Authentication failures

Discussion in 'Windows Small Business Server' started by Mike Bannister, Feb 3, 2006.

  1. I am running SBS 2003 Sp1 with all XP pro clients. One of the clients has
    suddenly started causing security event 529 as well as a netlogon failure
    event 5722. I have tried deleting machine from domain and rejoining and it
    did not solve issueThe logs shows the following:

    Source Event ID Last Occurrence Total Occurrences
    Security 529 2/3/2006 5:23 AM 26 *
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: JeanHinsley
    Domain: BCCIPDC
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: BCCIJHINSLEY
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address:
    Source Port: 3391

    Source Event ID Last Occurrence Total Occurrences
    NETLOGON 5722 2/3/2006 4:25 AM 6 *

    The session setup from the computer BCCIJHINSLEY failed to authenticate. The
    name(s) of the account(s) referenced in the security database is
    BCCIJHINSLEY$. The following error occurred: Access is denied.

    Thanks in advance for your help...
    Mike Bannister, Feb 3, 2006
    1. Advertisements

  2. Mike Bannister

    AllenM Guest

    You have the answer in the Event Log you posted.
    Check the user account and make sure it is not locked out.
    AllenM, Feb 3, 2006
    1. Advertisements

  3. I wish it were that obvious and easy. Of course I have checked the user
    account. The user logs in every day. The bulk of the events are occuring
    during off hours when the user is not present?
    Mike Bannister, Feb 3, 2006
  4. Mike Bannister

    AllenM Guest

    When you checked was the user account locked out? Can they log onto another
    machine? Has the user recently change their password? Perhaps they were
    still logged in elswhere when they did?
    AllenM, Feb 3, 2006
  5. The user account is not locked out. The user is able to logon to other
    workstations in the domain. No the user has not recently changed password and
    lastly the user never logs in on any other workstation so simultaneous
    multiple client sessions can be ruled out also.
    Mike Bannister, Feb 3, 2006
  6. Mike Bannister

    AllenM Guest

    One more test. Can you or anyone else log onto the domain from the
    workstation? If yes I would be leaning torwards a corrupt profile. Delete
    the old one, make sure you svae her desktop and documents and recreate a new
    one next logon. Delete the profile from right click My
    Computer/Properties/Advance/User Profiles Settings.
    AllenM, Feb 3, 2006
  7. Then it is a machine problem since it is isolated on the desktop.
    Can any other accont login from this desktop?
    if not then else go to end
    Did you change the workstation SID?
    Have you reinstalled / reimaged the desktop?
    if yes then register the desktop as workstation on domain else check login
    restictions on the "Mike Bannister" account, as locations
    end if no one can login from this desktop then the desktop is "banned" chack
    antivirus or any other app that can block access from a workstation
    Gabriel C. Stan, Feb 4, 2006
  8. The user "JeanHinsley" can log in to the domain from the machine
    "BCCIJHINSLEY". The problem isn't that you are unable to login, it is rather,
    why are these errors in the event log every day? It consistenly logs 30 or
    more security event 529's every day in addition to the the 5277 netlogon

    It has not been re-imaged and as far as I know the password has not been
    changed recently. Other users can log in to this workstation under their
    domain accounts as well?

    I checked the application eventlog on the XP client and it has a bunch of
    Userenv eventid 1030 and Userenv eventid 1006 logged?
    Mike Bannister, Feb 4, 2006
  9. Ohh one more thing that I missed, you mentioned that the errors occur after
    hours, do you have nay time restrictions for that specific account?
    Second , more thingy, the user leaves the desktop on during night otherwise
    you would not have any errors, but do he/she logs off?
    If yes then look for crawlers, aka viruses, spyware or anything that may
    jump when idle!
    Gabriel C. Stan, Feb 4, 2006
  10. Yes another user successfully logged in to the machine. I think you're on to
    something on the corrupt profile. To delete profile is this approach ok?
    1. Copy C:\documents and settings\user\my documents
    2. Copy C:\documents and settings\user\desktop
    3. Delete profile
    4. User logs in to machine
    5 copy my documents and desktop back to C:\documents and settings\user\.
    Mike Bannister, Feb 4, 2006
  11. I ran a full system scan using MS anti-spyware tool as well as a full system
    scan with Norton A/V with latest signatures and found nothing?
    Mike Bannister, Feb 6, 2006
  12. Hi Mike,
    Likely a problem with cached credentials. See below:

    Try: Control Panel -> User Accounts -> Advanced tab -> Manage Passwords, and
    removed the user from the list. Reboot.


    Temporarily give the affected user administrative privileges and find the
    stored user name info when logged in as that user. Go to Start -> Control
    Panel -> User Accounts -> Advanced tab -> Manage Passwords. Note that you
    cannot go in to this area without Admin privileges and you cannot see them
    when you are logged in as another user. Once I found and deleted the stored
    credentials, I removed admin privileges and was able to log in normally
    without the authentication problems.

    These solutions are both from - everyone should
    subscribe :).

    Hope it helps.
    Les Connor [SBS Community Member - SBS MVP], Feb 6, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.