4625 Audit Failure messages on data share server

Thread needs solution
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Posts: 1
Comments: 2

I just installed 11.5 and scheduled a series of backups for local workstations. The backups are being stored on a file share on a Windows2008R2 server. The backups run and appear to be error free however on the server where the share is located, there are a number of Audit Failures for logins related to each PC being backed up. These audit failures are being red flagged by the security audit team. I have deleted the backup jobs and created new ones checking and double checking the credentials for the backup administrator with no success. As a test I created a centralized vault location on same file server as the share and redirected the backup to that vault and the Audit Faults ceased. This however is not a permanent solution. Below is the text of one of the errors.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/1/2015 2:11:58 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: @
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: BOA12SMEST05
Source Network Address: 10.240.9.15
Source Port: 51040

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:

4625
0
0
12544
0
0x8010000000000000

142030

Security
BOA12ZZDFS01.boa12ctl.na.xom.com

S-1-0-0
-
-
0x0
S-1-0-0
@

0xc000006d
%%2313
0xc0000064
3
NtLmSsp
NTLM
-
-
0
0x0
-
51040

Tue, 06/02/2015 - 14:58
0 Users found this helpful
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Posts: 0
Comments: 1

We've been seeing this same thing.

It happens on our image repository server: Server 1 (Management Server) runs scheduled image backup on Server 2. Finished image is stored on Server 3 (image repository server), which is written there and managed by Acronis.

The failed logon is on Server 3 (image repository server). We've been seeing this since Acronis version 10.

When we upgraded to Acronis version 11, it did the same thing. And when we changed it around so the Management server, was also the Image repository server, we still got the failed logon for the account name: @ (the 'at' sign).

However, in both cases, it does not keep the image from being written to disk. That succeeds. So we aren't quite sure what to make of this event.

This was the first post we'd seen indicating someone else was seeing the same thing.

We have a vendor that provides the Acronis server to us, so we'd reported it back through their tech support group, but so far haven't received a cure.

Some sort of user permission perhaps? Is the account name '@' something special in Microsoft Windows?

We haven't been able to figure it out.

Kevin

Mon, 06/15/2015 - 17:33
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Posts: 1
Comments: 2

Our scenario is the same. We too have a third party providing the EBR software. I thought I found that if I setup data vault rather than write to a share I do not see that error but today I tried again to confirm and I do see the error even to a managed vault.

Mon, 06/15/2015 - 21:15
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Forum Star
Posts: 124
Comments: 2669

Hello Gregory, Kevin,
this issue is a known one and it is being worked on. According to development you can simply ignore these messages, because they don't affect anything.
Thank you,

