ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Multiple Login fail events occur on the Control Compliance Suite Manager Server with Audit Failure Event ID 4625

book

Article ID: 172475

calendar_today

Updated On:

Products

Control Compliance Suite Windows

Issue/Introduction

Multiple Login fail events occur on the Control Compliance Suite (CCS) Manager Server with Audit Failure Event ID 4625

The following error is noted in the Windows Event Viewer on the CCS Manager Machine-
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     
Description:An account failed to log on.

Subject:
Security ID:  SYSTEM
Account Name: 
Account Domain: 
Logon ID: 

Logon Type:   2

Account For Which Logon Failed:
Security ID:  NULL SID
Account Name: 
Account Domain: 

Failure Information:
Failure Reason:  An Error occurred during Logon.
Status:   0xC0000413
Sub Status:  0x0

Process Information:
Caller Process ID: 0x260c
Caller Process Name: :\CCS Manager\DPS\Blade.WorkerProcess.x64.exe

Cause

The CCS Application Server Certificate subject does not match with the name of the object (CCS AppServer Service user account) that is present in the Active Directory (AD)

Environment

Windows

Resolution

The Audit Failure Event (Event ID 4625) issue can be resolved by mapping the certificates to the CCS App server User ID in AD.
Map certificates to CCS Service account in AD for CCS App Server and CCS Manager for component communication without Audit Failures.
Use the following steps to export CCS certificates for CCS components and map them to Active Directory accounts.

Steps to export the CCS Certificates using MMC snap-in

Perform these steps on CCS App Server and All CCS Managers

  1. From the Start menu on the CCS Application Server, click Run. Type mmc in the text box and click OK. An MMC(Microsoft Management Console) snap-in Console window launches.
  2. Using the File menu, click Add/Remove Snap-in.
  3. Select Certificates in the Snap-in list, click Add.
    • NOTE: When you select Certificates, a dialog box appears asking you whether you would like to manage certificates for My user account, Service account, or Computer account. For this scenario, select Computer account, click Finish, and continue.
  4. When prompted to Select Computer, select Local Computer, and click Finish.
  5. Click OK to close the Add/Remove Snap-in dialog box. The Certificates directory is now added to the MMC console.
  6. Select Certificates (Local Computer) from the Console menu. This will expand the Certificates containers.
  7. Select >Symantec_Components >Certificates container.
  8. On CCS App Server: Right-click certificate "AppServer-%MACHINE_NAME%" and select >All Tasks >Export…
    1. On CCS Manager : Right-click certificate  %MACHINE_NAME% and select >All Tasks >Export…
  9. This will start the Welcome to the Certificate Export Wizard. Click Next.
  10. Select No, do not export the private key. Click Next.
  11. Select DER encoded binary X.509 (.CER). Click Next.
  12. Specify the folder path and name of the file you want to export. Click Next.
  13. Review wizard settings and click Finish.

NOTE: These steps will need to be performed on each server hosting the CCS Manager role.

Please note the certificate in step 8 will be unique for CCS Manager role (i.e. CCSManager-%Machine_Name%). It is helpful to store all exported certificate files (.CER) in a folder accessible to the Domain Controller.

Map (Import) the certificates to CCS Service account in AD

  1. Put all Certificates on shared location or locally on DC
  2. Open Active Directory Users and Computers
  3. Right click CCS AppServer Service user account
  4. Select Name Mappings
  5. Select X.509 tab and Add All the Certificates. Once Done, Click apply ok
  6. Restart CCS APP Server and CCS Manager Services once
  7. Verify the Audit Failure Event (Event ID 4625) has stopped