Jump to content

Schannel errors for SID S-1-0-0


silnocus
 Share

Recommended Posts

We're getting many thousands of these errors in the event logs on our RA server, running the latest version of the server (6.4.295.0) on Windows Server 2012 R2.

An account failed to log on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		S-1-0-0
	Account Name:		
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000006D
	Sub Status:		0x80090325

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Schannel
	Authentication Package:	Schannel
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

 

I'm hitting a wall on where these could be coming from. The event log entry itself isn't very useful. Is there any process that any ESET product uses that uses the SID from this event?

 

I've done a little testing and the errors stop when I stop the ESET Remote Administrator Service, as well.

Edited by silnocus
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...