{"id":745,"date":"2012-08-07T11:18:31","date_gmt":"2012-08-07T03:18:31","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=745"},"modified":"2012-08-08T09:46:06","modified_gmt":"2012-08-08T01:46:06","slug":"netapp-filers-and-vfilers-generating-netlogon-event-id-5722-errors-on-windows-2008-r2-domain-controllers","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2012\/08\/07\/netapp-filers-and-vfilers-generating-netlogon-event-id-5722-errors-on-windows-2008-r2-domain-controllers-745","title":{"rendered":"NetApp Filers and vFilers generating Netlogon Event ID 5722 errors on Windows 2008 R2 Domain Controllers"},"content":{"rendered":"<p>I have a customer where the NetApp Filers and vFilers are generating Netlogon Event ID 5722 in the System event log on the Windows 2008 R2 Domain Controllers.<\/p>\n<p><strong>Example:<\/strong><\/p>\n<p style=\"padding-left: 30px;\">Log Name: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 System<br \/>\nSource: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0NETLOGON<br \/>\nDate: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 18\/07\/2012 11:32:22 AM<br \/>\nEvent ID: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 5722<br \/>\nTask Category: \u00a0 \u00a0None<br \/>\nLevel: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Error<br \/>\nKeywords: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Classic<br \/>\nUser: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0N\/A<br \/>\nComputer: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 dc1.mydomain.com<br \/>\nDescription:<br \/>\nThe session setup from the computer vfiler1 failed to authenticate. The name(s) of the account(s) referenced in the security database is vfiler1$.\u00a0 The following error occurred:<br \/>\nThe system detected a possible attempt to compromise security. 
Please ensure that you can contact the server that authenticated you.<\/p>\n<p style=\"padding-left: 30px;\"><!--more--><\/p>\n<p><strong>Debugging:<\/strong><\/p>\n<ul>\n<li>Enabling Netlogon debugging as recommended by Microsoft by running the Nltest.exe command line as documented in <a href=\"http:\/\/support.microsoft.com\/kb\/942564\" target=\"_blank\">KB942564<\/a>.<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">Nltest.exe \/DBFLAG:2000FFFF<\/p>\n<ul>\n<li>Review of the Netlogon.log file shows us the following:<\/li>\n<\/ul>\n<pre class=\"brush: plain; gutter: false; title: ; toolbar: false; notranslate\" title=\"\">\r\n07\/18 11:32:22 &#x5B;SESSION] MYDOMAIN: NetrServerAuthenticate entered: vfiler1 () on account vfiler1$ (Negot: 701ff)\r\n07\/18 11:32:22 &#x5B;SESSION] NetrServerAuthenticate3: the client vfiler1$ is asking for NT4 crypto and this server disallows it.\r\n07\/18 11:32:22 &#x5B;MISC] Eventlog: 5722 (1) &quot;vfiler1&quot; &quot;vfiler1$&quot; 0xc0000388 d0706242 73ca0006 205b4f26 3a297e85   Bbp....s&amp;O&#x5B; .~):\r\n07\/18 11:32:22 &#x5B;CRITICAL] Failed to get client's address: 0x000006e4\r\n07\/18 11:32:22 &#x5B;SESSION] MYDOMAIN: NetrServerAuthenticate entered: vfiler1 () on account vfiler1$ (Negot: 741ff)\r\n07\/18 11:32:22 &#x5B;SESSION] MYDOMAIN: NetrServerAuthenticate returns Success: vfiler1 on account vfiler1$ (Negot: 741ff)\r\n<\/pre>\n<ul>\n<li>Note that even though the time stamps are the same, the Netlogon.log file reads from top to bottom.<\/li>\n<\/ul>\n<p><strong>Explanation:<\/strong><\/p>\n<ul>\n<li>The vFiler first attempts to authenticate using the Windows NT4 cryptography algorithm.<\/li>\n<li>The Domain Controller disallows it.<\/li>\n<li>A 5722 (NETLOGON) error is logged in the System Event log with the following Description:\n<ul>\n<li>The session setup from the computer vfiler1 failed to authenticate. 
The name(s) of the account(s) referenced in the security database is vfiler1$.<\/li>\n<li>The following error occurred: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.<\/li>\n<\/ul>\n<\/li>\n<li>The \u201cFailed to get client&#8217;s address: 0x000006e4\u201d error simply means that the RPC bind failed (RPC_S_CANNOT_SUPPORT), which is to be expected.<\/li>\n<li>The vFiler re-attempts the authentication using STRONG KEY SUPPORT as per the 15<sup>th<\/sup> bit in the Client Capabilities NegotiateFlags.<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">NegotiateFlags is a pointer to a 32-bit set of bit flags in little-endian format that indicate features supported. As input, the set of flags are those requested by the client and SHOULD be the same as <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237160(v=prot.10).aspx\" target=\"_blank\">ClientCapabilities<\/a>. As output, they are the bit-wise AND of the client&#8217;s requested capabilities and the server&#8217;s <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237221(v=prot.10).aspx\" target=\"_blank\">ServerCapabilities<\/a>. 
