4265 Audit Failure: NTLM Authentication Issue from constant Outlook Login Prompts

Similar Messages

• Adobe Flash NTLM Authentication Issue

  This problem is having a major impact for many users in my account.
  The users are testing streaming course ware delivery over the Internet and also hitting the proxy re-login prompt.
  The problem with them is that after re-logging in the course restarts at the beginning.
  So it is not a fit for purpose environment for this application currently.
  The same problem occurs for companies webcast through Internet.
  Recent test with the users have confirm the issue occurs using the following version of flash:
  Adobe Flash Player ActiveX 11.1.102.55
  Adobe Flash Player ActiveX 11.1.102.62
  The Shockwave Flash NTLM authentication issue is characterised by the following packet sequence: WS sends Request to Server. Server closes the TCP connection without a response to the request. The WS establishes a new TCP connection and resend the request with previous NTLM Authentication details (ie does not go through the correct NTLM handshake for proxy authentication failure and the browser to pop for user credentials.
  When the above occurs,
  NTLM authentication screen popup up, entering credential again didn’t resume video. I had to reload the page to resume video from the beginning.
  No popup, but the video resumes from the beginning when there was a prolonged delay.
  The problem occurs on Windows XP SP3 with IE7 or IE8 with Flash Player 11.1.102.62
  Is the problem a known issue with Adobe Flash Player ?

  Hello,
  The bug report states can not reproduce. I understand the problem and am happy to help Adobe understand if they want to email me and organise a webex.
  The problem is associated with the way IE handles NTLM on a new connection. When performing a POST request, it will make two requests: the first contains a type1 NTLM token and no body, and the second will contain the type 3 token and the body. It does this because it expects to perform NTLM authentication as NTLM is connection not session based, and hence for efficiency, it doesn't send the POST body on the first request (knowing a second request will be required).
  The POST request initiated by the Flash application is only made once, so it presents a POST request and no body with the type 1 token to the web server (ie IIS, or some Java implementation such as SSO Plugin), and does not make a second request with a type 3 token and the body. It gives up and automatically prompts the user for a username/password, which is the wrong behaviour when the browser is in the Local Intranet zone and the web server responded with a type 2 token.
  I can reproduce this easily and it is a serious bug: it means that any Flash application that is accessed via Integrated Windows Authentication and IE will fail when trying to make a POST request, such as uploading a file from the user.
  John
  SSO Plugin for BMC, HP and more.
  http://www.javasystemsolutions.com/jss/ssoplugin

• Client issues from behind firewall (login delays)

  I have a Novell 6.0 server outside the firewall and am beginning to set
  up clients on the inside of the firewall. There appears to be no
  issues with the outside clients connecting to the outside server.
  However I am having strange issues with the inside clients
  authenticating to the outside server. (all clients are WinXP)
  If I do not sit for at least 10 seconds at the novell login screen on
  the client at first boot-up before attempting to login, the client will
  fail. If I try again after that, it goes right in. If I do wait for
  the 10 seconds, the client authenticates the first time.
  If I put an IP address in the server name field of the login dialog
  box (instead of the servers FQDN) the client authenticates the first
  time.
  Has anyone seen this before or know where to begin looking? There does
  not appear to be a delay issue with the DNS server, as once the desktop
  is up all web browsing and pings respond quickly.
  Thank you for any help you can provide.

