Cluster network name impersonation logons type 8
The Security team is flagging the following events showing logon type 8 (see Audit logon events), which has a description of "NetworkClearText." Based on what I've dug up so far, this isn't necessarily a problem if the associated network traffic is encrypted with SSL. I might presume that it's also of no (or little) concern if the logon is local and does not go over the wire.
These are occurring on clusters, and all evidence indicates that this is due to a cluster network name coming online, and the local system account is spinning up a session to impersonate the computer account associated with the cluster network name.
So are these going across the wire? Yes, I know I can Wireshark this and try to figure it out, and I'll do that if needed and post the answer, but hoping someone has a ready answer. Due to nothingness in the "Source Network Address" and "Port" fields, and a hearty dash of common sense, I'm leaning towards "no" at this point, but I need to get some documented proof.
Subject:
    Security ID: SYSTEM
    Account Name: SERVERNAME$
    Account Domain: MYDOMAIN
    Logon ID: 0x3E7
Logon Type: 8
Impersonation Level: Impersonation
New Logon:
    Security ID: MYDOMAIN\NETWORKNAME$
    Account Name: NETWORKNAME$
    Account Domain: MYDOMAIN
    Logon ID: 0x1585080B
    Logon GUID: c7e8d470-2185-9282-3261-5d7787520a0c
Process Information:
    Process ID: 0x1b68
    Process Name: C:\Windows\Cluster\rhs.exe
Network Information:
    Workstation Name: SERVERNAME
    Source Network Address: -
    Source Port: -
Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
windows-server-2012-r2 windows-server-2016 windows-cluster
asked May 29 at 20:53
Tony Hinkle
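An added example, not part of the original question: a Python triage helper that checks a logon event message for the fields the question relies on (logon type 8, empty source address and port, SYSTEM subject session, rhs.exe as the process). The function names and the remote variant's address and port are constructed for illustration; a match only means the event fits the pattern described in the question, not that the credentials stayed off the wire.

```python
# Constructed sample input: the event from the question, trimmed to the fields
# used here, plus a made-up variant that arrives from a remote address.
LOCAL_EVENT = r"""
Subject:
    Account Name: SERVERNAME$
    Logon ID: 0x3E7
Logon Type: 8
New Logon:
    Account Name: NETWORKNAME$
Process Information:
    Process Name: C:\Windows\Cluster\rhs.exe
Network Information:
    Workstation Name: SERVERNAME
    Source Network Address: -
    Source Port: -
"""
REMOTE_EVENT = (LOCAL_EVENT.replace("Address: -", "Address: 192.0.2.10")
                .replace("Port: -", "Port: 50112"))

def parse_event(text):
    """Parse a logon event message body into {section: {field: value}}."""
    event, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if line and not value.strip():
            section = key                      # header line such as "Subject:"
        elif line:
            event.setdefault(section, {})[key.strip()] = value.strip()
    return event

def find(event, key):
    """First value of a field in any section (layout differs by OS version)."""
    return next((f[key] for f in event.values() if key in f), "")

def triage(event):
    """Return (verdict, failed_checks) for one parsed event."""
    if find(event, "Logon Type") != "8":
        return "not-type-8", []
    subj, net = event.get("Subject", {}), event.get("Network Information", {})
    host = subj.get("Account Name", "").rstrip("$").upper()
    checks = {
        "no source address": net.get("Source Network Address") == "-",
        "no source port": net.get("Source Port") == "-",
        "subject is SYSTEM session 0x3E7": subj.get("Logon ID", "").upper() == "0X3E7",
        "workstation is subject host": net.get("Workstation Name", "").upper() == host,
        "process is cluster rhs.exe": find(event, "Process Name").lower().endswith("\\cluster\\rhs.exe"),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return ("matches-local-cluster-pattern" if not failed else "needs-review"), failed
```

Events that come back as `needs-review` list the checks that failed, which is where a packet capture or a closer look at the calling process is worth the time.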