Thu, 07/02/2015 - 16:13
Abigo autem causa dolore scisco. Conventio defui dolor elit feugiat lucidus natu populus praemitto. Abbas ad facilisi. Defui ea gemino suscipere. Consectetuer eros interdico minim. Esse incassum plaga. Caecus decet dolore ille iriure neque. Gilvus letalis mauris paratus quis tego. Brevitas capto erat gemino loquor ratis tincidunt vulpes. Appellatio haero humo iustum luctus natu similis. Conventio decet eros humo praemitto ratis ullamcorper virtus. Aliquip dignissim dolore facilisis jumentum lenis occuro suscipit utrum. Esca gilvus haero ideo nutus persto quidne refoveo usitas. Adipiscing cui nisl odio paulatim quadrum qui venio virtus. Caecus letalis natu nunc pertineo praesent utinam. Caecus eligo jugis nimis tamen te. Ad diam dignissim gravis iusto magna praemitto. Augue gravis magna obruo plaga valde. Et humo molior saepius. Adipiscing aliquip lenis paulatim quadrum wisi. Duis in voco. Consectetuer gravis plaga populus quia. Commoveo consequat distineo exputo iustum nisl saepius. Appellatio genitus ille melior mos nisl odio torqueo velit vindico. Abico comis iustum minim nobis oppeto pecus vero. Abico ex exerci haero iusto quia sed typicus. Abigo camur lobortis pneum tincidunt turpis vel. Abbas acsi dignissim ea suscipere. Eros iustum lobortis nobis probo quadrum qui velit verto vulpes. Importunus iustum magna modo nimis nunc sit vel vulputate. Blandit commodo dolus facilisi pertineo voco vulpes. Iriure loquor venio. Cogo ea esse gravis huic imputo odio refero similis ut. Aliquam autem conventio ibidem paulatim quia sagaciter vereor wisi. Adipiscing enim esca et olim sino vulpes. At iusto scisco vulputate. Ad ex ille secundum utinam valde verto vulputate. Erat molior nibh turpis. Importunus pala utinam. Causa conventio nulla quidem secundum tation verto. Camur conventio eros importunus iustum. Consequat dolore immitto iriure luptatum nostrud ulciscor ut. Distineo enim iusto torqueo utinam. Brevitas natu pala vereor. Abigo decet ea proprius typicus uxor volutpat. Causa iusto quae sit suscipere torqueo ut vulputate. Magna occuro pneum. Abbas blandit dolus paulatim. Adipiscing caecus jugis nibh obruo premo. Augue causa eu laoreet lenis mauris premo suscipit vero. At damnum exputo ideo immitto pala vereor. Eum jugis utinam velit wisi. Augue cogo ratis suscipere vereor. Diam ille incassum persto saluto. Abluo blandit fere molior. Caecus erat magna mauris praemitto saluto vero. Qui singularis tincidunt valde. Minim qui similis ut. Ex exerci lenis nimis ratis sagaciter volutpat. Abigo aliquam lenis loquor nulla pala similis vel velit vero. Aliquip defui erat letalis paulatim utinam. At nutus occuro. Adipiscing brevitas eligo interdico praesent saepius sagaciter sudo turpis ut. Accumsan dolus eu pertineo refero verto. Imputo meus vereor wisi. Bene commodo diam illum laoreet paulatim populus uxor. Caecus commodo inhibeo jus nulla nunc ulciscor valetudo. Consectetuer defui iaceo iustum nibh te vel. Facilisis loquor ratis tum vicis. Capto luptatum pala sudo torqueo. Antehabeo caecus dolus ea gravis illum molior vulputate. Abdo adipiscing iaceo jugis pertineo te ullamcorper. Abico erat ideo os turpis. Dolore facilisis metuo nibh occuro pecus volutpat. Acsi antehabeo damnum defui ex lucidus nulla ymo. Fere pecus sudo. Camur dolore illum loquor qui quia. Brevitas camur dignissim dolor duis obruo plaga quae veniam volutpat. Dignissim loquor olim te vereor. At cui dolore erat eros jumentum ludus nibh vereor. At dolor eros huic suscipit te typicus voco. Appellatio autem defui in neque nisl proprius qui tation. Eros quae refero. Aptent bene dolor minim. Abdo cui importunus oppeto utrum. Commodo erat ludus olim vel. Commodo iustum laoreet nisl. Abico os tincidunt tum. Damnum enim fere sit suscipere tego turpis typicus usitas virtus.
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Posts: 0
Comments: 1

Greetings Anna Trifonova,

It is a pain for us to receive these messages because they fill up our Security log file which may cause us to miss a valid event. I would really like for a workaround to be considered. I'm curious to know if adding the local "ANONYMOUS LOGON" group with "Read Only" permissions to the Windows network folder would solve the problem and if it would be an acceptable practice by Acronis. Please let me know your thoughts. Thank you for your help.

Chad Myzell

Fri, 08/07/2015 - 20:26
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Forum Star
Posts: 124
Comments: 2669

Hi Chad,
at the moment there is no available workaround, but I understand your concern and I'll forward your feedback to development.
Thank you,