  Thanmad,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at
  http://support.novell.com.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Invoke NTLM Authentication Based WebService from BPEL

  Hi All,
  I am working with SOA Suite 11.1.1.6 version deployed on Weblogic Server (Linux Based OP).
  I have a requirement where i need to invoke a webservice which exposes a NTLM Based Authentication. Since this particular webservice doesn't even get loaded if we dont pass the credentials. For example :- If i hit the WSDL URL on browser, it first ask for the credentials and on success , it loads the WSDL File.
  First i have tried using this WS using SOAP UI and were able to invoke it successfully , because SOAP UI can handle the NTLM Authentication Properly. And it gives us the wizard to put the credentials when we load the WSDL in SOAP UI.
  But the problem comes when i use that WS using our SOA Composite. The WSDL Doesn't get loaded only , since it requires the credentials first. I am not sure how should i go ahead and invoke this. I have checked lot of blogs but none of them were useful for me.
  Did anybody face this issue/ task to invoke a WS which doesn't get loaded without passing the credentials and also to invoke it through BPEL composites deployed on the weblogic server (based on Linux OP).
  Please suggest!!!
  Regards,
  Shah

  Hi,
  I am in a similar situation.
  I am able to successfully invoke the webservice via soapUI when I pass the username, password and the domain.
  If I do not pass the domain name in the SOAPUI or even in SOA, I get HTTP 401, Unauthorized error. 
  However, I am able to set only the
  oracle.webservices.auth.username a
  oracle.webservices.auth.password properties when I configure it in SOA 11g.
  I tried passing the domain name in the oracle.webservices.auth.username property as domainname\username. But no luck
  The composite is deployed on a linux server. Please suggest/advice any pointers to resolve this NTLM authentication issue.

• Audit failures on Exchange 2010 and password prompts in outlook

  Starting last Thursday after I patched my domain controllers and other Windows systems and rebooted my Outlook users are being prompted for username/password continuously and my Exchange security logs reflect audit failures for NTLM which I think is triggering
  the prompt. The same users also have an audit success via Kerberos.
  If the password prompt it cancelled Outlook can send and receive email just fine but the box continues to pop up occasionally.
  I've worked on this for several days now and can't figure it out. The audit logs on the DC's are clean with no audit failures.
  The issue is also affecting Visual Studio users who log into a Team Foundation Server, they are continually prompted for credentials and can't get in and the audit logs show the same thing.
  I don't think this is an Exchange specific issue but more of a broader authentication problem.
  Can anyone shed any light on this?
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: mart.marc
  Account Domain:  AOF
  Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: AOG-LP047
  Source Network Address: 10.10.1.159
  Source Port: 50075
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

  Hi,
  It is a known issue if you install the following security updates on March 10, 2015:
  http://support.microsoft.com/en-us/kb/3002657
  The user would be prompted with credentials when NTLM is used to authenticate these Active Directory domain users and services. 
  We can remove this patch from all the DCs manually and check whether the issue persists.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• FDM 11.1.1.3 Now NTLM Authentication Disabled

  Hi Everyone,
  I've just upgraded from 11.1.1.2 to 11.1.1.3. Now when I go in to the Load Balance Manager, NTLM authentication is Disabled.
  I am prompted when I try to edit that the provider type must be configured directly in Shared Services. I have an authentication type of NTLM that all other products are using.
  Does anyone know how to Enable NTLM for FDM?
  Or a work around setting up Shared services with FDM. I cannot see any FDM references in SS
  Thanks
  G

  Hi,
  Thanks for your quick reply. I have done all the upgrades and configuration you mention. All successful.
  What authentication method should be in SS and where are the references to FDM? I have NTLM & Native (OpenLDAP)
  Surely I should I see a reference to FDM in the Application groups and when I provision users. (I don't currently)
  Thanks
  G

• Webservice, NTLM authentication

  Hello,
  We have a customer who has Navision in use. It requires an interface to BW. In Navision web service (NTLM authentication) has been implemented. Coming soon to Data Service can be used. In DS 4.2, I've seen that in the configuration of SOAP web service, the path can be entered for a AXIS2 configuration file. Does that mean the BODS 4.2 NTLM can?
  Can someone to make a reliable statement?
  By other means we have to start an experiment which has failed miserably!
  Kind regards
  Christoph Koch

  Hi,
  I am in a similar situation.
  I am able to successfully invoke the webservice via soapUI when I pass the username, password and the domain.
  If I do not pass the domain name in the SOAPUI or even in SOA, I get HTTP 401, Unauthorized error. 
  However, I am able to set only the
  oracle.webservices.auth.username a
  oracle.webservices.auth.password properties when I configure it in SOA 11g.
  I tried passing the domain name in the oracle.webservices.auth.username property as domainname\username. But no luck
  The composite is deployed on a linux server. Please suggest/advice any pointers to resolve this NTLM authentication issue.

