Security log event ID 529 & System log event ID 10004

Discussion in 'Windows Small Business Server' started by JeffD, Nov 3, 2005.

  1. JeffD

    JeffD Guest

    The security log on my customer's SBS 2003 server is getting a 529 error
    thousands of times per day (some are generated every few seconds). This
    began when all user passwords were expired in order to force an immediate
    password change. There are no services starting with this valid user name, in
    fact the user listed in the top section of the error details screen is NT
    Authority\System. See falure audit details below.

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: <valid active user name>
    Domain: <my domain>
    Logon Type: 4
    Logon Process: DCOMSCM
    Authentication Package: Negotiate
    Workstation Name: SBS1
    Caller User Name: SBS1$
    Caller Domain: FCPC

    I believe DCOMSCM is a SQL tool, but I'm not sure what application is
    calling it. Additionally, the System log shows a corresponding error 10004 at
    the same time. See below for details.

    DCOM got error "Logon failure: unknown user name or bad password. " and was
    unable to logon .\<valid user name> in order to run the server:
    {92CF31D6-E904-4EE8-AAC9-E1A7719056E9}

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    If I click on the futher information link I get this info:
    Product: Windows Operating System
    ID: 10004
    Source: DCOM
    Version: 5.0
    Component: System Event Log
    Symbolic Name: EVENT_RPCSS_RUNAS_CANT_LOGIN
    Message: DCOM got error "%%%1" and was unable to logon %2\\%3 in order to
    run the server:
    %4

    I've not been able to find the service or application that is using the user
    name's credentials so that I can change it to the new password.

    How do I go about finding it?
     
    JeffD, Nov 3, 2005
    #1
    1. Advertisements

  2. JeffD

    Crina Li Guest

    Hi Jeff,

    Thank you for posting in SBS newsgroup.

    Based on my research, I find the {92CF31D6-E904-4EE8-AAC9-E1A7719056E9} is
    related Red Earth Software's application called Policy Patrol Enterprise
    3.0. You can search the registry for the GUID as in the event and found
    that it is pointing to the PP30_data server software i.e. Policy Patrol
    Software.

    You can use DCOMCNFG and open the properties of PP30_data server and went
    to the Identity tab and reset the password for administrator account.

    If the problem still persists, please perform a clean boot on the client as
    following:

    1. Click Start, click Run, and then in the Open box, type "MSCONFIG"
    (without the quotation marks). Click OK.
    2. In the System Configuration Utility (MSConfig) window, click to select
    the Selective Startup button.
    3. Click to clear the check mark from the "Load startup items" below
    Selective Startup.
    4. Click the Services tab, click to check the "Hide All Microsoft Services"
    box, and remove all the check marks from the remained Non-Microsoft
    Services. Please note that the Exchange services could be marked as
    non-Microsoft. Please do not disable those services.
    5. Click OK to close the MSConfig window. Click Yes when you are asked to
    restart your computer in order to enable the changes.
    6. After restarting, please check whether this issue will reoccur.

    Hope it helps and I look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | Thread-Topic: Security log event ID 529 & System log event ID 10004
    || From: "=?Utf-8?B?SmVmZkQ=?=" <>
    | Subject: Security log event ID 529 & System log event ID 10004
    | Date: Thu, 3 Nov 2005 10:09:01 -0800
    | | Newsgroups: microsoft.public.windows.server.sbs
    | |
    | The security log on my customer's SBS 2003 server is getting a 529 error
    | thousands of times per day (some are generated every few seconds). This
    | began when all user passwords were expired in order to force an immediate
    | password change. There are no services starting with this valid user
    name, in
    | fact the user listed in the top section of the error details screen is NT
    | Authority\System. See falure audit details below.
    |
    | Logon Failure:
    | Reason: Unknown user name or bad password
    | User Name: <valid active user name>
    | Domain: <my domain>
    | Logon Type: 4
    | Logon Process: DCOMSCM
    | Authentication Package: Negotiate
    | Workstation Name: SBS1
    | Caller User Name: SBS1$
    | Caller Domain: FCPC
    |
    | I believe DCOMSCM is a SQL tool, but I'm not sure what application is
    | calling it. Additionally, the System log shows a corresponding error
    10004 at
    | the same time. See below for details.
    |
    | DCOM got error "Logon failure: unknown user name or bad password. " and
    was
    | unable to logon .\<valid user name> in order to run the server:
    | {92CF31D6-E904-4EE8-AAC9-E1A7719056E9}
    |
    | For more information, see Help and Support Center at
    | http://go.microsoft.com/fwlink/events.asp.
    |
    | If I click on the futher information link I get this info:
    | Product: Windows Operating System
    | ID: 10004
    | Source: DCOM
    | Version: 5.0
    | Component: System Event Log
    | Symbolic Name: EVENT_RPCSS_RUNAS_CANT_LOGIN
    | Message: DCOM got error "%%%1" and was unable to logon %2\\%3 in order to
    | run the server:
    | %4
    |
    | I've not been able to find the service or application that is using the
    user
    | name's credentials so that I can change it to the new password.
    |
    | How do I go about finding it?
    |
    | --
    | Any help would be greatly appreciated.
    | Jeff D
    |
     
    Crina Li, Nov 4, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.