Blueshift
Current configuration:
Windows 7/10 terminals using software that connects to a Server 2012 Hyper-V Machine SQL Server for the database.
The software is giving an error for users (seemingly) at random. It looks like this happens for a few users at a time in small bursts, which resolve themselves minutes later, and they can then connect normally.
Source: C:\MacolaESCode\9.7.600\e4slayer.dll\edb.cpp (line 3953)
Cannot connect with 'DRIVER={SQL Server};Server=*redacted*;Database=*redacted*;TRUSTED_CONNECTION=YES'.
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
SQL State: 28000
DB error: 18452
EDL error: An error has occurred in the execution of the ODBC function 'SQLDriverConnect'.
Checking the Security log on the server shows multiple Audit Failures (Event 4625) for these users.
General info on the error:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: *redacted*
Account Domain: *redacted*
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000005E
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: *computer name*
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Details on the error:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2019-07-09T14:55:17.093640400Z
EventRecordID 9850913
Correlation
- Execution
[ ProcessID] 600
[ ThreadID] 616
Channel Security
Computer *computer*.*domain*.com
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-0-0
TargetUserName *username*
TargetDomainName *domain*
Status 0xc000005e
FailureReason %%2304
SubStatus 0x0
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName *computer name*
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress -
IpPort -
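An added triage example, not part of the original post: it parses Event 4625 records in the Event Viewer "friendly view" layout shown above and groups failures with the same Status into time-clustered, multi-user bursts, which is the pattern the post describes. The user and workstation names, the 5-minute gap and the two-user minimum are assumptions; 0xC000005E is STATUS_NO_LOGON_SERVERS in Microsoft's NTSTATUS documentation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS names from Microsoft's documentation (subset).
NTSTATUS = {0xC000005E: "STATUS_NO_LOGON_SERVERS", 0xC000006D: "STATUS_LOGON_FAILURE"}

# Constructed sample rows (time, user, Status, workstation), rendered in the post's layout.
ROWS = [("2019-07-09T14:55:17.093640400Z", "alice", "0xc000005e", "PC-01"),
        ("2019-07-09T14:55:40.100000000Z", "bob", "0xc000005e", "PC-02"),
        ("2019-07-09T14:57:02.000000000Z", "alice", "0xc000005e", "PC-01"),
        ("2019-07-09T15:40:00.000000000Z", "carol", "0xc000006d", "PC-03"),
        ("2019-07-09T16:30:00.000000000Z", "bob", "0xc000005e", "PC-02")]
SAMPLE = "\n".join(f"- TimeCreated\n[ SystemTime] {t}\n- EventData\nTargetUserName {u}\n"
                   f"Status {s}\nLogonType 3\nWorkstationName {w}" for t, u, s, w in ROWS)

def parse_events(text):
    """Start a record at each SystemTime line; collect the 'Key value' lines after it."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"\[ SystemTime\] (\S+)", line)
        if m:  # 100 ns precision is printed; strptime takes microseconds, so cut to 26 chars
            events.append({"time": datetime.strptime(m.group(1)[:26], "%Y-%m-%dT%H:%M:%S.%f")})
        elif events and " " in line:
            key, value = line.split(" ", 1)
            events[-1][key] = value
    return events

def find_bursts(events, gap=timedelta(minutes=5), min_users=2):
    """Per Status code, group failures no more than `gap` apart; keep multi-user groups."""
    by_status = defaultdict(list)
    for ev in events:
        if "Status" in ev:
            by_status[int(ev["Status"], 16)].append(ev)
    bursts = []
    for status, evs in by_status.items():
        evs.sort(key=lambda e: e["time"])
        group = [evs[0]]
        for ev in evs[1:] + [None]:  # None flushes the last group
            if ev and ev["time"] - group[-1]["time"] <= gap:
                group.append(ev)
                continue
            users = sorted({e.get("TargetUserName", "?") for e in group})
            if len(users) >= min_users:
                bursts.append({"status": NTSTATUS.get(status, hex(status)), "users": users,
                               "start": group[0]["time"], "end": group[-1]["time"],
                               "hosts": sorted({e.get("WorkstationName", "?") for e in group})})
            group = [ev]
    return bursts
```

Calling `find_bursts(parse_events(text))` on an exported Security log returns one entry per burst, whose start and end times can be compared with domain controller and network events from the same window.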