cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Stephan_R
Engaged Sweeper II

Hi all,

since some time (i don't know exactly since when - maybe since the update to v10.2.4.0) LanSweeper is spamming failed logon events (4625) in our security event logs on all our domain controllers.

here is an example event (removed IPs / hostnames)

 

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
  <EventID>4625</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12544</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8010000000000000</Keywords> 
  <TimeCreated SystemTime="2022-11-22T15:16:54.207895700Z" /> 
  <EventRecordID>453580707</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="720" ThreadID="6748" /> 
  <Channel>Security</Channel> 
  <Computer>...</Computer> 
  <Security /> 
 </System>
 <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">...</Data> 
  <Data Name="SubjectDomainName">...</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName" /> 
  <Data Name="TargetDomainName" /> 
  <Data Name="Status">0xc000006d</Data> 
  <Data Name="FailureReason">%%2313</Data> 
  <Data Name="SubStatus">0xc0000064</Data> 
  <Data Name="LogonType">3</Data> 
  <Data Name="LogonProcessName">Schannel</Data> 
  <Data Name="AuthenticationPackageName">Kerberos</Data> 
  <Data Name="WorkstationName">...</Data> 
  <Data Name="TransmittedServices">-</Data> 
  <Data Name="LmPackageName">-</Data> 
  <Data Name="KeyLength">0</Data> 
  <Data Name="ProcessId">0x2d0</Data> 
  <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data> 
  <Data Name="IpAddress">...</Data> 
  <Data Name="IpPort">58937</Data> 
 </EventData>
</Event>

 

 

It looks like that this event comes up for every asset scan which was performed and it's always the same status "unknown username or password" for target user SID "S-1-0-0"

I already checked all of our windows credentials and the mapping in LanSweeper but they are fine and didn't changed at all (and also working for auditing our windows assets)
I think there is something else going wrong because of the strange target user SID.

Maybe someone know how to stop or fix these logon attamps from the LanSweeper scanning service or had the same issue?

Thanks a lot and kind Regards,
Stephan

7 REPLIES 7
martinb1
Engaged Sweeper

Hi Stephan, 

I see the same behaviour on my DCs after switching over to LDAPS. Did you ever find a solution for it? 

Additionally I can log these failed Kerberos authentication attempts from the Lansweeper server, which are showing a bit before the event you posted. You can see here, that an authentication attempt is made with the account name: "host" , looks like a broken variable to me. Of course this authentication attempt results in a user unknown response.

Screenshot 2023-08-09 090344.pngRegards,

Martin

Stephan_R
Engaged Sweeper II

Hi Martin,

unfortunately I still have no solution for this issue, even the lansweeper support couldn't fix it after some troubleshooting. My support ticket was closed because it wasn't reproducable in the lab.
I still use lansweeper with a LDAP (non-secure) connection to workaround this issue.

Regards,
Stephan

Stephan_R
Engaged Sweeper II

update: I contacted the lansweeper support and they figured out that the usage of LDAPS was the issue. Switching back to LDAP instead of LDAPS (in Scanning -> Scanning targets -> On-Premises Active Directory Scanning Options -> LDAP(S) ) fixed the issue for now.

They currently try to reproduce this issue on a lab to provide a fix

Tim_N
Lansweeper Employee
Lansweeper Employee

Stephan_R, I wonder if this was recently fixed with the update of 10.4.1.0. 

Lansweeper Changelog - Lansweeper.com

There's something similar listed there as LAN-14431. Try upgrading to this version and see if that helps you out. 

Please keep us posted how it goes.

Tim N.
Lansweeper Employee
Stephan_R
Engaged Sweeper II

Hi Tim_N, thank you for the hint.

I've updated and tested with LDAPS again right now, but unfortunately I still have the same issue.

Kind Regards,
Stephan

ErikT
Lansweeper Tech Support
Lansweeper Tech Support

@Stephan_R, if the issue isn't fixed after upgrading, I would recommend reaching out to our support team again. 

Stephan_R
Engaged Sweeper II

the issue couln't be reproduced in the test lab from Lansweeper support.
So this issue still persists in my environment, as soon as I endable LDAPS in LanSweeper

Any hints for troubleshooting or a Workaround (except switch to LDAP non-secure 😉 ) is welcome

Kind Regards,
Stephan