OraFAQ Forum: Windows » A large number of event_id 4625: An account failed to log on

Home » Infrastructure » Windows » A large number of event_id 4625: An account failed to log on (Oracle 12.2.0, Windows Server 2016)

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

A large number of event_id 4625: An account failed to log on [message #680409]

Wed, 13 May 2020 11:05

gepy
Messages: 5
Registered: May 2020

Junior Member

Hello,
Actually we have this problem :
During standard oracle db installation a local user (eg ORAuser) is always created on the db server, which is a member of local groups such as: ORA_ASMDBA; ORA_INSTALL; ORA_OraDB12Home1_DBA. It is not a member of any other local groups such as Users, Power Users, or Administrators.
In EventLog on domain controllers in particular and some other db servers, I have been recording invalid logon attempts (Event_ID: 4625, reason for rejection: non-existent user) of this ORAuser for a long time. There are hundreds to thousands of (rejected) login attempts per day. If we shuts down the Oracle db to perform offline backups, these events do not occur.
Why is the local ORAuser trying to log on to other domain servers? Our DB Admin doesn't know the answer to that, but everything works for him, including applications, he has no bugs in his logs, so he doesn't care. He checked Rman, scripts for backup, scheduled tasks, etc., but he found nothing Sad

Any idea?
Thank you very much!

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680410 is a reply to message #680409]

Wed, 13 May 2020 11:25

Michel Cadot
Messages: 68756
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

I don't know the answer but:

1) if your user has really no privilege to access the network (is in no group with this access) then it could not reach the domain controller

2) you can block, on db server, this user or any Oracle program to access the network using a local policy.

Which port does this access come on?
Can you post the details of one of such event.

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680411 is a reply to message #680410]

Wed, 13 May 2020 12:46

gepy
Messages: 5
Registered: May 2020

Junior Member

ad 2) Good idea to use local policy! But I'm very curious what causes it Smile

This Event_id 4625 is from Domain Controller (DC):
message
An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Oraclevhd
Account Domain: VHD-DB

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: VHD-DB
Source Network Address: 2a0b:bac0:8080:25::1:32
Source Port: 64354

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680413 is a reply to message #680411]

Wed, 13 May 2020 13:18

Michel Cadot
Messages: 68756
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Logon type 3 happens (not only but maybe an idea) when an access is made to a shared folder, have you any on the domain controller?

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680419 is a reply to message #680413]

Wed, 13 May 2020 13:57

gepy
Messages: 5
Registered: May 2020

Junior Member

Yes, on DC's there are shared folders ... for example SYSVOL and other.

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680423 is a reply to message #680419]

Wed, 13 May 2020 14:17

Michel Cadot
Messages: 68756
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

So maybe this user has to access these folders. A log file (Windows or Oracle)? A shared DLL?...

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680427 is a reply to message #680423]

Wed, 13 May 2020 15:00

gepy
Messages: 5
Registered: May 2020

Junior Member

Sorry I do not understand... Why local user VHD-DB\Oraclevhd needs access to shared folders of DCs servers?
These access attempts are denied and the application on the VHD-DB server works well. Even without access to network shared folders.
If oracle db needs user account with network access, so the oracle installation process can make domain user account, right?

I really appreciate your effort and hopefully we will crack it Smile

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680430 is a reply to message #680427]

Thu, 14 May 2020 00:32

Michel Cadot
Messages: 68756
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Quote:

Why local user VHD-DB\Oraclevhd needs access to shared folders of DCs servers?

I don't know.
An idea: an enterprise policy requires to log on DC some actions like logon/logoff, start/stop service, high privileged actions...

Quote:

If oracle db needs user account with network access

Oracle db does not need any network access; you may grant it access to the network, for instance for automatic patch, db links or other application needs.

It would be useful to know which program want to access the DC. I can't help you on this, you may post this question on a Windows admin forum: "how to know which program connects or tries to connect a Windows server"; maybe some trace can be activated but this is far above my Windows skills.

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680436 is a reply to message #680430]

Thu, 14 May 2020 03:12

gepy
Messages: 5
Registered: May 2020

Junior Member

One more question: I'll try it from the other side ....
On VHD-DB server are running two services under local VHD-DB\Oraclevhd user :
- OracleOraDB12Home1TNSListener (tnslsnr.exe)
- OracleService (oracle.exe)
What if I change VHD-DB\Oraclevhd user with (e.g.) build-in account NT AUTHORITY\LOCAL SERVICE ?
What is the recommendation for starting oracle services?

Report message to a moderator

Re: A large number of event_id 4625: An account failed to log on [message #680440 is a reply to message #680436]

Thu, 14 May 2020 04:06

Michel Cadot
Messages: 68756
Registered: March 2007
Location: Saint-Maur, France, https...

Senior Member
Account Moderator

Oracle services must have read/write access to Oracle installation directory, database files directories (for the instance service)...

Here the documentation for Windows and your version: Platform Guide for Microsoft Windows
This chapter will help you: About Windows Services for Oracle Database

Quote:

Depending on the type of database installation and user account used as the Oracle Home User, Windows services run under low-privileged, non-administrative accounts such as a LocalService, or an authenticated Windows User Account, or as a high-privileged Local System Account (LSA) in Oracle home.

So I think the answer to your question is you can change it.

Note: Up to Windows XP and Oracle 11gR2 I used LOCAL SERVICE, now I use the installation local user account (which is the recommended option during installation).

Report message to a moderator

Previous Topic:	ORA-06502: PL/SQL: numeric or value error: character string buffer too small
Next Topic:	Installation gets to a certain point and then just goes backwards

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Apr 17 06:22:46 CDT 2025