• Negotiate Authentication Not working for Outlook

  This is a very odd situation so bear with me when explaining this.
  I have several users scattered out in different remote offices that are haveing authentication issues in outlook 2007 when trying to connect to our exchange 2010 public folder servers (CAS).  When the users open outlook it constantly sits at trying
  to connect and eventually locks the machine up until you use the task manager to close outlook.  I have only determined this is a public folder issue because if you hold down the cntrl key and right click on the outlook icon in the taskbar (next to clock) you
  get and option to see connection status.  This shows the server name (one of the CAS) and the type as public folder and the connection status is empty. 
  We opened a microsoft ticket on this and they said it was a client side issue because we have 1700 users connection to the same set of servers with out issues.  Well we have reimaged the users desktop, replaced all cableing from the user to the switch,
  and confirmed the IOS on the routers matches other offices that are working.   Still the same problem.
  Heres the kicker!  This problem does not effect other users in the same office and if this paticular user logs into another machine the same problem happens.  But if she accesses her mailbox from Web Access she has no problems and if I log this
  user on here at our home office on the same LAN as the Exchange system she has no issues.
  But wait theres more.  We have deleted the user's mailbox and LAN account.  Created a new mailbox and LAN account with a similar name not the same one and when I log on to her machine exacte same issue.  I have removed all antivirus software
  from the machine and still have the same problem.  
  Not until we ran wireshark on her machine did I start seeing some ntlm authentication issues to the exchange system. We manually changed outlook from Negotiate Authentication to  Password Authenticatoin (NTLM) and viola her email started syncing??? 
  When i change this setting on the other users they connect also. But why are we not haveing to change this on the other 1700 users?
  Can anyone please offer some insite in to what the hell is causing this and why it seem to follow the user around.  I have been troubleshooting this for weeks and am so frustrated because it just doesnt make any sense. 
  Thankyou to anyone willing to provide any ideas into what could be causing this.  When we opened a Microsoft ticket they were convinced that its client side but I have replaced everything.

  Hello,
  if you using OAW (Outlook AnyWhere) check the authentication method
  get-OutlookAnywhere -Identity "<Servername>xpv00645\RPC (Default Web Site)" | fl *AuthenticationMethod*
  I think it is set of NTLM or Negotiate.
  Outlook 2007 has negotiate
  problems at an OAW connection
  authentication.
  Change the authentication to NTLM for
  the internal and Basic for the extenal method.
  You need to reconfigure the Outlook Exhange settings to anonymous authentication and in the proxy settings to default authentication

• Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

  I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare.  When my company upgraded, I went to a Mac with Flash CC which is great.  However, Mac's don't handle HTTP Authorization Challenge Blocks like Windows machines.  In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue.  The issue is in Flash development.  When running the exact same application in Flash testing all script access fails with HTTP Status 401 errors.  I have searched the AS3 documentation, but the only thing built in to handle http challenge requests is in AIR not Flash.  The server admin's and I have tried all method's of cross domain policy files and access changes with no luck at all.  Does anyone have a solution to this issue?

  Did you check Apple Support Boot Camp article?
  iMac displays a black screen during installation of Windows 7
  http://www.apple.com/support/bootcamp/
  Installation Guide
  Instructions for all features and settings.
  Boot Camp FAQGet answers to commonly asked Boot Camp questions.
  Windows 7 FAQAnswers to commonly asked Windows 7 questions.

• How to do HTTP getRequest() with windows NTLM authentication from OBPM..??

