aleksein asked aleksein answered

Hyper-V issue, Event ID 4625. Hyper-V Cluster.

Hello all.

I have an issue with event id 4625. Hope you can help me to fix it.
I have a Hyper-V cluster with 6 hosts (2016). On several of my hosts every day I find the alert "Security-Event ID: 4625".
Sometimes the "Source Network Address:" is one of my nodes, and sometimes null.

Example:
Problem started at 19:30:14 on 2021.10.16
Problem name: Event ID4625 alert - Logon Failure
Severity: High
Operational data: An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090308
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: X.X.X.X (IP address of one of the nodes from the cluster)
Source Port: 54096
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

BR
Aleksei

windows-server-hyper-v

LimitlessTechnology-2700 answered

Hello Aleksein

This error occurs when an account has been locked out and the logon is unsuccessful: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

About the logon type:

Logon type 3: Network. A user or computer logged on to this computer from the network.

The description of this logon type clearly states that the event logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.). As we learned in the previous post, the connection with logon type = 3 could be established even from a local computer.

From the looks of it, you may have an account that is locked out, but at the same time is configured to connect to some network resources. To find the locked accounts (and audit them) you can follow the next article that explains how to achieve it through PowerShell:

https://devblogs.microsoft.com/scripting/use-powershell-to-find-locked-out-user-accounts/



--If the reply is helpful, please Upvote and Accept as answer--
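To triage the pattern described in the question (empty account name, Logon Type 3, NTLM, Status 0x80090308, source address of another cluster node), here is an added PowerShell example, not from the thread or the linked article, that pulls the 4625 events from the Security log on a node and groups them by status, source address, logon type and authentication package. It assumes an elevated session on a Windows Server host; the status-code descriptions are the well-known values from ntstatus.h/winerror.h, not something the thread states.

```powershell
# Added example: summarise Event ID 4625 on this host so repeating
# Status / Source Network Address / Logon Type combinations stand out.
# Assumes an elevated session (Security log is not readable otherwise).

# Well-known 4625 status codes (ntstatus.h / winerror.h), lower-cased as they
# appear in the event XML. 0x80090308 is SEC_E_INVALID_TOKEN, i.e. the SSPI
# layer rejected the token before any user name was evaluated.
$StatusText = @{
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0x80090308' = 'SEC_E_INVALID_TOKEN (SSPI/NTLM token rejected)'
}

function Get-LogonFailureSummary {
    param(
        [int]$Hours = 24,
        [string]$StatusFilter = ''   # e.g. '0x80090308' to match the question
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Each <Data Name="..."> element of the event becomes a hashtable entry.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $status = "$($d['Status'])".ToLower()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Status      = $status
            StatusText  = $StatusText[$status]
            SubStatus   = $d['SubStatus']
            LogonType   = $d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
            Account     = if ($d['TargetUserName']) { $d['TargetUserName'] } else { '<empty>' }
            SourceIp    = $d['IpAddress']
            SourcePort  = $d['IpPort']
            Workstation = $d['WorkstationName']
        }
    } | Where-Object { -not $StatusFilter -or $_.Status -eq $StatusFilter }
}

# Group the failures the way the question describes them; a single cluster
# node repeating the same status with no account name will surface as one row.
Get-LogonFailureSummary -Hours 24 |
    Group-Object Status, SourceIp, LogonType, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

To compare nodes, wrap the call in `Invoke-Command -ComputerName host001,host003 -ScriptBlock { ... }` so the same summary is produced on each cluster member.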


aleksein answered

Thank you for your answer!

The problem is that this is a private network; only cluster servers (Hyper-V, domain controllers, backup server, one admin server) are friends on this VLAN.

On this error I see "Source Network Address: one of my cluster members".
I don't understand why host003 is trying to log in to host001 without a username.

BR
Aleksei
