Successful Windows discovery results in events for failed login attempts made to target machine as the local MID server service user
A successful Windows discovery results in hundreds of events for failed login attempts made to the target machine as the local MID server service user. Other descriptions for this issue:
- Windows security event ID 4625 is logged
- Exceedingly High failures with Midserver Service Account
- Windows logon failure
- Windows audit failure
Steps to Reproduce
1. On the Windows machine that will host your MID server, create a test user that does not have any privileges beyond the local machine.
2. Install a MID server on this machine and set the user from Step 1 to be the user the MID service runs under.
3. Start up and validate the MID server.
4. On the instance, create valid Windows Credentials for the discovery of other Windows servers/computers.
5. Deactivate the Discovery Credentials entries with the name "MID Server Service User."
6. Run a quick discovery of another Windows server using your credentials from Step 4. Note the time the discovery starts.
7. On the target machine, in Event Viewer -> Windows Logs -> Security (this structure is on a Windows 8 box and might be different for later versions), look for activity around the time of discovery.
8. There should be several hundred events with the "Task Category" of Logon and the "Keywords" of "Audit Failure".
9. Upon inspection, all of these events should reference the user created in Step 1.
Note: without a valid Discovery Credential available for use, these errors will not appear, because Discovery will fail before reaching that point.
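The check in the last three steps can also be done from PowerShell on the target machine. The script below is an added example, not part of the original article or of any ServiceNow tooling; the account name `mid_svc_test` and the 30-minute window are placeholders for the user from Step 1 and the discovery start time you noted.

```powershell
# Added example: summarize failed logons (event ID 4625) recorded for the MID
# server service user on a discovery target.
# Assumptions: 'mid_svc_test' stands in for the user created in Step 1, and the
# default window stands in for the discovery start time noted in Step 6.
param(
    [string]   $AccountName = 'mid_svc_test',
    [datetime] $Start       = (Get-Date).AddMinutes(-30),
    [datetime] $End         = (Get-Date)
)

# Reading the Security log requires an elevated session on the target machine.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter

$rows = foreach ($e in $events) {
    # 4625 carries its details as named <Data> elements under <EventData>.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only failures recorded for the MID service user (case-insensitive).
    if ($data['TargetUserName'] -ne $AccountName) { continue }

    [pscustomobject]@{
        Minute      = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm')
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        SubStatus   = $data['SubStatus']
    }
}

# One output row per minute / source / logon type, with the number of failures.
$rows |
    Group-Object Minute, Source, Workstation, LogonType, SubStatus |
    Sort-Object Name |
    Select-Object Count, Name
```

The counts should cluster inside the discovery window for the account from Step 1. Failures for that account at other times, or from a source other than the MID server host, are not explained by the behavior described here.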
This behavior matches the following Microsoft article:
Failed logon event generated when running remote WMI command
From the above:
- The pass-through authentication is always attempted first, even if specific credentials are specified in the tool being used.
- You can safely ignore the error message.
As a workaround, if possible, set the MID server service account to a user that has rights on the target machines. Otherwise, per the Microsoft article, these events can safely be ignored.
Related Problem: PRB1497216