  Hello All,
  Please share your expert ideas how me can do HTTP getRequest() with windows NTLM authentication from OBPM..??
  I am not sure even whether its possible or not, if not what could be the alternative way to do integration with MS SharePoint ??
  Version : Oracle BPM v 10.3.1
  Cheers
  Parveen Jaswal

  You are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
  I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC.

• How to solve this problem? '' can not activate cellular data network failure'' authenticating PDP  from already thank you

  how to solve this problem? '' can not activate cellular data network failure'' authenticating PDP  from already thank you

  What does this have to do with using an iPhone in an enterprise environment?
  What carrier are you using and where did you get the phone?

• ClassNotFound error when loading applet from a NTLM authenticated  site

  Hi,
  I wrote a Java applet and put it into a JAR file and signed the JAR file. It works fine if the user doesn't need to be authenticated. However, when I place the same JAR to a site that uses NTLM (NT challenging) authentication. The applet failed to load and returns ClassNotFound exception. Does anyone know why?
  The following is the complete error message:
  java.io.IOException: Server returned HTTP response code: 401 for URL: http://unibox.MySite.com/fileupload/FileUpload.jar
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:697)
       at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:369)
       at sun.net.www.protocol.http.HttpURLConnection.getHeaderFields(HttpURLConnection.java:1139)
       at sun.plugin.net.protocol.http.HttpURLConnection.checkCookieHeader(HttpURLConnection.java:330)
       at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:367)
       at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
       at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
       at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
       at sun.plugin.cache.JarCache.get(JarCache.java:177)
       at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
       at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
       at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
       at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
       at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
       at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
       at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
       at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
       at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
       at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
       at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
       at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
       at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
       at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
       at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
       at sun.applet.AppletPanel.run(AppletPanel.java:290)
       at java.lang.Thread.run(Thread.java:536)
  load: class FileUpload.class not found.
  java.lang.ClassNotFoundException: FileUpload.class
       at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:151)
       at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
       at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
       at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:478)
       at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
       at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
       at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
       at sun.applet.AppletPanel.run(AppletPanel.java:290)
       at java.lang.Thread.run(Thread.java:536)
  Caused by: java.io.IOException: open HTTP connection failed.
       at sun.applet.AppletClassLoader.getBytes(AppletClassLoader.java:224)
       at sun.applet.AppletClassLoader.access$100(AppletClassLoader.java:40)
       at sun.applet.AppletClassLoader$1.run(AppletClassLoader.java:141)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:138)
       ... 10 more

  It appears that the latest jvm plugins use java to get the archive files instead of using the browser to download the archive files.
  In addition sun does not support NTLM authentication, because of this the latest jvms are unable to download the jar file containing the applet.
  I have been working on finding a way to replace suns http Handler, but have had no luck with setting the java.protocol.handler.pkgs for the plugin and having it retain the setting.
  I have achieved partial results using the appletviewer with -J-Djava.protocol.handler=com.nogoop
  you might try taking a look at http://www.nogoop.com

• Multiple security audit failures a second

  A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It its happening way too fast to be a human trying
  to login. 
  Keywords Date and Time Source Event ID Task Category
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
  Subject
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
  Subject :
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: < ommited from forum post >
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x24c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: SBS
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  Subject
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Success 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4904 Audit Policy Change
  "An attempt was made to register a security event source.
  Subject :
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Failure 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4625 Logon
  "An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xc000006d
  Sub Status:
  0xc0000064
  Process Information:
  Caller Process ID:
  0x24c
  Caller Process Name:
  C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name:
  SBS
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  Schannel
  Authentication Package:
  Kerberos
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  Jerry T

  Hi Jerry,
  Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually
  related to share folders, printers, IIS and so on.
  Would you please let me confirm whether you had installed some third-party applications?
  Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if can help you.
  Audit
  Failure - Event 4625
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• An account failed to log on unknown username or password. Causing Login audit failures

