We have created a local account to run the CPOSSH service. We are now constantly seeing audit failures on our domain controller where the server is trying to authenticate the local account against the domain and it is even using the local server in the login. So the audits show <local server>\<account name> as the login on the domain controller. The odd thing is that everything is working correctly. So, my question is why is this trying to authenticate againts the domain and what might be we doing to cause that?
Do you also have a domain account with the same name as your local account ? It may help to use a local account non-existent in your domain.
We do not have a similar domain account. The local account was created for security reasons. I did read another post where you said the following:
Windows requires an access token provided by a user/password combination, which is non-existant in PKA authentication. Instead, service account credentials are used as a replacement.
Could this be the case? It would still be strange since the local account is specifically called out to run the servive so you would think it would authenticate locally.
Comment you refer to is about a pecularity about PKA authentication in which credentials of the service account is used, due to lack of similar native functionality in Windows. I was just thinking if your server is a domain member - if this is the case, domain authentication takes precedence somehow. However, as you say that you do not a domain account with the same name, this is probably not the problem.
Copssh uses available authentication layers in Windows. I have no idea why a local account creates audit entries at your domain controller. It seems to me as a windows specific problem.
Thank you for your reply. We are getting about 40,000 audit failures a day so I am going to keep working on it. If I find a solution I will post it here.