Because connections in Windows 2000 are authenticated, you need to understand how to read logon events. The purpose of this section is to explain the different variables that make up a logon event.
Microsoft Windows NT includes only one audit category for logon and logoff. Windows 2000 introduces a second. The two categories—Logon/Logoff and Account Logon—are explained in the following sections.
The Logon/Logoff event category, available in all versions of Windows NT and Windows 2000, indicates that an account logged on or off or made a network connection to the computer. In other words, the audit event is triggered on the computer where the logon occurs. The Logon/Logoff category is important because it provides the most information when using IIS, SQL Server, and COM+.
The most significant events in the Logon/Logoff category are
The following sections show these events, and Table 11-3 explains each of the fields in the events.
Logon/Logoff event 529 (logon failure)
```
Event Type:     Failure Audit
Event Source:   Security
Event Category: Logon/Logoff
Event ID:       529
Date:           9/3/1999
Time:           8:57:21 PM
User:           NT AUTHORITY\SYSTEM
Computer:       CHERYL-LAPTOP
Description:
Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              Administrator
    Domain:                 CHERYL-LAPTOP
    Logon Type:             2
    Logon Process:          seclogon
    Authentication Package: Negotiate
    Workstation Name:       CHERYL-LAPTOP
```
Logon/Logoff event 528 (logon success) and Logon/Logoff event 540 (network logon success)
```
Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff
Event ID:       540
Date:           1/23/2000
Time:           5:41:39 PM
User:           EXAIR\Cheryl
Computer:       CHERYL-LAPTOP
Description:
Successful Network Logon:
    User Name:              cheryl
    Domain:                 EXAIR
    Logon ID:               (0x0,0x17872A8)
    Logon Type:             3
    Logon Process:          Kerberos
    Authentication Package: Kerberos
    Workstation Name:
```
Table 11-3. Success and failure logon fields.
Field | Comments |
---|---|
Event Type, Source, Category, and ID; Date; and Time | All self-explanatory. |
User | The user account performing the logon. For example, this might be NT AUTHORITY\SYSTEM, which is the LocalSystem account used to start many Windows 2000 services. |
Computer | The computer on which the event occurred. |
Reason | Applies to logon failures only; it's the reason the account failed to log on. |
User Name | The name of the user account attempting to log on. |
Domain | The domain of the user account attempting to log on. |
Logon Type | A numeric value indicating the type of logon attempted. Possible values are |
Logon Process | The process performing the logon. The following are some example logon processes: |
Authentication Package | The security package called to attempt to log on the account. An authentication package is a dynamic-link library (DLL) that analyzes logon data and determines whether to authenticate an account. Most common examples are |
Workstation Name | Workstation name, if known, used by the principal during logon. |
The Account Logon event category indicates that an account logged on or off and that this computer was used to validate the account. In this case, the audit event is triggered on the computer where the account resides. Many Kerberos-related events, such as ticket issuing, are logged when this audit category is enabled.
The following sections show two often-seen account logon failure events.
Account Logon event 676 (logon failure): Authentication Ticket Request Failed
```
Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       676
Date:           5/11/2000
Time:           8:47:01 PM
User:           NT AUTHORITY\SYSTEM
Computer:       DBSERVER
Description:
Authentication Ticket Request Failed:
    User Name:           Major
    Supplied Realm Name: EXPLORATIONAIR.COM
    Service Name:        krbtgt/EXPLORATIONAIR.COM
    Ticket Options:      0x40810010
    Failure Code:        6
    Client Address:      172.100.100.12
```
NOTE
What is the NT AUTHORITY\SYSTEM account? This account is usually referred to as LocalSystem; it's the account under which most services run. You'll see many references to this account in the Security Event Log.
Event 676 signifies that Major could not get an initial ticket-granting ticket (TGT) from the Key Distribution Center (KDC). The most important part of the event is the failure code. These codes are the same as the MIT Kerberos codes. Table 11-4 describes some of the most common failure codes; the full list is in the main Kerberos Request for Comments, RFC 1510.
Table 11-4. Some common Kerberos failure codes.
Failure Code | Comments |
---|---|
6 | Client not found in the Kerberos database. |
7 | Server not found in the Kerberos database. This generally indicates a service principal name (SPN) has not been registered for the service. |
23 | Password has expired. |
32 | Ticket has expired. |
33 | Ticket not yet valid. |
34 | Request is a replay. Someone is trying to play back a Kerberos client's response; you are possibly being attacked. |
37 | Clock skew too great. Kerberos is time-critical; make sure all clocks are synchronized. |
Account Logon event 681 (logon failure) with a large number for the error code
You might sometimes see an error like the following, in which the error code, taken on its own, tells you virtually nothing.
```
Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       681
Date:           5/11/2000
Time:           8:47:01 PM
User:           NT AUTHORITY\SYSTEM
Computer:       DBSERVER
Description:
The logon to account: Major
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: WEBSERVER
    failed. The error code was: 3221225572
```
Table 11-5 describes some of the more common error codes.
Table 11-5. Example Account Logon error codes.
Error Code (Decimal) | Error Code (Hex) | Comments |
---|---|---|
3221225572 | 0xC0000064 | The specified user does not exist. |
3221225570 | 0xC0000062 | The name provided is not a properly formed account name. |
3221225569 | 0xC0000061 | A required privilege is not held by the client. |
3221225578 | 0xC000006A | When trying to update a password, this return status indicates that the value provided as the current password is not correct. |
3221225580 | 0xC000006C | When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria. |
3221225585 | 0xC0000071 | The user account's password has expired. |
3221225586 | 0xC0000072 | The referenced account is currently disabled. |
If you correlate the previous two security failure events—Major's request for an initial TGT failing with error 6 (Client not found in the Kerberos database) when he attempted to log on and a generic logon failure occurring with error 3221225572 (The specified user does not exist)—it's plain to see what the error is: Major isn't a valid account!
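As an added example (not code from the book), the following Python decoder reads the 676 and 681 records shown above, renders the 681 decimal code in its NTSTATUS hex form, looks both codes up in Tables 11-4 and 11-5, and groups the two failures by account so the correlation made in this paragraph can be done mechanically over an exported log. The sample records are the page's own two events, flattened to one line each as an event-log export leaves them.

```python
import re

# Kerberos failure codes from Table 11-4 (the RFC 1510 error numbers).
KRB_FAILURE_CODES = {
    6: "Client not found in the Kerberos database",
    7: "Server not found in the Kerberos database",
    23: "Password has expired",
    32: "Ticket has expired",
    33: "Ticket not yet valid",
    34: "Request is a replay",
    37: "Clock skew too great",
}
# NTSTATUS codes from Table 11-5, keyed by their hex value.
NTSTATUS_CODES = {
    0xC0000064: "The specified user does not exist",
    0xC0000062: "The name provided is not a properly formed account name",
    0xC0000061: "A required privilege is not held by the client",
    0xC000006A: "The current password given for a password update is not correct",
    0xC000006C: "A password update rule has been violated",
    0xC0000071: "The user account's password has expired",
    0xC0000072: "The referenced account is currently disabled",
}
# Constructed sample input: the two failure events above, flattened to one line each
# (trimmed to the description fields the decoder reads), as an event-log export leaves them.
EVENT_676 = ("Event ID: 676 Description: Authentication Ticket Request Failed: User Name: Major "
             "Supplied Realm Name: EXPLORATIONAIR.COM Failure Code: 6 Client Address: 172.100.100.12")
EVENT_681 = ("Event ID: 681 Description: The logon to account: Major by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
             "from workstation: WEBSERVER failed. The error code was: 3221225572")

def decode(text):
    """Decode one 676 or 681 record into the account, its raw code and the code's meaning."""
    event_id = int(re.search(r"Event ID:\s*(\d+)", text).group(1))
    if event_id == 676:
        user = re.search(r"User Name:\s*(\S+)", text).group(1)
        code = int(re.search(r"Failure Code:\s*(\d+)", text).group(1))
        return {"event": 676, "user": user, "code": code,
                "meaning": KRB_FAILURE_CODES.get(code, "unlisted Kerberos code")}
    if event_id == 681:
        user = re.search(r"account:\s*(\S+)", text).group(1)
        code = int(re.search(r"error code was:\s*(\d+)", text).group(1))
        # The decimal value is only recognisable once shown as an 8-digit NTSTATUS hex value.
        return {"event": 681, "user": user, "code": code, "hex": f"0x{code:08X}",
                "meaning": NTSTATUS_CODES.get(code, "unlisted NTSTATUS value")}
    raise ValueError(f"unsupported event ID {event_id}")

def correlate(records):
    """Group decoded failures by account so the KDC's 676 and the generic 681 are read together."""
    by_user = {}
    for rec in map(decode, records):
        by_user.setdefault(rec["user"], []).append(f"{rec['event']}: {rec['meaning']}")
    return by_user
```

Calling `correlate([EVENT_676, EVENT_681])` yields, for Major, the Kerberos "Client not found" reason next to the NTSTATUS "user does not exist" reason, which is exactly the pairing that identifies an invalid account.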
Now let's look at the next most important log type: the IIS log.