  I have a SBS11 Essentials server that is getting audit Failures over and over again. There computer account says it's the SBS11 server it's self.  It says unknown user name or bad password. I have checked for scheduled tasks, backup jobs, services and
  non of them are using any special user accounts.  I have used MS network monitor and can't find anything helpful to lead to the issue.  All computers in the network are running Windows 7.  The domain functional level is 2008 R2.
  I get a the 4768 event ID about a Kerberos event and then just after I get a Event ID 4625 account failure with Logon Type 3.  I have includes the events below.  I need to figure what is causing the audit failures as my GFI Test Hacker alert is
  catching it every morning.  Disabling the Test Hacker alert is not a option.  I have used Process Explorer also but can't seem to pin it down.  I also enabled Kerberos logging.
  http://support.microsoft.com/kb/262177?wa=wsignin1.0.  All event codes state its a unknown or no existing account but how do I stop it from happening?
  This is from the System Event log
  A Kerberos Error Message was received:
  on logon session TH.LOCAL\thsbs11e$
  Client Time:
  Server Time: 14:59:53.0000 3/4/2014 Z
  Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
  Extended Error:
  Client Realm:
  Client Name:
  Server Realm: TH.LOCAL
  Server Name: krbtgt/TH.LOCAL
  Target Name: krbtgt/[email protected]
  Error Text:
  File: e
  Line: 9fe
  Error Data is in record data.
  This is from the Security Event log
  A Kerberos authentication ticket (TGT) was requested.
  Account Information:
  Account Name: S-1-5-21-687067891-4024245798-968362083-1000
  Supplied Realm Name: TH.LOCAL
  User ID: NULL SID
  Service Information:
  Service Name: krbtgt/TH.LOCAL
  Service ID: NULL SID
  Network Information:
  Client Address: ::1
  Client Port: 0
  Additional Information:
  Ticket Options: 0x40810010
  Result Code: 0x6
  Ticket Encryption Type: 0xffffffff
  Pre-Authentication Type: -
  Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:
  Certificate information is only provided if a certificate was used for pre-authentication.
  Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
  I then get teh following error in the next event
  An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: THSBS11E$
  Account Domain: TH
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x25c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: THSBS11E
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

  Well I opened the case for him and he never followed up with Microsoft :-(
  It's a kerberos issue, we're told to ignore it.  Would you be willing to be patient and stubborn and work with CSS to at least understand what's going on better?  I can tell you it's normal with Essentials but not the exact technical reason it's
  happening.
  Unfortunately TechNet isn't coming back, sorry folks :-(

• Event ID 6038 LsaSrv NTLM authentication warning

  Searching the internets we haven't found any other references to this particular Event ID Warning message. 
  It's likely new in Windows Server 2012, we are part of an Active Directory that is at Forest Functional Level:
   Windows Server 2008, but out Child Domain is at Domain Functional Level:
   Windows Server 2012 (3 Domain Controllers in our Child Domain). 
  Clicking on the URL in the Description of the Event ID just link to a ‘Windows Server Future Resources’ placeholder page. 
  The full Event ID is pasted in below.
  We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. 
  How are these tasks accomplished on Windows Server 2012 Domain Controllers? 
  Thanks in advance for any help! 
  Log Name:      System
  Source:        LsaSrv
  Date:         
  12/27/2012 6:00:01 PM
  Event ID:      6038
  Task Category: None
  Level:        
  Warning
  Keywords:      Classic
  User:         
  N/A
  Computer:      <server
  FQDN>
  Description:
  Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
  NTLM is a weaker authentication mechanism. Please check: 
        Which applications are using NTLM authentication?
        Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
        If NTLM must be supported, is Extended Protection configured? 
  Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

  Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
  I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. 
  It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. 
  So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 
  Auditing and restricting NTLM usage guide
  http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
  Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
  This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating
  systems.
  With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both
  the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively
  restrict NTLM traffic.
  This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.