
User Account for Composer failing credential validation – lots of audit failures


1) In the Security log on our vCenter server we see an Event 4776 Audit Failure entry for the service account used for Composer, which is then followed by a successful logon for the service account. This is occurring every few seconds to every few minutes.

 

2) Additionally, in Horizon Administrator on both connection servers, we get the following warning once or twice a day:

 

vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials

 

Everything in Horizon seems to be working fine, so I'm not sure if I need to be concerned with these or not.

 

- I’ve re-entered the credentials for the composer service account in the Horizon console (via View Configuration – Servers - vCenter Servers) on both connection servers. I can log into vSphere using that service account successfully.  Rebooted vCenter server so all VMware services were restarted. The service account has Administrator role in vSphere and local admin rights on the server.

 

Environment: 

- Horizon 7.3.2 - Two connection servers, one for internal use, one for external use paired with a security server.

- vSphere 6.5

 

In the vCenter server Security log:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/20/2018 4:23:28 PM

Event ID: 4776

Task Category: Credential Validation

Level: Information

Keywords: Audit Failure

User: N/A

Computer: VCenter.xxxx.yyyy.edu

Description:

The computer attempted to validate the credentials for an account.

 

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:  service_Composer

Source Workstation:   VCENTER

Error Code:     0xC0000064

 

This is immediately followed by successful log on for the same service account:

 

Event ID:      4648

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/20/2018 4:23:28 PM

Event ID: 4648

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: VCenter.xxxx.yyyy.edu

Description:

A logon was attempted using explicit credentials.

 

Subject:

     Security ID:          SYSTEM

     Account Name:         VCENTER$

     Account Domain:       OUR_DOMAIN

     Logon ID:       0x3E7

     Logon GUID:           {00000000-0000-0000-0000-000000000000}

 

Account Whose Credentials Were Used:

     Account Name:         service_Composer

     Account Domain:       OUR_DOMAIN

     Logon GUID:           {00000000-0000-0000-0000-000000000000}

 

Target Server:

     Target Server Name:   localhost

     Additional Information:    localhost

 

Process Information:

     Process ID:           0x870

     Process Name:         D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe

 

Network Information:

     Network Address: -

     Port:           -

 

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

 

 

Event ID:      4624

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/20/2018 4:23:28 PM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: VCenter.xxxx.yyyy.edu

Description:

An account was successfully logged on.

 

Subject:

     Security ID:          SYSTEM

     Account Name:         VCENTER$

     Account Domain:       OUR_DOMAIN

     Logon ID:       0x3E7

 

Logon Type:                8

 

Impersonation Level:       Impersonation

 

New Logon:

     Security ID:          OUR_DOMAIN\service_Composer

     Account Name:         service_Composer

     Account Domain:       OUR_DOMAIN

     Logon ID:       0x9A7BCD9

     Logon GUID:           {00000000-0000-0000-0000-000000000000}

 

Process Information:

     Process ID:           0x870

     Process Name:         D:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe

 

Network Information:

     Workstation Name:     VCENTER

     Source Network Address:    -

     Source Port:          -

 

Detailed Authentication Information:

     Logon Process:        Advapi 

     Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

     Transited Services:   -

     Package Name (NTLM only):  -

     Key Length:           0

 

This event is generated when a logon session is created. It is generated on the computer that was accessed.

 

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

 

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

 

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

 

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

 

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

 

The authentication information fields provide detailed information about this specific logon request.

     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

     - Transited services indicate which intermediate services have participated in this logon request.

     - Package name indicates which sub-protocol was used among the NTLM protocols.

     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

 

 

 

Event ID:      4672

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/20/2018 4:23:28 PM

Event ID: 4672

Task Category: Special Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: VCenter.xxxx.yyyy.edu

Description:

Special privileges assigned to new logon.

 

Subject:

     Security ID:          OUR_DOMAIN\service_Composer

     Account Name:         service_Composer

     Account Domain:       OUR_DOMAIN

     Logon ID:       0x9A7BCD9

 

Privileges:           SeSecurityPrivilege

                SeTakeOwnershipPrivilege

                SeLoadDriverPrivilege

                SeBackupPrivilege

                SeRestorePrivilege

                SeDebugPrivilege

                SeSystemEnvironmentPrivilege

                SeImpersonatePrivilege

 

 

Vpxd log from vCenter server:

  1. For the Event ID 4776 audit failures, no errors are listed in the vpxd log for the audit failure times shown in event viewer.

 

  2. For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials”, the vpxd log has entries such as:

 

2018-02-22T06:00:24.370-07:00 info vpxd[10248] [Originator@6876 sub=vpxLro opID=4571102e] [VpxLRO] -- BEGIN lro-221825 -- SessionManager -- vim.SessionManager.login -- 52e0c5f1-f27b-0e0b-b161-e9adf5b8f4e0

 

2018-02-22T06:00:24.372-07:00 error vpxd[10248] [Originator@6876 sub=[SSO] opID=4571102e] [UserDirectorySso] AcquireToken exception: class SsoClient::CommunicationException(An established connection was aborted by the software in your host machine)

--> [context]zKq8NBMEAAAABCFDTbwAddnB4ZAAASi0fdm1hY29yZS5kbGwAAACHBgDesAYAtEECAdEkAnNzb0NsaWVudC5kbGwAAVRLBAIgaQZNU1ZDUjEyMC5kbGwAAm3jBQODKgludGRsbC5kbGwAAREfAgHSwgEE0HUQdnB4ZC5leGUABNb4cAS/8nAEG0pwBSfUDnZpbS10eXBlcy5kbGwABufcBHZtb21pLmRsbAAEdvEMBH+oCwTh3gsEzaMLBKbLCwCraBgAnHgYAIkLIgJ/TwICJlECB9ITAEtFUk5FTDMyLkRMTAAD9FQB[/context]

 

2018-02-22T06:00:24.375-07:00 error vpxd[10248] [Originator@6876 sub=User opID=4571102e] Failed to authenticate user <Our_Domain\service_Composer

 

2018-02-22T06:00:27.376-07:00 info vpxd[10248] [Originator@6876 sub=Default opID=4571102e] [VpxLRO] -- ERROR lro-221825 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin:

--> Result:

--> (vim.fault.InvalidLogin) {

-->    faultCause = (vmodl.MethodFault) null,

-->    faultMessage = <unset>

-->    msg = ""

--> }

--> Args:

-->

--> Arg userName:

--> "Our_Domain\service_Composer"

--> Arg password:

--> (not shown)

-->

--> Arg locale:

-->

 

 

Connection Server logs:

 

1) For the warning “vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials”  the  connection server log has entries such as:

 

2018-02-22T06:00:26.937-07:00 ERROR (10B4-16B0) <VCHealthUpdate> [ServiceConnection25] Invalid VC login. Check username and password for VirtualCenter at https://VCENTER.XXXX.YYYY.EDU:443/sdk

2018-02-22T06:01:33.210-07:00 INFO  (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Populating temporary stores for cache from VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk

2018-02-22T06:01:33.302-07:00 INFO  (10B4-1AE0) <CacheRefreshThread-https://VCENTER.XXXX.YYYY.EDU:443/sdk> [CacheManager] Temporary stores for cache populated for VC Our_Domain\service_Composer@https://vCenter.xxxx.yyyy.edu:443/sdk

 

And the application event log on the connection server shows:

 

BROKER_VC_STATUS_CHANGED_INVALID_CREDENTIALS

vCenter at address https://VCENTER.XXXX.YYYY.EDU:443/sdk has invalid credentials

 

Attributes:

                Node=OUR_DOMAINPCON.Our_Domain.YYYY.edu

                Severity=WARNING

                Time=Thu Feb 22 06:00:26 MST 2018

                VCAddress=https://VCENTER.XXXX.YYYY.EDU:443/sdk

                Module=Broker

                Source=com.vmware.vdi.broker.health.l

                Acknowledged=true

 

Thank you for any assistance.
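
Added example, not part of the original post: a Python triage of the pattern in the Security log above, pairing each Event 4776 failure with a 4624 success for the same account shortly afterwards and decoding the NTSTATUS error code. The field names follow the Event Viewer text quoted in the post; the `svc_backup` event, the 2-second window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
# NTSTATUS values that Event 4776 reports in "Error Code".
NTSTATUS = {"0xC0000064": "STATUS_NO_SUCH_USER",
            "0xC000006A": "STATUS_WRONG_PASSWORD",
            "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample: the first two events reuse fields from the post; the
# svc_backup failure is made up to show an unpaired case.
SAMPLE = """\
Date: 2/20/2018 4:23:28 PM
Event ID: 4776
Logon Account: service_Composer
Error Code: 0xC0000064

Date: 2/20/2018 4:23:28 PM
Event ID: 4624
Account Name: VCENTER$
Logon Type: 8
Account Name: service_Composer

Date: 2/20/2018 4:40:02 PM
Event ID: 4776
Logon Account: svc_backup
Error Code: 0xC000006A
"""

def parse_events(text):
    """Blank-line-separated blocks -> dicts; a repeated key keeps its last value (New Logon)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*?)[ \t]*$", block, re.M))
        ev["when"] = datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def triage(events, window=timedelta(seconds=2)):
    """Mark a 4776 failure 'paired' if the same account logs on (4624) within `window`."""
    ok = [e for e in events if e["Event ID"] == "4624"]
    out = []
    for e in events:
        if e["Event ID"] != "4776" or e.get("Error Code", "0x0") == "0x0":
            continue  # not a credential-validation failure
        hit = next((s for s in ok
                    if s["Account Name"].lower() == e["Logon Account"].lower()
                    and timedelta(0) <= s["when"] - e["when"] <= window), None)
        out.append({"account": e["Logon Account"],
                    "status": NTSTATUS.get(e["Error Code"], e["Error Code"]),
                    "verdict": "paired" if hit else "unpaired",
                    "logon_type": hit.get("Logon Type") if hit else None})
    return out
```

A paired `STATUS_NO_SUCH_USER` result means the account name was not found by the first validation attempt and the logon succeeded immediately afterwards; unpaired failures, or `STATUS_WRONG_PASSWORD` in volume, are the ones to look at more closely. Logon Type 8 in the paired success is NetworkCleartext, so the process handed the password to the logon API in clear form.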