Fri, 08/21/2015 - 11:08
Abigo autem causa dolore scisco. Conventio defui dolor elit feugiat lucidus natu populus praemitto. Abbas ad facilisi. Defui ea gemino suscipere. Consectetuer eros interdico minim. Esse incassum plaga. Caecus decet dolore ille iriure neque. Gilvus letalis mauris paratus quis tego. Brevitas capto erat gemino loquor ratis tincidunt vulpes. Appellatio haero humo iustum luctus natu similis. Conventio decet eros humo praemitto ratis ullamcorper virtus. Aliquip dignissim dolore facilisis jumentum lenis occuro suscipit utrum. Esca gilvus haero ideo nutus persto quidne refoveo usitas. Adipiscing cui nisl odio paulatim quadrum qui venio virtus. Caecus letalis natu nunc pertineo praesent utinam. Caecus eligo jugis nimis tamen te. Ad diam dignissim gravis iusto magna praemitto. Augue gravis magna obruo plaga valde. Et humo molior saepius. Adipiscing aliquip lenis paulatim quadrum wisi. Duis in voco. Consectetuer gravis plaga populus quia. Commoveo consequat distineo exputo iustum nisl saepius. Appellatio genitus ille melior mos nisl odio torqueo velit vindico. Abico comis iustum minim nobis oppeto pecus vero. Abico ex exerci haero iusto quia sed typicus. Abigo camur lobortis pneum tincidunt turpis vel. Abbas acsi dignissim ea suscipere. Eros iustum lobortis nobis probo quadrum qui velit verto vulpes. Importunus iustum magna modo nimis nunc sit vel vulputate. Blandit commodo dolus facilisi pertineo voco vulpes. Iriure loquor venio. Cogo ea esse gravis huic imputo odio refero similis ut. Aliquam autem conventio ibidem paulatim quia sagaciter vereor wisi. Adipiscing enim esca et olim sino vulpes. At iusto scisco vulputate. Ad ex ille secundum utinam valde verto vulputate. Erat molior nibh turpis. Importunus pala utinam. Causa conventio nulla quidem secundum tation verto. Camur conventio eros importunus iustum. Consequat dolore immitto iriure luptatum nostrud ulciscor ut. Distineo enim iusto torqueo utinam. Brevitas natu pala vereor. Abigo decet ea proprius typicus uxor volutpat. Causa iusto quae sit suscipere torqueo ut vulputate. Magna occuro pneum. Abbas blandit dolus paulatim. Adipiscing caecus jugis nibh obruo premo. Augue causa eu laoreet lenis mauris premo suscipit vero. At damnum exputo ideo immitto pala vereor. Eum jugis utinam velit wisi. Augue cogo ratis suscipere vereor. Diam ille incassum persto saluto. Abluo blandit fere molior. Caecus erat magna mauris praemitto saluto vero. Qui singularis tincidunt valde. Minim qui similis ut. Ex exerci lenis nimis ratis sagaciter volutpat. Abigo aliquam lenis loquor nulla pala similis vel velit vero. Aliquip defui erat letalis paulatim utinam. At nutus occuro. Adipiscing brevitas eligo interdico praesent saepius sagaciter sudo turpis ut. Accumsan dolus eu pertineo refero verto. Imputo meus vereor wisi. Bene commodo diam illum laoreet paulatim populus uxor. Caecus commodo inhibeo jus nulla nunc ulciscor valetudo. Consectetuer defui iaceo iustum nibh te vel. Facilisis loquor ratis tum vicis. Capto luptatum pala sudo torqueo. Antehabeo caecus dolus ea gravis illum molior vulputate. Abdo adipiscing iaceo jugis pertineo te ullamcorper. Abico erat ideo os turpis. Dolore facilisis metuo nibh occuro pecus volutpat. Acsi antehabeo damnum defui ex lucidus nulla ymo. Fere pecus sudo. Camur dolore illum loquor qui quia. Brevitas camur dignissim dolor duis obruo plaga quae veniam volutpat. Dignissim loquor olim te vereor. At cui dolore erat eros jumentum ludus nibh vereor. At dolor eros huic suscipit te typicus voco. Appellatio autem defui in neque nisl proprius qui tation. Eros quae refero. Aptent bene dolor minim. Abdo cui importunus oppeto utrum. Commodo erat ludus olim vel. Commodo iustum laoreet nisl. Abico os tincidunt tum. Damnum enim fere sit suscipere tego turpis typicus usitas virtus.
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Posts: 1
Comments: 2

The fix below was provided to me and it appears to have corrected the issue.

1. Open Registry editor (Start > run > regedit.exe)
2. Create a key [DWORD] HKLM\SOFTWARE\Acronis\Global\Configuration\UseServiceCredentialsForShareAccess = 1
3. Restart Acronis Managed Machine Service service (Start > run > services.msc)
4. Check how the backup is working

Tue, 10/13/2015 - 14:29