When investigating these repeated 4625 events, we're seeing a specific pattern:
Failure Information:
Status: 0xc000006d
Sub Status: 0xc0000064
Authentication Package: Kerberos
Caller Process: lsass.exe
The Windows Server Essentials Management Service (WseMgmtSvc) appears to be the root cause. This service periodically checks system health through scheduled tasks, and its authentication attempts generate these events when:
- Using SYSTEM account credentials
- Attempting network logons (Type 3)
- Querying non-existent accounts
The authentication flow follows this sequence:
1. Scheduled task triggers WseMgmtSvc
2. Service attempts Kerberos authentication
3. LSASS processes the request
4. Fails with STATUS_NO_SUCH_USER (0xC0000064)
5. Event 4625 logged
To confirm the source, use this PowerShell snippet to monitor process creation:
# Capture process creation events matching the schedule
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    ID        = 1
    StartTime = (Get-Date).AddMinutes(-5)
} | Where-Object {
    $_.Message -match 'WseMgmtSvc'
} | Select-Object TimeCreated, Message
Option 1: Service Modification
Create a service wrapper to suppress unnecessary auth attempts:
sc.exe config WseMgmtSvc start= delayed-auto
Set-Service -Name WseMgmtSvc -StartupType AutomaticDelayedStart
Option 2: Scheduled Task Adjustment
Modify the alert evaluation task to reduce frequency:
schtasks /change /tn "\Microsoft\Windows\Windows Server Essentials\Alert Evaluations" /ri 1440
Option 3: Registry Filtering
Add exclusions for known false positives:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "SuppressNullSidFailures" -Value 1 -PropertyType DWORD
For environments where the service cannot be modified, implement this SIEM filter to exclude noise:
# Splunk query example
index=wineventlog EventCode=4625
| search NOT (ProcessName="lsass.exe" AND Sub_Status="0xC0000064" AND Logon_Type="3")
| stats count by src_host
For larger deployments using Essentials in branch offices:
- Deploy centralized event log filtering
- Implement Kerberos armoring (FAST)
- Configure DC-specific audit policies
When your domain controllers start logging thousands of Event ID 4625 entries with NULL SID and Logon Type 3, it's time for some serious debugging. Here's what we discovered during a real-world investigation:
// Typical Event 4625 pattern we observed
{
    "EventID": 4625,
    "LogonType": 3,
    "SecurityID": "NULL SID",
    "SubStatus": "0xC0000064",
    "Process": "lsass.exe",
    "AuthenticationPackage": "Kerberos"
}
The failed authentication attempts exhibited these technical fingerprints:
- Originating from the DC itself (WorkstationName = DC hostname)
- Using Kerberos via Schannel (not NTLM)
- 30-60 minute intervals during off-hours
- Spikes during morning logon periods
We used ProcMon to trace the authentication attempts:
# Sample PowerShell to filter security events
# Properties[4] is TargetUserSid; the viewer renders S-1-0-0 as "NULL SID"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } |
    Where-Object { "$($_.Properties[4].Value)" -eq 'S-1-0-0' } |
    Select-Object TimeCreated, Message
The smoking gun was the WseMgmtSvc service. Here's how to test this hypothesis:
# Disable the management service for testing
Stop-Service WseMgmtSvc -Force
Set-Service WseMgmtSvc -StartupType Disabled
# Monitor impact on event logging
while ($true) {
    $count = (Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        ID        = 4625
        StartTime = (Get-Date).AddMinutes(-5)
    } | Measure-Object).Count
    Write-Host "$(Get-Date) - $count failed logons in last 5 minutes"
    Start-Sleep -Seconds 60
}
The root cause was an Essentials health monitoring task:
# View the offending scheduled task
Get-ScheduledTask -TaskName "Alert Evaluations" -TaskPath "\Microsoft\Windows\Windows Server Essentials\" |
Select-Object *
# Sample output:
# Author: Microsoft Corporation
# Description: This task periodically evaluates the health of the computer
# Triggers: At 08:54 on 28/10/2014 - After triggered, repeat every 30 minutes
# Actions: Start a program: C:\Windows\System32\Essentials
For environments where you can't disable Essentials completely:
# Option 1: Modify the task trigger (requires Essentials 2012 R2 UR4 or later)
$task = Get-ScheduledTask -TaskName "Alert Evaluations"
$task.Triggers[0].Repetition.Interval = "PT1H" # Change from 30 to 60 minutes
$task | Set-ScheduledTask
# Option 2: Create custom event log filter to suppress noise
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /rd:true /f:text /c:1
When dealing with authentication storms:
- Always check scheduled tasks and background services first
- Monitor process trees during authentication attempts
- Compare event patterns before/after configuration changes
- Remember that "SYSTEM" account actions often indicate automated processes
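As an added example (not code from either answer above), this PowerShell pass combines the fingerprints listed in the second answer with the filter conditions from the first answer's SIEM query: it pulls the last 24 hours of 4625 events, tags each one as matching the WseMgmtSvc pattern or not, and buckets the matches into 30-minute windows so the task cadence shows up directly. It assumes it runs elevated on the DC, that `$env:COMPUTERNAME` is the WorkstationName the events carry, and the standard 4625 property order (TargetUserSid at index 4, Status 7, SubStatus 9, LogonType 10, WorkstationName 13, ProcessName 18).

```powershell
# Added example: classify recent 4625 events against the WseMgmtSvc fingerprint
# and bucket the matches by 30-minute window to confirm the repeating-task cadence.
# Assumption: 4625 property order is TargetUserSid=4, TargetUserName=5, Status=7,
# SubStatus=9, LogonType=10, WorkstationName=13, ProcessName=18 (standard template).
$dcHost = $env:COMPUTERNAME     # assumption: events carry the DC's own hostname

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetSid   = "$($p[4].Value)"          # S-1-0-0 is shown as "NULL SID"
        TargetUser  = $p[5].Value
        Status      = '0x{0:X8}' -f [uint32]$p[7].Value
        SubStatus   = '0x{0:X8}' -f [uint32]$p[9].Value
        LogonType   = [int]$p[10].Value
        Workstation = "$($p[13].Value)"
        Process     = "$($p[18].Value)"
    }
}

# Fingerprint from the answers: NULL SID target, STATUS_NO_SUCH_USER, network
# logon, raised by lsass.exe on the DC itself. Anything else still needs review.
$isNoise = {
    param($r)
    $r.TargetSid -eq 'S-1-0-0' -and $r.SubStatus -eq '0xC0000064' -and
    $r.LogonType -eq 3 -and $r.Process -like '*\lsass.exe' -and
    $r.Workstation -eq $dcHost
}
$noise = @($rows | Where-Object { & $isNoise $_ })
$other = @($rows | Where-Object { -not (& $isNoise $_) })

# A flat count in every 30-minute bucket (rather than a morning spike) points
# at the Alert Evaluations trigger instead of interactive users.
$noise | Group-Object { $_.Time.AddMinutes(-($_.Time.Minute % 30)).ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

"WseMgmtSvc pattern: $($noise.Count)   other 4625 failures: $($other.Count)"
$other | Select-Object Time, TargetUser, SubStatus, LogonType, Workstation, Process |
    Format-Table -AutoSize
```

Run it before and after changing the task interval (the 30-minute buckets should thin out to the new cadence) and keep the `$other` table as the list that still deserves an analyst's eye.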