Hello all--
We have a DC running Windows Server 2003 Standard. This same box also runs
Exchange 2003. We do have another DC, so this particular box is kind of a
backup.
I'm getting multiple 529 events for the inetinfo process, which is running
as NT AUTHORITY\SYSTEM. I've tried resetting the machine account password
--Here's the body of one of the events:--
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: ES1
Caller User Name: ES1$
Caller Domain: DOMAIN1
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1452
Transited Services: -
Source Network Address: -
Source Port: -
--end event body--
--This is the email I get from GFI's SELM:--
Event ID : 529
Event Importance : Critical importance event
Date & Time : 10/27/2006 - 12:26:10 PM
Rule Triggered : Logon Failure : ANY reason (inform on any failed logon
event)
Computer : ES1
Event Log : Security
Event Source : Security
Event Category : Logon/Logoff
Event Type : Failure Audit
S.E.L.M. Event ID : 1161374824_000000003509097
User Name : NT AUTHORITY\SYSTEM
Operating System : Windows 2003 Domain Controller
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: N/A
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: ES1
Caller User Name: ES1$
Caller Domain: DOMAIN1
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1452
Transited Services: -
Source Network Address: -
Source Port: -
More Information:
User from domain N/A tried to logon (Type 3) from the machine ES1 to the
machine ES1 and specified either a bad username or bad password.
Possible causes for the generation of this event are
(1) An authorized user is entering wrong password
(2) A user is entering a wrong username
(3) If this event was preceded by a large number of failed logon attempts,
then it can be the case that an unauthorized user is trying to gain access to
that account via a brute force password guessing operation.
(4) There is a persistent network connection with an invalid password.
(5) There is a service using a user account with an invalid password.
(6) Trust relationship has been broken.
(7) When logon screen appears after the screensaver was interrupted, but
user does't logon.
(8) A user of Microsoft Windows 95 or Microsoft Windows 98 attempts to log
on to a Windows 2000 based domain where user's account is locked, but the
FSMO has the account unlocked.
(9) Remote automatic logon operation to a computer that is running Terminal
Services with a long user name or password is not supported.
(10) This event may show up if the server is configured to accept NTLMv2 only
(11) The event occurrs on Windows XP when the user logs off.
Logon Type Legend:
2 - Interactive
3 - Network
4 - Batch
5 - Service
6 - Proxy
7 - Unlock Workstation
8 - Network logon using a clear text password
9 - Impersonated logon
Logon Process Legend:
- Advapi (triggered by a call to LogonUser; LogonUser calls
LsaLogonUser, and one of the
arguments to LsaLogonUser, OriginName, identifies the origin of the logon
attempt)
- User32 (normal Windows 2000 logon using WinLogon)
- SCMgr (Service Control Manager started a service)
- KsecDD (network connections to the SMB server-for example, when you
use a NET USE
command)
- Kerberos (the Kerberos Security Support Provider [SSP])
- NtlmSsp (the NTLM SSP)
- Seclogon (Secondary Logon-that is, the RunAs command)
- IIS (IIS performed the logon; generated when logging on the
IUSR_machinename account
or when using Digest or Basic authentication)
Authentication Package Legend:
- Negotiate
- NTLM
- Kerberos (Not Supported by Windows NT)
- MSV1_0 (Not Supported by Windows ME/98/95)
- MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (Not Supported by Windows ME/98/95)
GFI Knowledge Base article:
http://kbase.gfi.com/showarticle.asp?id=KBID001723
--end email--
As I said, I've tried resetting the machine passwords by following the
directions here:
http://support.microsoft.com/default...b;EN-US;325850
(How to use Netdom.exe to reset machine account passwords of a Windows
Server 2003 domain controller)
I searched for instructions on how to reset the nt authority\system
account's password, but from what I've read it either doesn't have one or the
processes that run under it don't need a password.
Any thoughts?
Thanks!
Joe
Similar Threads
Linear Mode
