Forums on Intune, SCCM, and Windows 11


SOLVED SCCM Server High CPU Load via LSASS.exe

walthers

Hello everyone,

I’m stumped on this one.

Following Problem: LSASS is eating all the CPU it can, as a result everything on the Server is generally slow and always pegged at 100% CPU.

What I’ve checked so far:

I’ve checked the Events in the Security Log, there are MILLIONS of Logon / Logoff Events, from client computer-accounts connecting to the SCCM, at a rate of roughly 1000 new entries per second.

I don’t know what exactly the computer accounts are authenticating for. I attached an event; they all look that way.



XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2025-03-11T09:57:36.074502800Z" />
    <EventRecordID>1055943222</EventRecordID>
    <Correlation ActivityID="{A4357DF1-9260-000B-2E7E-XXXXXX}" />
    <Execution ProcessID="956" ThreadID="23576" />
    <Channel>Security</Channel>
    <Computer>SCCM.FQDN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-3211964582-344376018-1599791471-97054</Data>
    <Data Name="TargetUserName">ClientComputeraccount$</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetLogonId">0x27171e1e</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="LogonGuid">{E2D424ED-A182-315A-CF65-6844F4947BB4}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">123.45.67.176</Data>
    <Data Name="IpPort">58815</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="TargetOutboundUserName">-</Data>
    <Data Name="TargetOutboundDomainName">-</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="TargetLinkedLogonId">0x0</Data>
    <Data Name="ElevatedToken">%%1843</Data>
  </EventData>
</Event>



I followed the Correlation Activity ID and found some more Event Log Entries:

XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
    <EventID>36874</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2025-03-11T08:48:27.1585852Z" />
    <EventRecordID>1493466</EventRecordID>
    <Correlation ActivityID="{a4357df1-9260-000b-2e7e-35a46092db01}" />
    <Execution ProcessID="956" ThreadID="7100" />
    <Channel>System</Channel>
    <Computer>SCCM.FQDN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="CallerProcessId">4</Data>
    <Data Name="CallerProcessImageName">SYSTEM</Data>
    <Data Name="Protocol">TLS 1.2</Data>
  </EventData>
</Event>



It looks like some sort of TLS issue.



Searching on the internet, I found some people with similar symptoms, but not exactly the same.

Following one lead, I checked the BGBServer.log, which is also rapidly filling with errors, though not as fast as the event log.

I included one of the messages from the BGBServer.log below, sorry it’s in German.



Code:
ERROR: Authentication failed - closing the connection. Exception: System.Security.Authentication.AuthenticationException: Fehler bei SSPI-Aufruf, siehe interne Ausnahme. ---> System.ComponentModel.Win32Exception: Die lokale Sicherheitsautorität (LSA) ist nicht erreichbar~~ --- Ende der internen Ausnahmestapelüberwachung ---~~ bei System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)~~ bei System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)~~ bei System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)~~ bei System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)~~ bei Microsoft.ConfigurationManager.BgbServerChannel.BgbTcpListener.ProcessClient(Object state) InnerException: Die lokale Sicherheitsautorität (LSA) ist nicht erreichbar



The last line reads, "local Security Authority (LSA) not reachable", which seems to fit the general Problem.

One post with a similar issue mentions the following Microsoft Documentation.

I checked all settings according to this Microsoft Doc, and it all checks out.

The clients are all Windows 10 and 11, and should therefore support TLS in the required version.



Other Information about the environment:

The SCCM Server was recently updated from 2016 to 2019 to 2022.

The SQL was also upgraded to 2022 and migrated from a remote server to the local SCCM.

It seems the issue started sometime after all that, but I can’t clearly link it to any specific action, as there is currently no issue with how the SCCM functions.

Besides the slowdown due to the high CPU load, everything seems to work (Apps, Updates, TS, PXE, Reporting...)





I honestly have never seen anything similar on any other SCCM.

I really hope someone here can help!
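
The tally the post describes (which sources produce the type 3 logons, how many arrive per second, and which Schannel 36874 errors share an ActivityID with them), as an added example that is not part of the original post. It assumes the Security and System events were exported as XML under one root element; `parse`, `triage` and the sample hosts, addresses and GUIDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}" />'
            '<Correlation ActivityID="{act}" /></System><EventData>{data}</EventData></Event>')

def make_event(eid, ts, act, **fields):
    """Build one constructed sample event in the layout of the events in the post."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return TEMPLATE.format(eid=eid, ts=ts, act=act, data=data)

# Constructed sample export: hosts, addresses and GUIDs are made up for this example.
ACT_A, ACT_B = "{AAAA0001-0000-0000-0000-000000000001}", "{BBBB0002-0000-0000-0000-000000000002}"
SAMPLE = "<Events>" + "".join([
    make_event(4624, "2025-03-11T09:57:36.074Z", ACT_A, TargetUserName="PC01$", LogonType=3, IpAddress="192.0.2.10"),
    make_event(4624, "2025-03-11T09:57:36.310Z", ACT_A, TargetUserName="PC01$", LogonType=3, IpAddress="192.0.2.10"),
    make_event(4624, "2025-03-11T09:57:36.800Z", ACT_B, TargetUserName="PC02$", LogonType=3, IpAddress="192.0.2.20"),
    make_event(4624, "2025-03-11T09:57:37.100Z", ACT_B, TargetUserName="admin", LogonType=10, IpAddress="192.0.2.30"),
    make_event(36874, "2025-03-11T09:57:37.200Z", ACT_A.lower(), Protocol="TLS 1.2"),
]) + "</Events>"

def parse(xml_text):
    """Yield (event_id, second, activity_id, data); ActivityID is lower-cased, as the post shows both cases."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        sysn = ev.find("e:System", NS)
        corr = sysn.find("e:Correlation", NS)
        act = (corr.get("ActivityID", "") if corr is not None else "").lower()
        sec = sysn.find("e:TimeCreated", NS).get("SystemTime")[:19]  # truncate to whole seconds
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield int(sysn.findtext("e:EventID", namespaces=NS)), sec, act, data

def triage(xml_text):
    """Count type 3 logons per source and per second; tie 36874 errors to them by ActivityID."""
    sources, per_second, by_act, tls = Counter(), Counter(), defaultdict(set), Counter()
    for eid, sec, act, d in parse(xml_text):
        if eid == 4624 and d.get("LogonType") == "3":
            src = (d.get("IpAddress", "-"), d.get("TargetUserName", "-"))
            sources[src] += 1
            per_second[sec] += 1
            by_act[act].add(src)
        elif eid == 36874:
            tls[act] += 1
    return {"top_sources": sources.most_common(5),
            "peak_per_second": max(per_second.values(), default=0),
            "tls_errors": {a: (n, sorted(by_act.get(a, ()))) for a, n in tls.items()}}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An ActivityID can be shared by several sources, so `tls_errors` lists every logon source seen under the same ID rather than naming a single client.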
 
Did you ever figure this out? We are currently having the exact same issue since our upgrade to 2503. Everything seems to work, but OSD fails when trying to install the client and our MPs are pegged.
 
Hi,
Unfortunately there was no real solution for this.
I had a case with Microsoft, they checked a lot of stuff but found nothing.
The problem eventually resolved on its own, still there but slowly getting better, until the symptoms stopped altogether.
Nothing was changed.
MS stalled for long enough, so by that time they just closed the Ticket without ever finding the real cause or a solution...
So, you can just wait I guess, or open a case.
 
Solution
