Kerberos Event Id 532 failure audit

  • Question

  • Hi there,

    A Domain Admin recently left the job and his account was disabled. Since I disabled his account I keep getting Failure Audit Event ID 532 in the Security event log on a number of web servers.

    Event ID error on the web server:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 532
    Date:  7/10/2012
    Time:  2:38:12 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: SERVERWEB2
    Description:
    Logon Failure:
      Reason:  The specified user account has expired
      User Name: 
      Domain:  
      Logon Type: 3
      Logon Process: Authz  
      Authentication Package: Kerberos
      Workstation Name: SERVERWEB2
      Caller User Name: SERVERWEB2$
      Caller Domain: DOMAINNAME
      Caller Logon ID: (0x0,0x3E7)
      Caller Process ID: 2532
      Transited Services: -
      Source Network Address: -
      Source Port: -

    At the same time I get a DNS error in Netlogon.log on the same web server:

    07/10 14:38:12 [SESSION] I_NetLogonGetAuthData called: (null) DOMAINNAME (Flags 0x1) 
    07/10 14:38:12 [MISC] DsGetDcName function called: Dom:DNS.DOMAIN.NAME Acct:(null) Flags: DS RET_DNS
    07/10 14:38:12 [MISC] NetpDcGetName: DNS.DOMAIN.NAME using cached information
    07/10 14:38:12 [MISC] DsGetDcName function returns 0: Dom:DOMAIN NAME Acct:(null) Flags: DS RET_DNS

    At the same time I get an Audit Failure Event ID 4769 in the Security event log on the Active Directory domain controller:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/10/2012 2:38:12 PM
    Event ID:      4769
    Task Category: Kerberos Service Ticket Operations
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ActiveDirectory2.DNS.DOMAIN.NAME
    Description:
    A Kerberos service ticket was requested.

    Account Information:
     Account Name:  SERVERWEB2$@dns.domain.name
     Account Domain:  DNS.DOMAIN.NAME
     Logon GUID:  {00000000-0000-0000-0000-000000000000}

    Service Information:
     Service Name:  host/serverweb2.dns.domain.name
     Service ID:  NULL SID

    Network Information:
    Client Address:  192.168.101.11
    Client Port:  1681

    Additional Information:
     Ticket Options:  0x40810000
     Ticket Encryption Type: 0xffffffff
     Failure Code:  0x12
     Transited Services: -

    This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

    This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

    Ticket options, encryption types, and failure codes are defined in RFC 4120.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4769</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14337</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-10T18:38:12.634632200Z" />
        <EventRecordID>859551364</EventRecordID>
        <Correlation />
        <Execution ProcessID="476" ThreadID="3252" />
        <Channel>Security</Channel>
        <Computer>ActiveDirectory2.dns.domain.name</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserName">SERVERWEB2$@dns.domain.name</Data>
        <Data Name="TargetDomainName">dns.domain.name</Data>
        <Data Name="ServiceName">host/serverweb2.dns.domain.name</Data>
        <Data Name="ServiceSid">S-1-0-0</Data>
        <Data Name="TicketOptions">0x40810000</Data>
        <Data Name="TicketEncryptionType">0xffffffff</Data>
        <Data Name="IpAddress">192.168.101.11</Data>
        <Data Name="IpPort">1681</Data>
        <Data Name="Status">0x12</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
      </EventData>
    </Event>


    What I have done so far:

    1. If I enable the user account of the ex-employee, all these logs are cleared.

    2. Removed the server from the domain and rejoined it; I still get the issue.

    3. If I disable the WMI service on the web server, all the logs disappear.

    Any ideas to fix the issue?

    Sarath

    • Moved by Mike Kinsman Wednesday, July 11, 2012 1:14 PM off topic (From:TechNet Website Feedback)
    Wednesday, July 11, 2012 1:06 PM
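As an added example (not part of the post above or of any Microsoft tooling), the following Python parses the two events quoted in the question, the legacy "Key: value" text of the 532 on the member server and the Event Xml of the 4769 on the domain controller, decodes the 4769 Status field against the RFC 4120 error-code table the event text points to, and joins the two records. The join key is an assumption of this example: the Logon GUID the event text suggests is all zeros in a failed request, so the script instead matches the Workstation Name from the 532 to the host/ SPN requested in the 4769. The error-code table is a subset of RFC 4120 section 7.5.9, and both sample inputs are trimmed copies of the events in the post, embedded here as constructed test data.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the RFC 4120 section 7.5.9 error codes; a 4769 puts the code in Status.
# 0x12 is what the KDC returns when the client principal is disabled, expired or locked out.
KRB_ERROR_NAMES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW",
}

# Constructed inputs: trimmed copies of the two events quoted in the post.
SAMPLE_532_TEXT = """\
Event ID: 532
Computer: SERVERWEB2
Logon Failure:
  Reason:  The specified user account has expired
  Logon Type: 3
  Authentication Package: Kerberos
  Workstation Name: SERVERWEB2
  Caller User Name: SERVERWEB2$
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 2532
"""

SAMPLE_4769_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4769</EventID>
    <TimeCreated SystemTime="2012-07-10T18:38:12.634632200Z" />
    <Computer>ActiveDirectory2.dns.domain.name</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">SERVERWEB2$@dns.domain.name</Data>
    <Data Name="ServiceName">host/serverweb2.dns.domain.name</Data>
    <Data Name="IpAddress">192.168.101.11</Data>
    <Data Name="Status">0x12</Data>
  </EventData>
</Event>
"""

def parse_legacy_logon_event(text):
    """Parse the 'Key: value' lines of a pre-2008 Security event such as ID 532.
    Headings without a value ('Logon Failure:') and blank fields are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def parse_4769(xml_text):
    """Flatten the System and EventData parts of a 4769 Event Xml into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "Computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "TimeCreated": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", EVT_NS):
        fields[data.get("Name")] = data.text
    return fields

def decode_krb_status(status):
    """'0x12' -> (18, 'KDC_ERR_CLIENT_REVOKED'); unknown codes map to 'UNKNOWN'."""
    code = int(status, 16)
    return code, KRB_ERROR_NAMES.get(code, "UNKNOWN")

def correlate(logon_event, tgs_event):
    """Join a member-server 532 to the DC's 4769 via the host/ SPN of the 532's
    Workstation Name (assumed join key). Returns a finding dict when the KDC
    refused the request with KDC_ERR_CLIENT_REVOKED, else None."""
    workstation = logon_event.get("Workstation Name", "").lower()
    spn = (tgs_event.get("ServiceName") or "").lower()
    code, name = decode_krb_status(tgs_event["Status"])
    if not workstation or not spn.startswith("host/" + workstation):
        return None
    if name != "KDC_ERR_CLIENT_REVOKED":
        return None
    return {
        "requester": tgs_event["TargetUserName"],
        "service": tgs_event["ServiceName"],
        "kdc": tgs_event["Computer"],
        "client_ip": tgs_event["IpAddress"],
        "krb_error": "0x%02x %s" % (code, name),
        "member_server_reason": logon_event.get("Reason"),
        "caller_process_id": logon_event.get("Caller Process ID"),
    }

if __name__ == "__main__":
    finding = correlate(parse_legacy_logon_event(SAMPLE_532_TEXT),
                        parse_4769(SAMPLE_4769_XML))
    for key, value in finding.items():
        print("%-22s %s" % (key, value))
```

The finding carries the Caller Process ID from the 532 (2532 in the post), which is the handle a practitioner would follow next on the member server to see which process keeps requesting the ticket; the script only reports it and does not attempt to explain the cause.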
