This is an important message for users of Applications Manager regarding the new Microsoft update released in April 2024 (KB5036909 for Windows Server). This update might lead to an increase in Windows security event ID 4634 within your environment.
When a logon session is terminated, event 4634 is generated. Unlike Event ID 4647, it doesn't necessarily mean a user intentionally logged out. Various scenarios can lead to session termination, such as a computer going to sleep mode, a network connection dropping abruptly, or a system crash.
The April 2024 security update for Windows Server might cause a significant increase in NTLM authentication traffic on domain controllers (DCs). This surge in NTLM attempts can strain authentication processes, potentially leading to more frequent failed logoffs. The result is a rise in Windows security event ID 4634 being logged, indicating terminated sessions rather than successful logoffs.
Applications Manager typically collects data every 5 minutes and performs login/logoff operations 3-5 times per data collection, which amounts to approximately 1000+ events generated per day per server.
Applications Manager users who use the WMI mode of monitoring for Microsoft applications (Windows, IIS servers, etc.) without Kerberos authentication might be impacted.
Note: This does not mean that every system with the April 2024 update applied will face this issue. Since the exact root cause of this issue has not been disclosed by Microsoft, we cannot determine the environments in which this issue is likely to occur.
Even though Event ID 4634 may get generated in bulk, the data collection and monitoring in Applications Manager is not affected. There are two ways to fix this issue:
Microsoft has addressed the issue in the May 2024 update. Updating to the latest version will reduce the generation of Event ID 4634. Depending on the Windows Server version used in your environment, the update containing the fix is given below:
Switching to Kerberos mode eliminates the event surge and improves overall security. Migrating to Kerberos mode requires some configuration changes within Applications Manager (edit the respective monitor and enable the Kerberos mode of authentication). Ensure your environment is compatible with Kerberos authentication for WMI communication.
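To check whether a given server is affected, the added script below (not Applications Manager's or Microsoft's code) counts the 4634 events logged on the server over the last 24 hours and inspects the 4624 logon events of the monitoring account to see whether its WMI sessions authenticate with NTLM or Kerberos. It assumes it is run elevated on the monitored Windows server and that `$MonitorAccount` is replaced with the account Applications Manager actually uses (the value in the script is a placeholder).

```powershell
# Added example: measure the Event ID 4634 rate and check the authentication
# package used by the Applications Manager monitoring account.
# Assumptions: run in an elevated PowerShell session on the monitored server;
# $MonitorAccount is a placeholder (the sAMAccountName, without the domain prefix).
param(
    [string]$MonitorAccount = 'APPMGR_SVC',   # placeholder, replace with the real account
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Pull the EventData fields of a Security event into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Logoff events (4634): total in the window, extrapolated per day, and how many
#    belong to the monitoring account. The page cites roughly 1000+/day/server as normal.
$logoffs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634; StartTime=$since} -ErrorAction SilentlyContinue
$byAccount = @{}
foreach ($e in $logoffs) {
    $f = Get-EventFields $e
    $byAccount[$f['TargetUserName']] = 1 + [int]$byAccount[$f['TargetUserName']]
}
"4634 events in the last $Hours h: $($logoffs.Count) (~$([math]::Round($logoffs.Count * 24 / $Hours)) per day)"
"4634 events for '$MonitorAccount': $([int]$byAccount[$MonitorAccount])"

# 2. Logon events (4624) for the monitoring account: NTLM means the WMI monitor runs
#    without Kerberos and is in scope for this issue; Kerberos means it is not.
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue
$packages = @{}
foreach ($e in $logons) {
    $f = Get-EventFields $e
    if ($f['TargetUserName'] -ne $MonitorAccount) { continue }
    $packages[$f['AuthenticationPackageName']] = 1 + [int]$packages[$f['AuthenticationPackageName']]
}
"Authentication packages seen in 4624 logons for '$MonitorAccount':"
$packages.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object { "  $($_.Key): $($_.Value)" }
if ([int]$packages['NTLM'] -gt 0 -and [int]$packages['Kerberos'] -eq 0) {
    "Monitoring sessions are NTLM-only: this server is in scope for the 4634 surge. Consider enabling Kerberos mode."
}
```

Run it before and after applying the May 2024 update or switching the monitor to Kerberos mode to confirm the 4634 count drops and the authentication package changes from NTLM to Kerberos.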