SharePoint Behavior Using CrashOnAuditFail

By James | 02/16/2017

CrashOnAuditFail Defined

The purpose of the CrashOnAuditFail registry key is to configure a server so that end users are not permitted access to the computer when the security logs reach the configured size limit. Disallowing access to the computer ensures that audit information that would otherwise be logged is not missed. The system also uses this entry to indicate that this feature has been triggered (a value of 2). When the value of this entry is 2, only members of the Administrators group can log on to the computer. This restricted state lets an administrator log on to resolve the problem and to reset the value of this entry to 1.

CrashOnAuditFail Settings

The CrashOnAuditFail registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\LSA. Possible values include:

  • 0: The feature is off. The system does not halt, even when it cannot record events in the Security Log. This is the default behavior if the CrashOnAuditFail key does not exist.
  • 1: The feature is on. The system halts when it cannot record an event in the Security Log.
  • 2: The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.

SharePoint Behavior After Crash Occurs

Once CrashOnAuditFail is triggered, a variety of strange behaviors may occur:

  • If anonymous access is enabled, portal access may be unaffected.
  • If anonymous access is disabled, only members of the Administrators group will be able to access the portal. Regular users will not be able to authenticate.
  • SharePoint service applications that use service accounts that are not members of the Administrators group will stop working.
  • If the affected system is a SharePoint SQL server, access to the SharePoint databases will fail unless the SQL service account is a member of the Administrators group.

The security log will show failed logon events (ID 4625) for regular users attempting to authenticate and access the portal:

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Some_Account
Account Domain: Windows_Domain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006e
Sub Status: 0x0

Restoring SharePoint Access

To restore access, an administrator must log on to the affected system, clear the security event log and update the CrashOnAuditFail registry key. You may want to back up the security event log before clearing it. Reboot the system once the security event log is cleared and the registry key has been updated.
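
The recovery steps above as a PowerShell script, added here as an example and not part of the original article. It assumes an elevated session run by a member of the Administrators group, and the backup folder D:\SecurityLogArchive is a placeholder to change for your environment.

```powershell
# Added example: recover a server where CrashOnAuditFail has been triggered (value 2).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'CrashOnAuditFail'
$BackupDir = 'D:\SecurityLogArchive'   # assumed path, not from the article

function Get-CrashOnAuditFailState {
    # A missing value means the feature is off, the same as 0.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$ValueName
}

$state = Get-CrashOnAuditFailState
Write-Host "CrashOnAuditFail is currently $state"

if ($state -ne 2) {
    Write-Host 'The feature has not been triggered; nothing to reset.'
}
else {
    # 1. Back up the Security log and clear it in one step.
    #    'wevtutil cl <log> /bu:<file>' writes the backup before clearing.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "Security-$env:COMPUTERNAME-$stamp.evtx"
    wevtutil.exe cl Security "/bu:$backup"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Security log was not backed up and cleared (wevtutil exit code $LASTEXITCODE)."
    }

    # 2. Reset the value from 2 (triggered) to 1 (feature on, not triggered).
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 1 -Type DWord

    # 3. Confirm the change took effect, then reboot with a confirmation prompt.
    if ((Get-CrashOnAuditFailState) -ne 1) {
        throw 'CrashOnAuditFail was not updated; check permissions on the LSA key.'
    }
    Write-Host "Security log archived to $backup; CrashOnAuditFail reset to 1."
    Restart-Computer -Confirm
}
```

If the Security log fills again before its size limit or archiving is adjusted, the value returns to 2 and the same lockout recurs.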

Security Event Log Settings and Archiving

Security log settings and an automated archiving solution are discussed here.
