
Invalid client IP address in security event ID 4624 in Windows 7 and Windows Server 2008 R2

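Symptoms
Assume that the Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2 (KB2592687) is installed and enabled through policy settings. When a user logs on to the computer through Remote Desktop, security event ID 4624 is logged and shows an invalid client IP address and port number, as follows: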

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/14/2015 6:10:36 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      <computerFQDN>
Description:
An account was successfully logged on.

Subject:
       Security ID:            SYSTEM
       Account Name:           <MachineName>$
       Account Domain:         <DomainName>
       Logon ID:               0x3e7

Logon Type:                    10

New Logon:
       Security ID:            <DomainName>\<username>
       Account Name:           <UserName>
       Account Domain:         <DomainName>
       Logon ID:               0x35137
       Logon GUID:             {00000000-0000-0000-0000-000000000000}

Process Information:
       Process ID:             0x7cc
       Process Name:           C:\Windows\System32\winlogon.exe

Network Information:
       Workstation Name:       <computername>
       Source Network Address: 244.230.0.0
       Source Port:            0

Detailed Authentication Information:
       Logon Process:          User32
       Authentication Package: Negotiate
       Transited Services:     -
       Package Name (NTLM only): -
       Key Length:             0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
       - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
       - Transited services indicate which intermediate services have participated in this logon request.
       - Package name indicates which sub-protocol was used among the NTLM protocols.
       - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Cause
This issue occurs because of a code change in RDP 8.0. In RDP 8.0, the client IP address is stored in a WTS_SOCKADDR structure. This differs from RDP 7.0 (the default RDP version in Windows 7 and Windows Server 2008 R2).

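In Windows 8 and Windows Server 2012 (and later versions of Windows), the code logic that logs the event was rewritten based on the new design. This prevents the issue from occurring.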
Resolution
To resolve this issue, upgrade the RDP target computer to Windows 8 or Windows Server 2012 (or a later version). Alternatively, disable RDP 8.0 in Windows 7 or Windows Server 2008 R2.
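More information
You may also encounter this issue if you use a third-party RDP component to log on to Windows 7 or Windows Server 2008 R2 and that third-party component uses the same WTS_SOCKADDR structure. In this case, consider upgrading the operating system, or contact the component provider for help.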
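On hosts that still log the event this way, the source address in an RDP logon cannot be used for attribution. The following is an added example, not part of the Microsoft article: it parses rendered 4624 messages and marks Logon Type 10 events whose address or port is not plausible. The function names, the heuristic and the second and third sample messages are assumptions made for illustration.

```python
import ipaddress
import re

# Field labels as rendered in the 4624 message text.
FIELDS = {
    "logon_type": r"Logon Type:[ \t]*(\d+)",
    "address": r"Source Network Address:[ \t]*(\S+)",
    "port": r"Source Port:[ \t]*(\S+)",
}

def parse_4624(message):
    """Extract the fields of interest from one rendered 4624 message."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, message)
        found[name] = m.group(1) if m else None
    return found

def source_is_unreliable(event):
    """True for an RDP logon (type 10) whose client address cannot be trusted.

    Heuristic (assumption): a real RDP client has a unicast address and a
    non-zero port, so a reserved, multicast, unspecified or unparsable
    address, or port 0, means the field was not populated correctly.
    """
    if event["logon_type"] != "10":
        return False  # other logon types legitimately log "-" here
    try:
        ip = ipaddress.ip_address(event["address"] or "")
    except ValueError:
        return True
    bad_ip = ip.is_reserved or ip.is_multicast or ip.is_unspecified
    return bad_ip or event["port"] in (None, "0", "-")

# Constructed samples, trimmed to the relevant lines. "kb_symptom" uses the
# values shown in the article; the other two are made up for comparison.
SAMPLES = {
    "kb_symptom": "Logon Type: 10\nSource Network Address: 244.230.0.0\n"
                  "Source Port: 0\n",
    "normal_rdp": "Logon Type: 10\nSource Network Address: 10.20.30.40\n"
                  "Source Port: 49812\n",
    "network_logon": "Logon Type: 3\nSource Network Address: -\n"
                     "Source Port: -\n",
}

def triage(samples):
    return {k: source_is_unreliable(parse_4624(v)) for k, v in samples.items()}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

For flagged events, take the client address from another source such as firewall or gateway logs rather than from the 4624 record.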


Properties

Article ID: 3097467 - Last review: 10/06/2015 10:02:00 - Revision: 2.0

Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows 7 Service Pack 1, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Ultimate
