Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular we get 680, 529 and 675 in a block roughly every 2 minutes, but can also get 680 and 529 together or 675 on it's own. So far I haven't been able to work out why they have suddenly started occurring. What I've managed to work out so far is the fault either started after the ISA 2004 upgrade as part of SP1 install or after two recent KB updates, although it may coincidental. Unfortunately I'm no further to working out what is causing the entries. If anyone has any advice it would be appreciated. Thanks, Stuart. Event 680: Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: [ServerName]$ Source Workstation: [ServerName] Error Code: 0xC000006A Event 529: Logon Failure: Reason: Unknown user name or bad password Username: [ServerName]$ Logon Type: 3 Logon Process: NtLmSsp Workstation Name: [ServerName] Event 675 Preauthentication failed: Username [ServerName] User : DOMAIN\[ServerName] Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1
This is only at the server right? Got any of the following? 1. HP printer monitor software on a workstation 2. NIC helper software from Intel? Uninstall them. I had 60,000 failure audits on my DC due to the HP printer monitor software.
Hi Susan, thanks for the quick response. We don't have an NIC Helper software, but there is an HP Photosmart printer (connected via network connection) used by one workstation. The printer and driver software has been running for quite some time before the errors started occuring but I'll have a look into it. Would the HP software on a standalone printer/workstation be able to generate authantication errors like this on the DC (the software is not installed on the DC itself) ? Thanks again, Stuart.
That's exactly what happened in my office. A desktop installed printer caused 60,000 Kerb errors on the DC.
