Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

This section contains an overview of general authentication troubleshooting tools—“general” meaning not related to specific authentication protocols. We will discuss authentication-related event logging and netlogon logging.

4.9.1 Authentication-related event logging

Windows auditing includes the following authentication-related event categories:

Enabling auditing for the above event categories can be of great use when troubleshooting Windows authentication problems. This section gives only an introduction to authentication-related event logging; we will come back to Windows auditing in more detail in Chapter 18.

When auditing is enabled for logon events, your event logs will contain entries similar to the ones shown in Figures 4.13 and 4.14. Figure 4.13 shows the event details for a successful logon event. Figure 4.14 shows the event details for a logon failure event. Table 4.7 shows all the event detail fields for Windows user authentication events.

Figure 4.13: Successful logon event.

Figure 4.14: Failed logon event.

Table 4.7: Logon Process Field Values

Event Detail Field Name: Description

Date: The date on which the event occurred.
Time: The time at which the event occurred.
User: The user account performing the logon event.
Computer: The account name of the computer on which the event occurred.
Event ID: The identifier for the event. For an overview of Windows 2000 event IDs (still applicable to Windows Server 2003), see the Microsoft articles on “Security Event Descriptions” Parts 1 and 2 (Knowledge Base articles Q299475 and Q301677).
Source: The source of the event.
Type: The type of event: successful (Success Audit) or failure (Failure Audit).
Category: The category of the event.
Description: A short description of the event. This field holds the following user authentication-related information:
    Reason: An explanation of why the authentication failed (applies only to authentication failures).
    User Name: The name of the user account that tried to log on.
    Domain: The NT domain of the user account that tried to log on.
    Logon ID: The unique identifier for a logon session.
    Logon Type: A numeric value that indicates the NT logon type.
    Logon Process: The name of the process that performed the logon.
    Authentication Package: The name of the authentication package used for the logon.
    Workstation Name: The account name of the workstation that the user account used for the logon event.

Table 4.8 shows the most important authentication-related event IDs. Table 4.9 shows the values of the Logon Type field and their meaning. The most frequently occurring Logon Type values are 2 and 3. When you see a Logon Type 2 in the Event Viewer logs, you know that somebody has logged on interactively to your machine. When you see a Logon Type 3, you know that somebody has tried to access a resource on your computer from the network. When you see a Logon Type 4, you know that the Windows Scheduler service has run a script or program in batch. When you see a Logon Type 5, you know that a Windows service has started using a specific user account.

Table 4.8: Authentication-Related Event IDs

Event ID: Meaning

514: An authentication package has been loaded by the LSA.
515: A trusted logon process has registered with the LSA.
518: A notification package has been loaded by the Security Account Manager.
528: Successful Logon.
529: Logon Failure: Unknown user name or bad password.
530: Logon Failure: Account logon time restriction violation.
531: Logon Failure: Account currently disabled.
532: Logon Failure: The specified user account has expired.
533: Logon Failure: User not allowed to log on at this computer.
534: Logon Failure: The user has not been granted the requested logon type at this machine.
535: Logon Failure: The specified account’s password has expired.
536: Logon Failure: The NetLogon component is not active.
537: Logon Failure: An unexpected error occurred during the logon process.
538: User Logoff.
539: Logon Failure: Account locked out.
540: A user successfully logged on to a network.
548: Logon Failure: The security ID (SID) from a trusted domain does not match the account domain SID of the client.
549: Logon Failure: All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
551: A user initiated the logoff process.
552: A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
644: User Account Locked Out.

Table 4.9: Logon Type Field Values

Logon Type: Meaning

2: Interactive logon process
3: Network logon process
4: Batch logon process
5: Service logon process
6: Proxy logon process
7: Unlock workstation
8: Network cleartext logon process
9*: Newcredentials logon
10: Remote desktop (RDP) or terminal services logon process
11: Logon process using cached credentials

* This logon type means that a security principal cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

The Logon ID field uniquely identifies a logon session on a particular machine. Because both a logon session’s logon and logoff events refer to the same Logon ID, you can use the Logon ID to find the logoff event that corresponds to a particular logon event. A logoff event has event ID 538.
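As an added illustration that is not part of the book, the following Python script applies Tables 4.8 and 4.9 to a handful of constructed security event records: it maps event IDs and Logon Type codes to their meanings, pairs each successful logon (528 or 540) with its 538 logoff through the Logon ID field, lists sessions that never logged off, and flags accounts with repeated failures or a 644 lockout. The record layout, the sample values, the account and host names and the failure threshold are assumptions of the example.

```python
"""Added example (not from the book): correlate Windows Server 2003-style
security events by Logon ID and summarise logon failures.

The event records are constructed; event IDs and logon type codes follow
Tables 4.8 and 4.9 of the text."""
from collections import Counter

# Subset of Table 4.8: event ID -> meaning.
EVENT_MEANING = {
    528: "Successful Logon",
    529: "Logon Failure: Unknown user name or bad password",
    538: "User Logoff",
    539: "Logon Failure: Account locked out",
    540: "A user successfully logged on to a network",
    644: "User Account Locked Out",
}

# Table 4.9: Logon Type -> meaning.
LOGON_TYPE_MEANING = {
    2: "Interactive logon process",
    3: "Network logon process",
    4: "Batch logon process",
    5: "Service logon process",
    6: "Proxy logon process",
    7: "Unlock workstation",
    8: "Network cleartext logon process",
    9: "Newcredentials logon",
    10: "Remote desktop (RDP) or terminal services logon process",
    11: "Logon process using cached credentials",
}

SUCCESSFUL_LOGON_IDS = {528, 540}
LOGOFF_ID = 538
FAILURE_IDS = set(range(529, 538)) | {539, 548, 549}


def make_event(event_id, user, logon_type=None, logon_id=None, workstation=None):
    """Build one record keyed by the Table 4.7 field names (constructed data)."""
    return {
        "Event ID": event_id,
        "User Name": user,
        "Logon Type": logon_type,
        "Logon ID": logon_id,
        "Workstation Name": workstation,
    }


# Constructed sample log: one interactive session on WS01 that logs off, a
# service-account network logon on FS01 that never logs off, and a burst of
# bad-password failures against JoeJ from WS02 that ends in a lockout.
SAMPLE_EVENTS = [
    make_event(528, "JoeJ", 2, "(0x0,0x3E7A1)", "WS01"),
    make_event(540, "svc_backup", 3, "(0x0,0x4C010)", "FS01"),
    make_event(529, "JoeJ", 3, None, "WS02"),
    make_event(529, "JoeJ", 3, None, "WS02"),
    make_event(529, "JoeJ", 3, None, "WS02"),
    make_event(538, "JoeJ", 2, "(0x0,0x3E7A1)", "WS01"),
    make_event(539, "JoeJ", 3, None, "WS02"),
    make_event(644, "JoeJ", None, None, "DC01"),
]


def describe(event):
    """Human-readable line: event meaning plus the Logon Type meaning, if any."""
    eid = event["Event ID"]
    text = f"{eid} {EVENT_MEANING.get(eid, 'Unknown event ID')}"
    lt = event["Logon Type"]
    if lt is not None:
        text += f" (Logon Type {lt}: {LOGON_TYPE_MEANING.get(lt, 'unknown')})"
    return text


def pair_sessions(events):
    """Match each successful logon with its logoff through the Logon ID field.
    Returns {logon_id: {"user": ..., "logon": event, "logoff": event or None}}."""
    sessions = {}
    for ev in events:
        lid = ev["Logon ID"]
        if ev["Event ID"] in SUCCESSFUL_LOGON_IDS and lid:
            sessions[lid] = {"user": ev["User Name"], "logon": ev, "logoff": None}
        elif ev["Event ID"] == LOGOFF_ID and lid in sessions:
            sessions[lid]["logoff"] = ev
    return sessions


def open_sessions(events):
    """Logon IDs that have a logon event but no matching 538 logoff."""
    return sorted(lid for lid, s in pair_sessions(events).items() if s["logoff"] is None)


def repeated_failures(events, threshold=3):
    """Users with at least `threshold` logon failures (any failure event ID)."""
    counts = Counter(ev["User Name"] for ev in events if ev["Event ID"] in FAILURE_IDS)
    return {user: n for user, n in counts.items() if n >= threshold}


def locked_out_accounts(events):
    """Accounts that produced a 644 (User Account Locked Out) event."""
    return {ev["User Name"] for ev in events if ev["Event ID"] == 644}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe(ev))
    print("open sessions:", open_sessions(SAMPLE_EVENTS))
    print("repeated failures:", repeated_failures(SAMPLE_EVENTS))
    print("locked out:", locked_out_accounts(SAMPLE_EVENTS))
```

Run the script as-is to see the eight records described, the one session without a logoff, and JoeJ reported with four failures and a lockout. On a real system the records would come from the Security log rather than from the constructed list.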

The Logon Process field shows the name of the process that initiated the logon session. Table 4.10 shows some of the possible values for this field and their meaning.

Table 4.10: Logon Process Field Values

Logon Process Field Entry: Description

User32 or WinLogon\MSGina: A typical NT logon process occurred. Winlogon.exe and msgina.dll are the files that the NT authentication UI uses.
SCMgr: The NT Service Control Manager (SCM) logged on and started a service.
Advapi: An application called the LogonUser functions to initiate a logon process.
MS.RADIU: The Remote Authentication Dial-In User Service (RADIUS) initiated a logon process.
Ntlmssp: The NT LAN Manager (NTLM) authentication protocol Security Support Provider (SSP) initiated the logon process.
IIS: Microsoft IIS initiated the logon process (this situation occurs when you use anonymous access or basic authentication on the IIS level).
Kerberos: The Kerberos authentication protocol SSP initiated the logon process.

4.9.2 Netlogon logging

The Netlogon service is one of the key LSA processes that runs on every Windows domain controller (see Chapter 2 for more information on the LSA). It plays a critical role during interactive and noninteractive logon sequences. When troubleshooting authentication problems, it can be very useful to turn on Netlogon service logging.

To turn on Netlogon logging, type the following nltest command at the command line:

nltest /dbflag:2080ffff

Enabling Netlogon logging also requires a Netlogon service restart. You can do this using the net stop netlogon and net start netlogon commands. To disable Netlogon logging, type:

nltest /dbflag:0

Then restart the Netlogon service again. The Netlogon service stores its log data in a special log file called netlogon.log, which is stored in the %Windir%\debug folder.

Two useful tools for querying Netlogon log files are nlparse.exe and findstr.exe.

Nlparse.exe is a GUI tool that comes with the Microsoft account lockout tools, which can be downloaded for free from the Microsoft Web site (look for altools.exe). Figure 4.15 shows the nlparse GUI: It contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files (both stored in the %Windir%\debug folder)—netlogon.log-out.csv and netlogon.log-summaryout.txt.

Figure 4.15: Using the nlparse.exe tool.

Findstr.exe is a command-line tool that is included with the default installation of Windows 2000, Windows XP, and Windows Server 2003.

You can use it to query one or more Netlogon log files for occurrences of a particular user account or error code. The following command queries the netlogon.log file for occurrences of user JoeJ and stores the results of the query in the output.txt file.

findstr "JoeJ" netlogon.log >c:\output.txt
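The following Python script is an added example, not part of the book or of the Microsoft tools. It does for a few constructed netlogon.log lines what the findstr query above and the nlparse summary do by hand: it filters the raw lines for one account, parses the SamLogon result lines, and tallies failures per account and per source workstation. The line layout, the sample domain, account and host names, and the small table of NTSTATUS codes are assumptions of the example and are not taken from the page.

```python
"""Added example (not part of the book): parse netlogon.log SamLogon lines.

The sample lines are constructed; the line layout and the NTSTATUS subset
below are assumptions of this example."""
import re
from collections import Counter, defaultdict

# Small subset of NTSTATUS codes that Netlogon returns for logon attempts
# (assumed mapping for this example; nlparse carries a fuller list).
STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed netlogon.log excerpt: three attempts against JoeJ from WS02 that
# end in a lockout, one service logon, one transitive logon and one unrelated line.
NETLOGON_SAMPLE = """\
03/15 09:12:01 [LOGON] HPDOM: SamLogon: Network logon of HPDOM\\JoeJ from WS02 Returns 0xC000006A
03/15 09:12:03 [LOGON] HPDOM: SamLogon: Network logon of HPDOM\\JoeJ from WS02 Returns 0xC000006A
03/15 09:12:05 [LOGON] HPDOM: SamLogon: Network logon of HPDOM\\JoeJ from WS02 Returns 0xC0000234
03/15 09:13:40 [LOGON] HPDOM: SamLogon: Network logon of HPDOM\\svc_backup from FS01 Returns 0x0
03/15 09:14:02 [LOGON] HPDOM: SamLogon: Transitive Network logon of HPDOM\\AnnK from WS07 (via SRV01) Returns 0x0
03/15 09:15:11 [MISC] DsGetDcName function called: client PID=1234
"""

# Assumed layout of a SamLogon result line: timestamp, category, domain,
# logon kind, DOMAIN\account, source workstation, optional relay, NTSTATUS.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<cat>\w+)\] (?P<domain>\w+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<ws>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)


def parse_netlogon_line(line):
    """Return a dict for a SamLogon result line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"], 16)
    rec["status_name"] = STATUS_NAMES.get(rec["status"], "UNKNOWN_STATUS")
    return rec


def parse_log(text):
    """All parsable SamLogon records in the log text, in file order."""
    return [r for r in (parse_netlogon_line(l) for l in text.splitlines()) if r]


def grep_account(text, name):
    """Equivalent of `findstr "name" netlogon.log`: raw lines mentioning the account."""
    return [l for l in text.splitlines() if name in l]


def failure_summary(text):
    """{account: {status_name: count}} for every non-zero status (nlparse-style summary)."""
    out = defaultdict(Counter)
    for rec in parse_log(text):
        if rec["status"] != 0:
            out[rec["account"]][rec["status_name"]] += 1
    return {acct: dict(c) for acct, c in out.items()}


def sources_of_failures(text):
    """Count failed attempts per originating workstation."""
    return Counter(rec["ws"] for rec in parse_log(text) if rec["status"] != 0)


if __name__ == "__main__":
    print("\n".join(grep_account(NETLOGON_SAMPLE, "JoeJ")))
    print(failure_summary(NETLOGON_SAMPLE))
    print(sources_of_failures(NETLOGON_SAMPLE))
```

To run it against a real file, read %Windir%\debug\netlogon.log into a string and pass that instead of NETLOGON_SAMPLE; lines that do not match the assumed SamLogon layout are skipped rather than raising an error, which is what you want on a log that also contains Netlogon's other message categories.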
