4 Replies Latest reply on Dec 12, 2018 6:36 AM by prince55241000

    User Account for Composer failing credential validation – lots of audit failures

    PaulMurphyCO Novice

      1) In the Security log on our vCenter server we see an Event 4776 Audit Failure entry for the service account used for Composer, which is then followed by a successful logon for the service account. This is occurring every few seconds to every few minutes.

       

      2) Additionally, in Horizon Administrator on both connection servers, we get the following warning once or twice a day:

       

      vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials

       

      Everything in Horizon seems to be working fine, so I'm not sure if I need to be concerned with these or not.

       

      - I’ve re-entered the credentials for the Composer service account in the Horizon console (via View Configuration – Servers - vCenter Servers) on both connection servers. I can log into vSphere using that service account successfully. Rebooted the vCenter server so all VMware services were restarted. The service account has the Administrator role in vSphere and local admin rights on the server.

       

      Environment: 

      - Horizon 7.3.2 - Two connection servers, one for internal use, one for external use paired with a security server.

      - vSphere 6.5

       

      In the vCenter server Security log:

      Log Name: Security

      Source: Microsoft-Windows-Security-Auditing

      Date: 2/20/2018 4:23:28 PM

      Event ID: 4776

      Task Category: Credential Validation

      Level: Information

      Keywords: Audit Failure

      User: N/A

      Computer: VCenter.xxxx.yyyy.edu

      Description:

      The computer attempted to validate the credentials for an account.

       

      Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

      Logon Account:  service_Composer

      Source Workstation:   VCENTER

      Error Code:     0xC0000064

       

      This is immediately followed by a successful logon for the same service account:

       

      Event ID:      4648

      Log Name: Security

      Source: Microsoft-Windows-Security-Auditing

      Date: 2/20/2018 4:23:28 PM

      Event ID: 4648

      Task Category: Logon

      Level: Information

      Keywords: Audit Success

      User: N/A

      Computer: VCenter.xxxx.yyyy.edu

      Description:

      A logon was attempted using explicit credentials.

       

      Subject:

           Security ID:          SYSTEM

           Account Name:         VCENTER$

           Account Domain:       OUR_DOMAIN

           Logon ID:       0x3E7

           Logon GUID:           {00000000-0000-0000-0000-000000000000}

       

      Account Whose Credentials Were Used:

           Account Name:         service_Composer

           Account Domain:       OUR_DOMAIN

           Logon GUID:           {00000000-0000-0000-0000-000000000000}

       

      Target Server:

           Target Server Name:   localhost

           Additional Information:    localhost

       

      Process Information:

           Process ID:           0x870

           Process Name:         D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe

       

      Network Information:

           Network Address: -

           Port:           -

       

      This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

       

       

      Event ID:      4624

      Log Name: Security

      Source: Microsoft-Windows-Security-Auditing

      Date: 2/20/2018 4:23:28 PM

      Event ID: 4624

      Task Category: Logon

      Level: Information

      Keywords: Audit Success

      User: N/A

      Computer: VCenter.xxxx.yyyy.edu

      Description:

      An account was successfully logged on.

       

      Subject:

           Security ID:          SYSTEM

           Account Name:         VCENTER$

           Account Domain:       OUR_DOMAIN

           Logon ID:       0x3E7

       

      Logon Type:                8

       

      Impersonation Level:       Impersonation

       

      New Logon:

           Security ID:          OUR_DOMAIN\service_Composer

           Account Name:         service_Composer

           Account Domain:       OUR_DOMAIN

           Logon ID:       0x9A7BCD9

           Logon GUID:           {00000000-0000-0000-0000-000000000000}

       

      Process Information:

           Process ID:           0x870

           Process Name:         D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe

       

      Network Information:

           Workstation Name:     VCENTER

           Source Network Address:    -

           Source Port:          -

       

      Detailed Authentication Information:

           Logon Process:        Advapi 

           Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

           Transited Services:   -

           Package Name (NTLM only):  -

           Key Length:           0

       

      This event is generated when a logon session is created. It is generated on the computer that was accessed.

       

      The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

       

      The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

       

      The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

       

      The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

       

      The impersonation level field indicates the extent to which a process in the logon session can impersonate.

       

      The authentication information fields provide detailed information about this specific logon request.

           - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

           - Transited services indicate which intermediate services have participated in this logon request.

           - Package name indicates which sub-protocol was used among the NTLM protocols.

           - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

       

       

       

      Event ID:      4672

      Log Name: Security

      Source: Microsoft-Windows-Security-Auditing

      Date: 2/20/2018 4:23:28 PM

      Event ID: 4672

      Task Category: Special Logon

      Level: Information

      Keywords: Audit Success

      User: N/A

      Computer: VCenter.xxxx.yyyy.edu

      Description:

      Special privileges assigned to new logon.

       

      Subject:

           Security ID:          OUR_DOMAIN\service_Composer

           Account Name:         service_Composer

           Account Domain:       OUR_DOMAIN

           Logon ID:       0x9A7BCD9

       

      Privileges:           SeSecurityPrivilege

                      SeTakeOwnershipPrivilege

                      SeLoadDriverPrivilege

                      SeBackupPrivilege

                      SeRestorePrivilege

                      SeDebugPrivilege

                      SeSystemEnvironmentPrivilege

                      SeImpersonatePrivilege

       

       

      Vpxd log from vCenter server:

      1. For the Event ID 4776 audit failures, no errors are listed in the vpxd log for the audit failure times shown in event viewer.

       

      2. For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials”, the vpxd log has entries such as:

       

      2018-02-22T06:00:24.370-07:00 info vpxd[10248] [Originator@6876 sub=vpxLro opID=4571102e] [VpxLRO] -- BEGIN lro-221825 -- SessionManager -- vim.SessionManager.login -- 52e0c5f1-f27b-0e0b-b161-e9adf5b8f4e0

       

      2018-02-22T06:00:24.372-07:00 error vpxd[10248] [Originator@6876 sub=[SSO] opID=4571102e] [UserDirectorySso] AcquireToken exception: class SsoClient::CommunicationException(An established connection was aborted by the software in your host machine)

      --> [context]zKq8NBMEAAAABCFDTbwAddnB4ZAAASi0fdm1hY29yZS5kbGwAAACHBgDesAYAtEECAdEkAnNzb0NsaWVudC5kbGwAAVRLBAIgaQZNU1ZDUjEyMC5kbGwAAm3jBQODKgludGRsbC5kbGwAAREfAgHSwgEE0HUQdnB4ZC5leGUABNb4cAS/8nAEG0pwBSfUDnZpbS10eXBlcy5kbGwABufcBHZtb21pLmRsbAAEdvEMBH+oCwTh3gsEzaMLBKbLCwCraBgAnHgYAIkLIgJ/TwICJlECB9ITAEtFUk5FTDMyLkRMTAAD9FQB[/context]

       

      2018-02-22T06:00:24.375-07:00 error vpxd[10248] [Originator@6876 sub=User opID=4571102e] Failed to authenticate user <Our_Domain\service_Composer

       

      2018-02-22T06:00:27.376-07:00 info vpxd[10248] [Originator@6876 sub=Default opID=4571102e] [VpxLRO] -- ERROR lro-221825 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin:

      --> Result:

      --> (vim.fault.InvalidLogin) {

      -->    faultCause = (vmodl.MethodFault) null,

      -->    faultMessage = <unset>

      -->    msg = ""

      --> }

      --> Args:

      -->

      --> Arg userName:

      --> "Our_Domain\service_Composer"

      --> Arg password:

      --> (not shown)

      -->

      --> Arg locale:

      -->

       

       

      Connection Server logs:

       

      1) For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials”, the connection server log has entries such as:

       

      2018-02-22T06:00:26.937-07:00 ERROR (10B4-16B0) <VCHealthUpdate> [ServiceConnection25] Invalid VC login. Check username and password for VirtualCenter at https://VCENTER.XXXX.YYYY.EDU:443/sdk

      2018-02-22T06:01:33.210-07:00 INFO  (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Populating temporary stores for cache from VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk

      2018-02-22T06:01:33.302-07:00 INFO  (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Temporary stores for cache populated for VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk

       

      And the application event log on the connection server shows:

       

      BROKER_VC_STATUS_CHANGED_INVALID_CREDENTIALS

      vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials

       

      Attributes:

                      Node=OUR_DOMAINPCON.Our_Domain.YYYY.edu

                      Severity=WARNING

                      Time=Thu Feb 22 06:00:26 MST 2018

                      VCAddress=https://VCENTER.XXXX.YYYY.EDU:443/sdk

                      Module=Broker

                      Source=com.vmware.vdi.broker.health.l

                      Acknowledged=true

       

      Thank you for any assistance.
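
Added example, not part of the original post and not VMware or Microsoft code: a Python triage over exported Security-log records that pairs each 4776 failure with a 4624 success for the same account within a short window and decodes the error code, so the 0xC0000064 (user name does not exist) pattern shown in the post can be told apart from wrong-password failures. The record layout, the `triage` function, the 2-second window and the `svc_backup` record are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Subset of NTSTATUS codes reported in the "Error Code" field of event 4776.
NTSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 8: "NetworkCleartext"}
COMPOSER = r"D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe"

# Constructed sample: the first two records mirror the fields quoted in the post;
# the third (svc_backup) is invented to show a failure with no matching success.
EVENTS = [
    {"time": "2018-02-20 16:23:28", "id": 4776, "account": "service_Composer",
     "status": 0xC0000064},
    {"time": "2018-02-20 16:23:28", "id": 4624, "account": "service_Composer",
     "logon_type": 8, "process": COMPOSER},
    {"time": "2018-02-20 16:25:02", "id": 4776, "account": "svc_backup",
     "status": 0xC000006A},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def triage(events, window_seconds=2):
    """Pair every 4776 failure with a 4624 success for the same account
    that occurs within window_seconds after it, and classify the pair."""
    window = timedelta(seconds=window_seconds)
    successes = [e for e in events if e["id"] == 4624]
    findings = []
    # A 4776 with status 0x0 is a successful validation and is skipped.
    for fail in (e for e in events if e["id"] == 4776 and e.get("status")):
        match = next((s for s in successes
                      if s["account"].lower() == fail["account"].lower()
                      and timedelta(0) <= _ts(s) - _ts(fail) <= window), None)
        findings.append({
            "account": fail["account"],
            "reason": NTSTATUS.get(fail["status"], hex(fail["status"])),
            "recovered": match is not None,
            "logon_type": LOGON_TYPES.get(match["logon_type"]) if match else None,
            "process": match["process"] if match else None,
            # Flag failures that never recovered or were wrong-password attempts.
            "investigate": match is None or fail["status"] == 0xC000006A,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```
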