For more details, see the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237128(v=prot.10).aspx\" target=\"_blank\">Netlogon Negotiable Options<\/a><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\"><strong>\u00a0<\/strong><\/td>\n<td colspan=\"32\" valign=\"top\">\n<p align=\"center\"><strong>The 32-bit Binary Representation of the Client Capabilities NegotiateFlags<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>701ff hex<\/strong><\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Options<\/strong><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">S<\/td>\n<td valign=\"top\">R<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td 
valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">I<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">G<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">C<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>741ff hex<\/strong><\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">0<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<td valign=\"top\">1<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><strong>Options<\/strong><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">S<\/td>\n<td valign=\"top\">R<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td 
valign=\"top\">O<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">I<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">G<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\">C<\/td>\n<td valign=\"top\"><\/td>\n<td valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\"><strong>Option<\/strong><\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">\n<p align=\"center\"><strong>Meaning<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">C<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Supports <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/b5e7d25a-40b2-41c8-9611-98f53358af66(v=prot.10)#rc4\" target=\"_blank\">RC4<\/a> encryption.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">G<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Does not require ValidationLevel 2 for nongeneric passthrough.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">I<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Supports RefusePasswordChange.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">O<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Supports strong keys.<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/0c858a52-732a-43ec-85dd-e44b357c1898(v=prot.10)#id67\" target=\"_blank\">&lt;67&gt;<\/a><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">R<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Supports the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237243(v=prot.10).aspx\" target=\"_blank\">NetrServerPasswordSet2<\/a> functionality.<a 
href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/0c858a52-732a-43ec-85dd-e44b357c1898(v=prot.10)#id69\" target=\"_blank\">&lt;69&gt;<\/a><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"71\">\n<p align=\"center\">S<\/p>\n<\/td>\n<td colspan=\"32\" valign=\"top\" width=\"693\">Supports the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc237247(v=prot.10).aspx\" target=\"_blank\">NetrLogonGetDomainInfo<\/a> functionality.<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/0c858a52-732a-43ec-85dd-e44b357c1898(v=prot.10)#id70\" target=\"_blank\">&lt;70&gt;<\/a><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\" width=\"764\"><\/td>\n<\/tr>\n<tr>\n<td colspan=\"33\" valign=\"top\" width=\"764\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Conclusion:<\/strong><\/p>\n<p>NetApp\u2019s advice in their <a href=\"https:\/\/kb.netapp.com\/support\/index?page=content&amp;id=2013862\" target=\"_blank\">KB2013862<\/a> article to make the change as recommended in Microsoft <a href=\"http:\/\/support.microsoft.com\/kb\/942564\" target=\"_blank\">KB942564<\/a> is fairly poor. Whilst this can be successfully enabled for testing purposes, it is not a recommended solution due to the security implications. The NetApp KB article says that \u201c<em>For backward compatibility purposes, a NetApp Filer may try an older version of encryption for the session key during authentication<\/em>\u201d. Notice the use of the word \u201cmay\u201d? However, there is clearly no need to \u201clower\u201d security to use the older cryptography algorithms compatible with Windows NT, as the Filers and vFilers work as expected. This means that the error is benign and can be ignored. However, as it creates unnecessary errors in the Domain Controller event logs, it would be far better if NetApp added a configuration option to their Data ONTAP Operating System to instruct it to always use STRONG KEY SUPPORT. 
These unnecessary errors would then be avoided.<\/p>\n<p>For reference, the NetApps were running\u00a0Data ONTAP 8.0.2. Let&#8217;s hope that NetApp address this sooner rather than later.<\/p>\n<p><strong>Update as of 8<sup>th<\/sup> November 2012:<\/strong><\/p>\n<p>A friend (Christoph Wegener) pointed me to section 23.7 of the <a href=\"http:\/\/www.redbooks.ibm.com\/redpieces\/abstracts\/sg247129.html?Open\" target=\"_blank\">IBM System Storage N series Software Guide Redbook<\/a>\u00a0that states \u201cIf DNS is not enabled or is configured incorrectly, the domain joining phase either fails or, if a Microsoft Windows Internet-Naming Server (WINS) is running, assumes that the domain being joined is a Windows NT 4.0 domain\u201d. Reading this got me thinking that it could also affect the domain re-authentication process. In this case I have not deployed WINS and NetBIOS is also disabled. However, this may be valuable information when trying to understand why NetApp state that \u201ca NetApp Filer may try an older version of encryption for the session key during authentication\u201d. What if the response back from DNS was slow and timed out? There is nothing logged to prove this. But one certainly has to wonder if this is indeed a bug, or simply that a condition has been met that forces it to use an older version of encryption for the session key during authentication.\u00a0It would be nice to get some input from someone at NetApp who has a complete understanding of this process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have a customer where the NetApp Filers and vFilers are generating Netlogon Event ID 5722 in the System event log on the Windows 2008 R2 Domain Controllers. 
Example: Log Name: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 System Source: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0NETLOGON Date: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 &#8230; <a title=\"NetApp Filers and vFilers generating Netlogon Event ID 5722 errors on Windows 2008 R2 Domain Controllers\" class=\"read-more\" href=\"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2012\/08\/07\/netapp-filers-and-vfilers-generating-netlogon-event-id-5722-errors-on-windows-2008-r2-domain-controllers-745\" aria-label=\"Read more about NetApp Filers and vFilers generating Netlogon Event ID 5722 errors on Windows 2008 R2 Domain Controllers\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[202,203],"tags":[208,204,429,206,210,209,211,205,207],"class_list":["post-745","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-netapp","tag-domain-controller","tag-filers","tag-netapp","tag-netlogon-5722","tag-nt4-crypto","tag-nt4-cryptography-algorithm","tag-strong-key-support","tag-vfilers","tag-windows-2008"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/comments?post=745"}],"version-history":[{"count":55,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsultin
g\/wp-json\/wp\/v2\/posts\/745\/revisions"}],"predecessor-version":[{"id":804,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/745\/revisions\/804"}],"wp:attachment":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/media?parent=745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/categories?post=745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/tags?post=745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}