Windows 7 : How to Troubleshoot Authentication Issues (part 2) - How to Use Auditing to Troubleshoot Authentication Problems

1/2/2014 3:17:55 AM

2. How to Use Auditing to Troubleshoot Authentication Problems

By default, Windows 7 does not add an event to the event log when a user provides incorrect credentials (such as when a user mistypes a password). Therefore, when troubleshooting authentication problems, your first step should be to enable auditing for logon events so that you can gather more information about the credentials the user provided and the resource being accessed.

Windows 7 (and earlier versions of Windows) provides two separate authentication auditing policies:

  • Audit Logon Events: This policy audits authentication attempts for local resources, such as a user logging on locally, elevating privileges using a UAC prompt, or connecting over the network (including connecting using Remote Desktop or connecting to a shared folder). All authentication attempts will be audited, regardless of whether the authentication attempt uses a domain account or a local user account.

  • Audit Account Logon Events: This policy audits domain authentications. No matter which computer the user authenticates to, these events appear only on the domain controller that handled the authentication request. Typically, you do not need to enable auditing of account logon events when troubleshooting authentication issues on computers running Windows 7. However, auditing of successful account logon events is enabled for domain controllers by default.

To log failed authentication attempts, you must enable auditing by following these steps:

  1. Click Start and then click Control Panel. Click System And Security. Click Administrative Tools, and then double-click Local Security Policy.

  2. In the Local Security Policy console, expand Local Policies, and then select Audit Policy.

  3. In the right pane, double-click Audit Logon Events.

  4. In the Audit Logon Events Properties dialog box, select the Failure check box to add an event to the Security event log each time a user provides invalid credentials. If you also want to log successful authentication attempts (which include authentication attempts from services and other nonuser entities), select the Success check box.

  5. Click OK.

  6. Restart your computer to apply the changes.

With auditing enabled, you can view audit events in Event Viewer by following these steps:

  1. Click Start, right-click Computer, and then click Manage.

  2. Expand System Tools, Event Viewer, Windows Logs, and then select Security.

    Event Viewer displays all security events. To view only successful logons, click the Filter Current Log link in the Actions pane and show only Event ID 4624. To view only unsuccessful logon attempts, click the Filter Current Log link and show only Event ID 4625.

Figure 3 shows an example of a logon audit failure that occurred when the user provided invalid credentials at a UAC prompt. Notice that the Caller Process Name (listed under Process Information) is Consent.exe, the UAC process.

Figure 3. A logon audit failure caused by invalid credentials

Audit events for failed authentication attempts from across the network resemble the following event text. In particular, the Account Name, Account Domain, Workstation Name, and Source Network Address are useful for identifying the origin computer.

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: baduser
    Account Domain: NWTRADERS

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: CONTOSO-DC
    Source Network Address: 192.168.1.212
    Source Port: 4953

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

When you are authenticating to network resources, authentication failures are always logged on the server, not on the client. For example, if you attempt to connect to a shared folder and you mistype the password, the event won't appear in your local event log—it appears instead in the event log of the computer sharing the folder.

Note

DON'T TRUST THE REPORTED COMPUTER NAME

The computer sending the authentication attempt communicates its own workstation name. Therefore, if the authentication attempt is malicious, the workstation name might be intentionally invalid. The Internet Protocol (IP) address should always be correct, however.
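
As an added example (not part of the original article), the following Python sketch parses the text of an Event ID 4625 message like the one shown above, decodes the Sub Status code into the specific cause, and reports the workstation name separately from the source address because the client supplies that name itself. The function names are illustrative, and the status-code and logon-type tables are short lists of well-known Windows values chosen for this example.

```python
# Constructed sample: an abridged copy of the event text shown on this page.
SAMPLE_EVENT = """An account failed to log on.
Subject:
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: baduser
Account Domain: NWTRADERS
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Network Information:
Workstation Name: CONTOSO-DC
Source Network Address: 192.168.1.212
"""
# Well-known NTSTATUS codes reported in the Sub Status field of Event ID 4625.
SUB_STATUS = {0xC0000064: "user name does not exist",
              0xC000006A: "password is wrong",
              0xC0000072: "account disabled",
              0xC0000234: "account locked out"}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (Remote Desktop)"}

def parse_event(text):
    """Return {(section, field): value}; names like Account Name repeat per section."""
    fields, section = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if sep and value:
            fields[(section, key)] = value
        elif sep:
            section = key  # a header line such as "Network Information:"
    return fields

def summarize(text):
    f = parse_event(text)
    failed = "Account For Which Logon Failed"
    sub = int(f[("Failure Information", "Sub Status")], 16)
    # Logon Type is a top-level field that follows the Subject block; look it up by name.
    logon_type = int(next(v for (_, k), v in f.items() if k == "Logon Type"))
    return {
        "account": f[(failed, "Account Domain")] + "\\" + f[(failed, "Account Name")],
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "cause": SUB_STATUS.get(sub, hex(sub)),
        # Workstation Name is sent by the client; only the address identifies the origin.
        "origin_ip": f[("Network Information", "Source Network Address")],
        "claimed_workstation": f[("Network Information", "Workstation Name")],
    }
```

Calling summarize(SAMPLE_EVENT) shows that the generic "Unknown user name or bad password" failure on this page was caused by a user name that does not exist, which the Failure Reason line alone does not reveal.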

 