What exactly is the "Logon GUID"?

Spin

Gurus,

In the event log detail below, what exactly is the "Logon GUID" referring
to? The transaction below represents a user named "TestUser" who accessed a
network share on "SQLServer", from a machine whose IP address was
192.168.1.24.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/26/2008
Time: 2:06:10 PM
User: DOMAIN\TestUser
Computer: SQLServer
Description:
Successful Network Logon:
User Name: TestUser
Domain: DOMAIN
Logon ID: (0x0,0x55025)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {34942986-0087-5999-249a-e218464f6320}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.24
Source Port: 0

--
Spin
 
Spin

And why would the "Workstation Name" be blank? Doesn't Windows know what
workstation a user is coming from "over the network"? Granted, if this were
an IIS server I would understand, but this was a case of a domain user
hitting the system's network share from a domain computer, same subnet.
 
ChrisCJ21

Was the access over the network from a Windows 2000 machine? I may be wrong
but I seem to remember that entries over the wire from 2K boxes have issues
with populating the 'Hostname' field.

"Ken" wrote:

> GUID (Global Unique Identifier). This is the user's SID from the SAM
> database. In this case since it can enumerate the GUID to a user name I
> would have to guess the event in question is from a device that is not a
> domain member or does not allow for unauthenticated access to the SAM. Is
> it possible this machine is not a domain member of the same domain as the
> SQL server?
>
>
> "Spin" <Spin@invalid.com> wrote in message
> news:6hj07gFlvdg3U1@mid.individual.net...
> > Gurus,
> >
> > In the event log detail below, what exactly is the "Logon GUID" referring
> > to? The transaction below represents a user named "TestUser" who accessed
> > a network share on "SQLServer", from a machine whose IP address was
> > 192.168.1.24.
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 540
> > Date: 8/26/2008
> > Time: 2:06:10 PM
> > User: DOMAIN\TestUser
> > Computer: SQLServer
> > Description:
> > Successful Network Logon:
> > User Name: TestUser
> > Domain: DOMAIN
> > Logon ID: (0x0,0x55025)
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name:
> > Logon GUID: {34942986-0087-5999-249a-e218464f6320}
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 192.168.1.24
> > Source Port: 0
> >
> > --
> > Spin
> >

>
 
Spin

Still trying to understand what object the Logon GUID was referring to in my
original post.
 
wjr

Spin wrote:
> Gurus,
>
> In the event log detail below, what exactly is the "Logon GUID" referring
> to? The transaction below represents a user named "TestUser" who accessed a
> network share on "SQLServer", from a machine whose IP address was
> 192.168.1.24.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 8/26/2008
> Time: 2:06:10 PM
> User: DOMAIN\TestUser
> Computer: SQLServer
> Description:
> Successful Network Logon:
> User Name: TestUser
> Domain: DOMAIN
> Logon ID: (0x0,0x55025)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {34942986-0087-5999-249a-e218464f6320}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.1.24
> Source Port: 0

Hope this helps.

http://www.microsoft.com/technet/pr...rv/reskit/distrib/dsce_ctl_yicc.mspx?mfr=true
 
Joseph T Corey

Actually, that's not the same GUID Spin is talking about.

This Logon GUID is unique to the Kerberos ticket used for authentication.
You would use this to correlate a logon event with security logs on a DC and
the security logs on the machine being accessed. I'm not sure how that GUID
is generated or how NTLM authentications are handled. Hope that little bit
of info helps!

--
Joseph T. Corey MCSE, MCITP-EA
Windows Systems Administrator

"wjr" <virtual2@gomonarch.com> wrote in message
news:48B5D92C.10100@gomonarch.com...
>
>
> Spin wrote:
>> Gurus,
>>
>> In the event log detail below, what exactly is the "Logon GUID" referring
>> to? The transaction below represents a user named "TestUser" who
>> accessed a network share on "SQLServer", from a machine whose IP address
>> was 192.168.1.24.
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 540
>> Date: 8/26/2008
>> Time: 2:06:10 PM
>> User: DOMAIN\TestUser
>> Computer: SQLServer
>> Description:
>> Successful Network Logon:
>> User Name: TestUser
>> Domain: DOMAIN
>> Logon ID: (0x0,0x55025)
>> Logon Type: 3
>> Logon Process: Kerberos
>> Authentication Package: Kerberos
>> Workstation Name:
>> Logon GUID: {34942986-0087-5999-249a-e218464f6320}
>> Caller User Name: -
>> Caller Domain: -
>> Caller Logon ID: -
>> Caller Process ID: -
>> Transited Services: -
>> Source Network Address: 192.168.1.24
>> Source Port: 0

> Hope this helps.
>
> http://www.microsoft.com/technet/pr...rv/reskit/distrib/dsce_ctl_yicc.mspx?mfr=true
>
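
Added example, not part of the thread: a sketch of the correlation Joseph T Corey describes, matching a member-server logon event to a DC-side event by Logon GUID. The first record is the Event 540 text from the original post; the DC record (event ID, host name `DC01`, field layout) and the `Logon GUID: -` record are constructed, and treating blank, `-`, or all-zero GUIDs as uncorrelatable is an assumption.

```python
import re
from collections import defaultdict

# Event 540 fields as posted in the thread (trimmed to the relevant lines).
MEMBER_EVENT = """Event ID: 540
Computer: SQLServer
User Name: TestUser
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {34942986-0087-5999-249a-e218464f6320}
Source Network Address: 192.168.1.24"""

# Constructed DC-side record, assumed to carry the same Logon GUID field.
DC_EVENT = """Event ID: 673
Computer: DC01
User Name: TestUser@DOMAIN
Service Name: SQLServer$
Client Address: 192.168.1.24
Logon GUID: {34942986-0087-5999-249A-E218464F6320}"""

# Constructed record with no usable GUID (assumption: logged as "-").
NO_GUID_EVENT = """Event ID: 540
Computer: SQLServer
User Name: OtherUser
Logon GUID: -"""

FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.M)
NULL_GUID = "00000000-0000-0000-0000-000000000000"

def parse_event(text):
    """Turn 'Name: value' lines into a dict; blank values become ''."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def logon_guid(event):
    """Normalised GUID (lowercase, no braces), or None if unusable."""
    g = event.get("Logon GUID", "").strip("{}").lower()
    return g if g and g != "-" and g != NULL_GUID else None

def correlate(texts):
    """Group events by Logon GUID; keep groups seen on more than one host."""
    groups = defaultdict(list)
    for ev in map(parse_event, texts):
        g = logon_guid(ev)
        if g:
            groups[g].append(ev)
    return {g: evs for g, evs in groups.items()
            if len({e["Computer"] for e in evs}) > 1}
```
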