Score:1

Hyper-V issue Event ID 4625. Hyper-V Cluster

il flag

I have an issue with event ID 4625. Hope you can help me to fix it. I have a Hyper-V cluster with 6 hosts (2016). On several of my hosts, every day I find the alert "Security-Event ID: 4625". Sometimes the "Source Network Address:" is one of my nodes, and sometimes null.

Example:

Problem started at 19:30:14 on 2021.10.16
Problem name: Event ID4625 alert - Logon Failure
Severity: High
Operational data: An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090308
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: X.X.X.X (IP address of one of the nodes from the cluster)
Source Port: 54096
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

BR Aleksei

Score:0
cn flag

A null SID may occur when the username specified in a logon attempt does not correspond to a valid account.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

il flag
Greg, thank you for your answer. But I don't understand the reason that NODE003 is trying to log in to NODE002.
cn flag
The source was a process or application on that other node. You would need to review the data on that node to determine which process.
djdomi avatar
za flag
I would suggest my PowerShell script https://github.com/djdomi/Windows-Dos-Batch-Powershell/blob/master/log_security_failed_logon.ps1 if you want a mail about this.
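
A way to start the review suggested in the comments above, as an added example that is not part of the original thread and is not the script linked there: it flattens 4625 events into objects and groups them by target node, source address, status and logon type, so recurring node-to-node failures stand out. The function name, the sample XML and the address 192.0.2.13 are constructed for illustration; the `Data` field names are the ones Windows writes for event 4625.

```powershell
# Added example: summarise 4625 logon failures per source and status code.
function ConvertFrom-Event4625Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc  = [xml]$Xml
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $doc.Event.System.TimeCreated.SystemTime
            Computer      = $doc.Event.System.Computer
            TargetUser    = $data['TargetUserName']       # empty in the thread's event
            Status        = $data['Status']               # 0x80090308 = SEC_E_INVALID_TOKEN
            SubStatus     = $data['SubStatus']
            LogonType     = $data['LogonType']            # 3 = network logon
            AuthPackage   = $data['AuthenticationPackageName']
            SourceAddress = $data['IpAddress']
            SourcePort    = $data['IpPort']
        }
    }
}

# Constructed sample shaped like the event in the question (not real data).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2021-10-16T19:30:14Z" />
    <Computer>NODE002</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName" />
    <Data Name="Status">0x80090308</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">192.0.2.13</Data>
    <Data Name="IpPort">54096</Data>
  </EventData>
</Event>
'@

# On a live node (elevated prompt), feed real events instead of $sample:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-Event4625Xml
$events = @($sample) | ConvertFrom-Event4625Xml
$events | Group-Object Computer, SourceAddress, Status, LogonType, AuthPackage |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The timestamps and source ports of the largest groups are what to compare against connection and service logs on the source node.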