek Audio HD driver", please check to see if we have any related devices.
    Reference:
    Windows 7 freeze after shutdown
    Best regards
    Michael Shao
    TechNet Community Support

  • Audit failures on Exchange 2010 and password prompts in outlook

    Starting last Thursday after I patched my domain controllers and other Windows systems and rebooted my Outlook users are being prompted for username/password continuously and my Exchange security logs reflect audit failures for NTLM which I think is triggering
    the prompt. The same users also have an audit success via Kerberos.
    If the password prompt is cancelled, Outlook can send and receive email just fine, but the box continues to pop up occasionally.
    I've worked on this for several days now and can't figure it out. The audit logs on the DC's are clean with no audit failures.
    The issue is also affecting Visual Studio users who log into a Team Foundation Server, they are continually prompted for credentials and can't get in and the audit logs show the same thing.
    I don't think this is an Exchange specific issue but more of a broader authentication problem.
    Can anyone shed any light on this?
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: mart.marc
    Account Domain:  AOF
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: AOG-LP047
    Source Network Address: 10.10.1.159
    Source Port: 50075
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Hi,
    It is a known issue if you install the following security updates on March 10, 2015:
    http://support.microsoft.com/en-us/kb/3002657
    The user would be prompted with credentials when NTLM is used to authenticate these Active Directory domain users and services. 
    We can remove this patch from all the DCs manually and check whether the issue persists.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Auditing set to "Failure" only but Success 4985 still being logged

    Hello,
    We've configured a domain wide policy to only audit "Failure" events in the Audit Policy.
    This has successfully applied to all our servers but we're finding that Success Event IDs 4985 (The State of a Transaction has changed) are still being logged. It does seem to be only this event ID which is being logged.
    I believe that this event comes under Audit Object Access, but cannot understand why these "success" events are still being logged when this audit setting is definitely set to "failure".
    Thanks

    Hi,
    Here is my understanding: You would like to only log Failure events in Event log. However even with all Success options unchecked in Audit policy, Audit Success (event 4985) still exists in Event Viewer.
    For the event 4985, it is triggered by the Transactional NTFS (TxF), when the file state is changed. 
    TxF is a new feature introduced in Windows 2008 / Vista, and allows file operations on an NTFS file system volume to be performed in a transaction. TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code.
    For more information about TxF, please refer to the following web page:
    http://msdn.microsoft.com/en-us/library/aa363764(v=VS.85).aspx
    You can find more information about the audit events from the below articles:
    Description of security events in Windows 7 and in Windows Server 2008 R2
    http://support.microsoft.com/kb/977519
    Advanced Security Audit Policy Settings
    http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx
    Specifically, please check Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit Policies - Object Access: Audit File System. Test setting it with only Failure checked.

  • How to determine the destination port from a audit fail event

    I have a bunch of audit failure events (4625) in our security log. The details only show the source address and port but no destination port info. Is there any way I can find out that info? What I really want to know is what application\port these logins try to authenticate into.
    Thanks

    Hi,
    I am not aware of any way to determine the destination port based on event logs. However, you can try to use NetMon or other software to capture packets to see if it works.
    As for application, you can check the Process Information in the event.
    Best Regards,
    Amy

  • 802.1x random failures

    I am in the process of implementing machine based 802.1x to my company. I have 2 radius servers and 1 CA. The machines get their certificates via group policy. The group policy is working fine and everyone has been issued their certificates that are supposed
    to have them. I wait til they get their certificates, then enter the commands for 802.1x on their port. I have about 50 machines that are working as they should, but I have three random machines that will not communicate whenever I flip the port on the switch.
    The three machines have valid certificates and have full connectivity to the two radius servers and the CA. I do not believe it is a switch problem, because I have other machines connected to this switch that are authenticating properly. Also, I have
    tried the 802.1x hotfix on these machines with no luck. I am wondering if there is anything that I could try on the clients that would keep them from authenticating. All of my clients are Windows 7 SP1 64 bit. Any suggestions would be appreciated! 

    Hi,
    Based on your description, you are deploying 802.1x authenticated wired network access. The issue is that three machines in your network can’t pass the 802.1x authentication.
    About “The three machines have full connectivity to the two radius servers and the CA.” Does it mean that the three machines can ping the two radius servers?
    What errors did the three machines receive when they log on? Or are there any related event logs on the RADIUS server?
    For example, on a Windows 2012 R2 NPS server, you could check the Security-Auditing events in Custom Views\Server Roles\Network Policy and Access Services.
    You could also check the Audit Failure events. They are in the Windows Logs\Security directory.
    Please also check if the wired network (IEEE 802.3) group policy was applied to the three machines.
    You could run gpresult /h c:\report.html to generate the result of group policy.
    If you can't find the group policy which you created, please run the gpupdate /force command on the three clients.
    Best Regards,
    Tina

  • Audit Policy setting in GPO

    Hi,
    I would like to set up the audit settings for our company, which will include mainly the "DS access" category. Also, we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Should all those settings be set in the "Default Domain Policy" GPO or "Default Domain Controller Policy"? Or do we need to set up another GPO for the settings as, suggested by MS, the "Default Domain Policy" should only contain the Password and Lockout policy?
    Thanks,
    Jerald Leung

    Hi Jerald,
    >>I would like to setup the audit setting for our company which will include mainly the "DS access" category.
    According to me, for auditing DS access, we can configure this setting in the default domain controller group policy.
    DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events
    are logged only on domain controllers.
    The following article has provided the step-by-step guide for configuring DS access audit settings.
    AD DS Auditing Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
    Note: Audit events will only be generated on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL
    settings.
    >>we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Audit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).
    If you want to just audit failure logon, you can configure the settings in the default domain policy or configure it in another GPO which links to the domain.
    In addition, we can set the maximum size of security log via group policy. Regarding this point, the following article can be referred to for more information.
    Maximum security log size
    http://technet.microsoft.com/en-us/library/cc776342(v=ws.10).aspx
    Best regards,
    Frank Shen
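
Whichever GPO carries the settings, the effective result can be checked on a domain controller by comparing the CSV report from auditpol /get /category:* /r with the intended state. The script below is an added example, not part of the original thread; the baseline values, the sample rows (with placeholder GUIDs) and the function name Compare-AuditPolicy are assumptions made for illustration.

```powershell
# Intended state (assumption for this example): failures only for logon/logoff,
# DS Access auditing enabled on domain controllers.
$baseline = [ordered]@{
    'Logon'                     = 'Failure'
    'Logoff'                    = 'Failure'
    'Directory Service Access'  = 'Success and Failure'
    'Directory Service Changes' = 'Success'
}

function Compare-AuditPolicy {
    # Compare auditpol CSV report lines with the baseline, one result per subcategory.
    param([Parameter(Mandatory)][string[]]$CsvLines,
          [Parameter(Mandatory)]$Baseline)
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Baseline.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Baseline[$name])
        }
    }
}

# Constructed sample in the column layout of "auditpol /get /category:* /r".
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{placeholder-guid},Success and Failure,
DC01,System,Logoff,{placeholder-guid},Success,
DC01,System,Directory Service Access,{placeholder-guid},Success and Failure,
DC01,System,Directory Service Changes,{placeholder-guid},No Auditing,
'@ -split '\r?\n'
# Live use (elevated prompt): $sample = auditpol /get /category:* /r

Compare-AuditPolicy -CsvLines $sample -Baseline $baseline | Format-Table -AutoSize
```

On the constructed sample only Directory Service Access is compliant; Logon and Logoff still record successes, which is the log-volume problem the question describes.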

  • CSA User authentication auditing rule and Policy conflicts

    Hi there
    We have CSA 5.2 in our environment and I created a custom policy and added the 'user authentication auditing' rule and enabled auditing failure events on a Windows XP machine, but I don't see any failure attempts in the CSA MC event log even though I tried to log on with invalid passwords. What could be the reason for this?
    Secondly, I was wondering what happens when I apply two policies. Are the policy settings added and applied to the group, or does one policy get priority over the other?
    Thanks for your answers
    Ahmed

    Have you checked the security event logs on the machines in question? If there are no events there, CSA cannot report them.
    That's where CSA gets the info and by default, there is no account auditing in Windows XP.
    You have to enable it either via group or local policy.
    Tom
