Audit Failure in Security log every 10 minutes or so - "Unknown user name or bad password"

Hi,

  • Octopus Version: 3.11.4
  • Operating System: Windows Server 2012 R2
  • Running the OctopusDeploy Windows process as a domain service account

As the title says, every 10 minutes or so we are seeing audit failures in the Security event viewer saying that the domain service account we’re using for the OctopusDeploy Windows process has an “Unknown user name or bad password”. There’s nothing wrong with the username or password, since Octopus Deploy is working fine. We’ve run Process Monitor (from Sysinternals) and seen some events that correspond with the timing of the audit failures in the Security log. I’ve attached a screenshot from procmon (disregard the red lines - they were used to point out the timestamps to internal staff).

I don’t really know what activeds.tld is, but it sounds like Active Directory is involved here. We’re using Active Directory integration for authenticating users in Octopus.

Can you help shine some light on what this might be? We would really like to get rid of all these audit failures.

/Trond

auditfailure_octopus.server.exe_activeds.txt (1 KB)

Hi Trond,

Thanks for getting in touch. Sorry to hear you’re getting these errors in the event log. I cannot find any evidence that we use activeds.tld directly, so at this stage I’m unsure what is triggering its use.

You mentioned that you are using Active Directory authentication. Do you know whether you are using the default Authentication Scheme, i.e. do you know if you’re using Ntlm? The log you attached mentioned Kerberos, so I just wanted to check.

One reason I could think of for the process having to authenticate is when accessing network resources. Do you have any of the Octopus logs or anything configured on network paths?

Is it possible that the password on the service account has expired? The service will continue running if it was running prior to the password expiring, but you will get errors at certain points.

Regards
Shannon
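
Added example, not part of either post above and not Octopus Deploy code: one way to pull the failed-logon events (event ID 4625) for the service account from the Security log and summarise the fields that bear on the questions raised in the reply (authentication package, failure sub-status, calling process), plus the spacing between failures. The account name `svc-octopus` is a placeholder, and the 24-hour window is an assumption.

```powershell
# Placeholder account name: substitute the domain service account in use.
$Account = 'svc-octopus'

# Event ID 4625 = "An account failed to log on" (Security log).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)   # assumed look-back window
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $Account) { continue }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        LogonType    = $data['LogonType']
        AuthPackage  = $data['AuthenticationPackageName']   # NTLM, Kerberos, Negotiate
        LogonProcess = $data['LogonProcessName']
        Status       = $data['Status']
        # SubStatus narrows the reason, for example:
        #   0xC0000064 no such user, 0xC000006A wrong password,
        #   0xC0000071 password expired
        SubStatus    = $data['SubStatus']
        Process      = $data['ProcessName']
        Workstation  = $data['WorkstationName']
        SourceIp     = $data['IpAddress']
    }
}

# Which combination of package / logon type / reason / process dominates?
$failures |
    Group-Object AuthPackage, LogonType, SubStatus, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Gap between consecutive failures, to confirm the roughly 10-minute cadence.
$sorted = @($failures | Sort-Object TimeCreated)
for ($i = 1; $i -lt $sorted.Count; $i++) {
    $gap = ($sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated).TotalMinutes
    '{0:u}  +{1:N1} min' -f $sorted[$i].TimeCreated, $gap
}
```

Run it from an elevated PowerShell session on the server that records the audit failures, since reading the Security log requires administrative rights.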