IIS Server Security - security logon failures?


Author security logon failures?

2005-03-03, 5:55 pm

Hi all, I have a new web server running 2003. It is a member of a domain but
IIS is configured to use all local accounts including IUSR & Network
Service. I have begun to see a bunch of failure audits in the Security Event
Log:

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0x80090325
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


I also see the same logs in my test server also..


What is going on?

Thanks!



WenJun Zhang[msft]

2005-03-04, 2:48 am

Hi,

It looks like there is nothing indicating that the logon failure event
has some relationship with IIS. Have you also checked the System log (for
events about W3SVC or IISAdmin)? If IIS attempts to log on a built-in
account but fails, it will write the details in the System log.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

2005-03-04, 5:58 pm

I cannot see anything in the System Event Log pertaining to W3SVC or IIS.
Both the boxes are running Web Edition and the only services running are IIS
related services. It would seem odd to me that I get the same error on 2
boxes on separate networks. thanks!

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0x80090325
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:vXtxPWIIFHA.3572@TK2MSFTNGXA02.phx.gbl...
> Hi,
>
> It looks like there is nothing indicating that the logon failure event
> has some relationship with IIS. Have you also checked the System log (for
> events about W3SVC or IISAdmin)? If IIS attempts to log on a built-in
> account but fails, it will write the details in the System log.
>
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



WenJun Zhang[msft]

2005-03-07, 2:53 am

Hi,

The logon failure caused by Schannel may be related to SSL mechanism
running on IIS. Do you have any https sites on these 2 machines?

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

2005-03-07, 5:52 pm

Yes I do. On my test machine I have 1 SSL site. On my production machine I
have 3 SSL sites. The 1 site common between test & production, has a web
server cert which has been issued from a Server 2003 Stand-Alone CA box. The
other 2 sites on the production box has certs issued from CyberTrust...

thanks!

"WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
news:kloaNwuIFHA.3968@TK2MSFTNGXA02.phx.gbl...
> Hi,
>
> The logon failure caused by Schannel may be related to SSL mechanism
> running on IIS. Do you have any https sites on these 2 machines?
>
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



WenJun Zhang[msft]

2005-03-08, 7:52 am

I reviewed those similar cases. The problem appears to be in the
security infrastructure of Windows 2003, which means not only IIS using
SSL will meet this problem but other services may hit the same error
too (like using SSL with SMTP). The troubleshooting will be
complicated and difficult to start out from the IIS side. If SSL just
works fine on your server, I think you may safely ignore these
events. Otherwise, if you do have much concern about it, I suggest you
report it as an incident to our CSS (customer support service) for
advanced support. Since you are an MSDN subscriber, you should have 2
free incident accounts. Also, if the issue is finally confirmed as an
undiscovered bug, you don't need to spend the account. The following
is the link to CSS:

http://support.microsoft.com/defaul...US;PHONENUMBERS

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

Alun Jones [MSFT]

2005-03-08, 5:51 pm

<param@community.nospam> wrote in message
news:%23$$jLTAIFHA.2476@TK2MSFTNGP12.phx.gbl...
> Logon Process: Schannel
>
> Authentication Package: Microsoft Unified Security Protocol Provider
>
> Workstation Name: -
>
> Status code: 0xC000006D
>
> Substatus code: 0x80090325



0xC000006D is "Error - The pipe has been ended".

0x80090325 is "The certificate chain was issued by an authority that is not
trusted."

So, essentially, it looks like someone tried to log on using a client
certificate that doesn't chain up to a root that you trust at your server.
Is it possible that some of your clients are trying to connect from machines
where they may have multiple certificates installed? Maybe they're just
selecting the wrong one. Perhaps they need to give their certificates
better "friendly names" to make them easier to choose between.

I used the "ERRLOOK" tool from Visual Studio to get the error messages (it
didn't find 0xC000006D, so I tried 0x0000006d instead, as the top two bits
indicate severity). There are other ways to find the same information.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
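
Added example, not part of the original posts: the Status and Substatus values from the audit event split into their bit fields. The layouts are the documented NTSTATUS and HRESULT ones; the name tables are limited to the values in this thread, and `low_word_as_win32` shows what a Win32 lookup of the low word (the 0x0000006d lookup described above) resolves to.

```python
# Added example: split the two codes from the audit event into their bit fields.
NT_SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
# Subset of HRESULT facility numbers from winerror.h.
HRESULT_FACILITY = {0: "FACILITY_NULL", 7: "FACILITY_WIN32",
                    9: "FACILITY_SSPI", 11: "FACILITY_CERT"}
# Name tables limited to the values that appear in this thread.
NTSTATUS_NAMES = {0xC000006D: "STATUS_LOGON_FAILURE"}
HRESULT_NAMES = {0x80090325: "SEC_E_UNTRUSTED_ROOT"}
WIN32_NAMES = {109: "ERROR_BROKEN_PIPE"}


def decode_ntstatus(value):
    """NTSTATUS: bits 31-30 severity, 29 customer flag, 27-16 facility, 15-0 code."""
    return {
        "severity": NT_SEVERITY[(value >> 30) & 0x3],
        "customer": bool((value >> 29) & 0x1),
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


def decode_hresult(value):
    """HRESULT: bit 31 failure flag, bits 26-16 facility, 15-0 code."""
    facility = (value >> 16) & 0x7FF
    return {
        "failure": bool((value >> 31) & 0x1),
        "facility": HRESULT_FACILITY.get(facility, str(facility)),
        "code": value & 0xFFFF,
        "name": HRESULT_NAMES.get(value, "unknown"),
    }


def low_word_as_win32(value):
    """Clearing the high bits moves the number into the Win32 error
    namespace, where the same low word can carry an unrelated meaning."""
    code = value & 0xFFFF
    return code, WIN32_NAMES.get(code, "unknown")


if __name__ == "__main__":
    print(decode_ntstatus(0xC000006D))
    print(decode_hresult(0x80090325))
    print(low_word_as_win32(0xC000006D))
```
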


2005-03-08, 5:51 pm

Is there any way to grab the name of the certificate being used? That would
help me isolate which user it is. Would the Website logs show this? The
funny thing is that in my test/dev machine only 2 users have access to it
and both the users have a valid cert that I know for sure. Yet on this box I
get the same error. Isn't that strange?

thanks!

"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in message
news:eK7f5AAJFHA.3332@TK2MSFTNGP15.phx.gbl...
> <param@community.nospam> wrote in message
> news:%23$$jLTAIFHA.2476@TK2MSFTNGP12.phx.gbl...
>
>
> 0xC000006D is "Error - The pipe has been ended".
>
> 0x80090325 is "The certificate chain was issued by an authority that is
> not trusted."
>
> So, essentially, it looks like someone tried to log on using a client
> certificate that doesn't chain up to a root that you trust at your server.
> Is it possible that some of your clients are trying to connect from
> machines where they may have multiple certificates installed? Maybe
> they're just selecting the wrong one. Perhaps they need to give their
> certificates better "friendly names" to make them easier to choose
> between.
>
> I used the "ERRLOOK" tool from Visual Studio to get the error messages (it
> didn't find 0xC000006D, so I tried 0x0000006d instead, as the top two bits
> indicate severity). There are other ways to find the same information.
>
> Alun.
> ~~~~
> --
> Software Design Engineer, Internet Information Server (FTP)
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>



WenJun Zhang[msft]

2005-03-09, 7:47 am

If your site requires authentication, you can check the username
(cs-username field) in IIS log (in
Windows\System32\LogFile\W3SVC[SiteID]) and compare the fired time
between the request and event in security log. This may help you
identify which user's client cert is causing this issue. Please note
the time in IIS W3C log is in GMT.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
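
Added example, not part of the original posts: one way to do the time comparison described above, converting the Security log's local event time to GMT and listing the W3C log requests that fall within a few seconds of it. The log lines, account names, addresses, field selection and the UTC offset are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (times are GMT).
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-08 22:40:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-03-08 22:49:12 192.0.2.10 TEST\\alice GET /app/default.aspx 200
2005-03-08 22:51:03 192.0.2.44 - GET /app/default.aspx 403
2005-03-08 22:51:05 192.0.2.10 TEST\\alice GET /app/report.aspx 200
2005-03-08 23:30:00 192.0.2.77 TEST\\bob GET /app/default.aspx 200
"""


def parse_w3c(text):
    """Parse W3C log text, honouring the most recent #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["utc"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def requests_near_event(log_text, event_local, utc_offset_hours, window_seconds=5):
    """Return (time, c-ip, cs-username, sc-status) for requests logged within
    window_seconds of a Security log event given in server-local time."""
    event_utc = (datetime.strptime(event_local, "%Y-%m-%d %H:%M:%S")
                 - timedelta(hours=utc_offset_hours))
    window = timedelta(seconds=window_seconds)
    return [(r["time"], r["c-ip"], r["cs-username"], r["sc-status"])
            for r in parse_w3c(log_text)
            if abs(r["utc"] - event_utc) <= window]


if __name__ == "__main__":
    # Assumed: the failure audit is stamped 17:51:04 local on a UTC-5 server.
    for hit in requests_near_event(SAMPLE_W3C_LOG, "2005-03-08 17:51:04", -5):
        print(hit)
```
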

Copyright 2003 - 2008 webservertalk.com