Here is the events I get - is there a bell ringing somewhere?
And please notice the time in these events. The server is rather busy as you
can see...
Am I right if it seems that Kerberos has something to do with this? Is that
something I can turn of? At least for testing? Any help is appreciated!
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 12.02.2007
Time: 19:15:03
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Special privileges assigned to new logon:
User Name: SERVER$
Domain: DOMAIN
Logon ID: (0x0,0x3D63A2F)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
****
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12.02.2007
Time: 19:15:03
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Successful Network Logon:
User Name: SERVER$
Domain: DOMAIN
Logon ID: (0x0,0x3D63A2F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {c91a5c93-09d7-3aa6-f4d1-41424b40d516}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.5
Source Port: 11028
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
****
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 12.02.2007
Time: 19:15:03
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
User Logoff:
User Name: SERVER$
Domain: DOMAIN
Logon ID: (0x0,0x3D63A2F)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
****
"David" wrote:
> Not uncommon depending on your audit logs.
>
> This event indicates a user logged off. The corresponding logon event (528)
> can be found by comparing the <logon id> field.
> A logon id (logon identifier or LUID) identifies a logon session. A logon ID
> is valid until the user logs off. A logon ID is unique while the computer is
> running; no other logon session will have the same logon ID. However, the set
> of possible logon IDs is reset when the computer starts up.
>
> A logon id has the following format (0x0, 0x4C37A2) and it is unique for
> each logon/logoff process.
>
> Events that generate a logoff and their corresponding logon type:
> - Interactive logoff will generate logon type 2
> - Network logoff will generate logon type 3
> - Net use disconnection will generate logon type 3
> - Autodisconnect will generate logon type 3
>
> Check your audit logs for the domain and server, also, you are probally
> getting so many because it sounds like you may be dropping connection for
> unkown reasons which could cause some reauthentication. You for sure want to
> investigate that.
>
> Hope this helps.
>
> "Oddgeir" wrote:
>
> > Hi.
> > Our server (win2003 sp1 + Exch2003 sp1), serving about 15 clients is logging
> > logon/logoff events too often. The event log says:
> > Event ID: 538
> > Source : Security
> > Category: Logon/Logoff
> > User Logoff:
> > User Name: ourSERV$
> > Domain: ourDomain
> > Logon ID: (0x1,0x2A9EB8F)
> > Logon Type: 3
> >
> > Logon type 3 is a network logon/logoff. I find it weird that the server, if
> > that's UserName =servername$ means, keeps logging off and back on. Does
> > anyone know?
> >
> > Another thing that happens is that my clients are disconnected and
> > reconnected quite often. This results in a delay for the user. In the
> > security log I can see that the users has been logged off and on again.
> >
> > The users say it happens while on the wireless network, and when they're
> > connected to the server by VPN.
> >
> > Any suggestions out there?
Linear Mode
