We have a server running SQL 2008 R1. We have a web server in the DMZ that connects through the firewall to the SQL server and executes SQL Reporting Services reports using a domain user account.
On the SQL server, the event log has been auditing failed "Account Logon" events (event ID 680, code 0xC0000064) for this domain user. However, for each of these failure events, there is a successful Logon/Logoff event (event ID 540) for the same domain account. It should be noted that the username in the Account Logon events is specified as the UPN (username@domain.com), but the username in the Logon/Logoff events is specified as DOMAIN\Username. These events must be related to SSRS seeing as that is the only connection that should be using the account in question.
In addition, while monitoring our domain controller, each time one of the Account Logon events shows up, the domain controller CPU usage spikes to 80% or higher. I'm not sure if the two are related.
In my research, everything I have read indicates that Account Logon events are logged by domain controllers when authenticating a user. Therefore, my questions are:
- Why is my SQL server logging Account Logon events if they are supposed to be a domain controller event?
- Why is the UPN specified in one event, but the DOMAIN\Username format specified in another event?
- I'm not noticing any disruption in my application, so the failed logons are not affecting it. Why would this be?
UPDATE:
We have the same web application running on our Intranet as well. I just noticed that this application does not cause these same events to be generated. When that application connects to SSRS, it logs a couple successful Logon/Logoff events, but no Account Logon events at all. Therefore, this seems to be related to the other server being in the DMZ. I also noticed that the events generated by the Intranet connections show Kerberos as the authentication method used. However, the successful Logon/Logoff events generated from the DMZ connections indicate NTLM.
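
One way to line up the two event types described in the question, as an added example that is not part of the original post: it pairs each failed 680 with a 540 success for the same user inside a short window, treating user@domain and DOMAIN\user as one account, and reports the authentication package of the success. The records, field names, account names and the five-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# NTSTATUS value quoted in the question and its symbolic name.
STATUS_NAMES = {0xC0000064: "STATUS_NO_SUCH_USER"}

# Constructed sample records; field names are hypothetical, not a real export format.
EVENTS = [
    {"time": "2010-05-01T10:00:00", "id": 680, "account": "svc_report@example.com", "status": 0xC0000064},
    {"time": "2010-05-01T10:00:01", "id": 540, "account": "EXAMPLE\\svc_report", "package": "NTLM"},
    {"time": "2010-05-01T10:05:00", "id": 540, "account": "EXAMPLE\\svc_report", "package": "Kerberos"},
    {"time": "2010-05-01T10:07:00", "id": 680, "account": "other@example.com", "status": 0xC0000064},
]

def account_key(name):
    """Reduce user@domain.tld or DOMAIN\\user to a bare lowercase user name.
    Assumption: the UPN prefix equals the sAMAccountName, which is common but not guaranteed."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def pair_failures(events, window_seconds=5):
    """Pair every failed 680 with the first unused 540 for the same user within the window.
    Returns (user, status, package) tuples; package is None when no success followed."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    used, results = set(), []
    for failure in parsed:
        if failure["id"] != 680 or failure.get("status", 0) == 0:
            continue
        user, package = account_key(failure["account"]), None
        for idx, success in enumerate(parsed):
            delta = success["ts"] - failure["ts"]
            if (success["id"] == 540 and idx not in used
                    and account_key(success["account"]) == user
                    and timedelta(0) <= delta <= window):
                used.add(idx)
                package = success["package"]
                break
        code = failure["status"]
        results.append((user, STATUS_NAMES.get(code, f"0x{code:08X}"), package))
    return results

if __name__ == "__main__":
    for row in pair_failures(EVENTS):
        print(row)
```

A failure that pairs with an NTLM success matches the pattern in the question; a failure with no package is one where no logon followed in the window.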