Guest Spin
Posted August 26, 2008

Gurus,

In the event log detail below, what exactly is the "Logon GUID" referring to? The transaction below represents a user named "TestUser" who accessed a network share on "SQLServer", from a machine whose IP address was 192.168.1.24.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/26/2008
Time: 2:06:10 PM
User: DOMAIN\TestUser
Computer: SQLServer
Description:
Successful Network Logon:
User Name: TestUser
Domain: DOMAIN
Logon ID: (0x0,0x55025)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {34942986-0087-5999-249a-e218464f6320}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.24
Source Port: 0

--
Spin

Guest Spin
Posted August 26, 2008

And why would the "Workstation Name" be blank? Doesn't Windows know what workstation a user is coming from "over the network"? Granted, if this were an IIS server I would understand, but this was a case of a domain user hitting the system's network share from a domain computer, same subnet.

Guest ChrisCJ21
Posted August 27, 2008

Was the access over the network from a Windows 2000 machine? I may be wrong, but I seem to remember that entries over the wire from 2K boxes have issues with populating the 'Hostname' field.

"Ken" wrote:

> GUID (Global Unique Identifier). This is the user's SID from the SAM
> database. In this case since it can enumerate the GUID to a user name I
> would have to guess the event in question is from a device that is not a
> domain member or does not allow for unauthenticated access to the SAM. Is
> it possible this machine is not a domain member of the same domain as the
> SQL server?
>
> "Spin" <Spin@invalid.com> wrote in message
> news:6hj07gFlvdg3U1@mid.individual.net...
> > Gurus,
> >
> > In the event log detail below, what exactly is the "Logon GUID" referring
> > to? The transaction below represents a user named "TestUser" who accessed
> > a network share on "SQLServer", from a machine whose IP address was
> > 192.168.1.24.
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 540
> > Date: 8/26/2008
> > Time: 2:06:10 PM
> > User: DOMAIN\TestUser
> > Computer: SQLServer
> > Description:
> > Successful Network Logon:
> > User Name: TestUser
> > Domain: DOMAIN
> > Logon ID: (0x0,0x55025)
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name:
> > Logon GUID: {34942986-0087-5999-249a-e218464f6320}
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 192.168.1.24
> > Source Port: 0
> >
> > --
> > Spin

Guest Spin
Posted August 27, 2008

Still trying to understand what object the Logon GUID was referring to in my original post.

Guest wjr
Posted August 27, 2008

Spin wrote:

> Gurus,
>
> In the event log detail below, what exactly is the "Logon GUID" referring
> to? The transaction below represents a user named "TestUser" who accessed a
> network share on "SQLServer", from a machine whose IP address was
> 192.168.1.24.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 8/26/2008
> Time: 2:06:10 PM
> User: DOMAIN\TestUser
> Computer: SQLServer
> Description:
> Successful Network Logon:
> User Name: TestUser
> Domain: DOMAIN
> Logon ID: (0x0,0x55025)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {34942986-0087-5999-249a-e218464f6320}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.1.24
> Source Port: 0

Hope this helps.

http://www.microsoft.com/technet/prodtechn...c.mspx?mfr=true

Guest Joseph T Corey
Posted August 28, 2008

Actually, that's not the same GUID Spin is talking about. This Logon GUID is unique to the Kerberos ticket used for authentication. You would use this to correlate a logon event with security logs on a DC and the security logs on the machine being accessed. I'm not sure how that GUID is generated or how NTLM authentications are handled.

Hope that little bit of info helps!

--
Joseph T. Corey
MCSE, MCITP-EA
Windows Systems Administrator

"wjr" <virtual2@gomonarch.com> wrote in message
news:48B5D92C.10100@gomonarch.com...

> Spin wrote:
>> Gurus,
>>
>> In the event log detail below, what exactly is the "Logon GUID" referring
>> to? The transaction below represents a user named "TestUser" who
>> accessed a network share on "SQLServer", from a machine whose IP address
>> was 192.168.1.24.
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 540
>> Date: 8/26/2008
>> Time: 2:06:10 PM
>> User: DOMAIN\TestUser
>> Computer: SQLServer
>> Description:
>> Successful Network Logon:
>> User Name: TestUser
>> Domain: DOMAIN
>> Logon ID: (0x0,0x55025)
>> Logon Type: 3
>> Logon Process: Kerberos
>> Authentication Package: Kerberos
>> Workstation Name:
>> Logon GUID: {34942986-0087-5999-249a-e218464f6320}
>> Caller User Name: -
>> Caller Domain: -
>> Caller Logon ID: -
>> Caller Process ID: -
>> Transited Services: -
>> Source Network Address: 192.168.1.24
>> Source Port: 0
>
> Hope this helps.
>
> http://www.microsoft.com/technet/prodtechn...c.mspx?mfr=true

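The correlation described in the post above, as an added example that is not part of the original thread: it parses exported event text and groups records by Logon GUID to find the same Kerberos logon in more than one machine's log. The DC-side record, the host name DC01, and the choice to skip a missing, "-" or all-zero GUID are assumptions of the example.

```python
import re
from collections import defaultdict

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# Member-server record: fields copied from the event posted in this thread.
SERVER_EVENT = """Event ID: 540
Time: 2:06:10 PM
Computer: SQLServer
User Name: TestUser
Logon Type: 3
Authentication Package: Kerberos
Logon GUID: {34942986-0087-5999-249a-e218464f6320}
Source Network Address: 192.168.1.24"""

# Constructed DC-side record (hypothetical host DC01, illustrative field layout).
DC_EVENT = """Computer: DC01
User Name: TestUser
Client Address: 192.168.1.24
Logon GUID: {34942986-0087-5999-249A-E218464F6320}"""

# Constructed record with no usable GUID; it must not be correlated.
NO_GUID_EVENT = """Computer: SQLServer
User Name: OtherUser
Logon GUID: -"""

def parse_event(text):
    """Turn the 'Name: value' lines of an exported event into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def correlate(events):
    """Map each Logon GUID seen on more than one computer to its events."""
    by_guid = defaultdict(list)
    for ev in events:
        guid = ev.get("Logon GUID", "").lower()  # normalise hex case
        if GUID_RE.match(guid) and guid != NULL_GUID:
            by_guid[guid].append(ev)
    return {g: evs for g, evs in by_guid.items()
            if len({e.get("Computer") for e in evs}) > 1}

if __name__ == "__main__":
    parsed = [parse_event(t) for t in (SERVER_EVENT, DC_EVENT, NO_GUID_EVENT)]
    for guid, evs in correlate(parsed).items():
        print(guid, "->", sorted(e["Computer"] for e in evs))
```
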