Security Log - Events 680, 529 and 675 for NT AUTHORITY\SYSTEM every two minutes

Discussion in 'Server Security' started by Stuart, Feb 5, 2006.

  1. Stuart

    Stuart Guest

    Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large
    number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular we
    get 680, 529 and 675 in a block roughly every 2 minutes, but can also get
    680 and 529 together or 675 on it's own. So far I haven't been able to work
    out why they have suddenly started occurring. What I've managed to work out
    so far is the fault either started after the ISA 2004 upgrade as part of
    SP1 install or after two recent KB updates, although it may coincidental.

    Unfortunately I'm no further to working out what is causing the entries. If
    anyone has any advice it would be appreciated.

    Thanks,
    Stuart.

    Event 680:
    Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: [ServerName]$
    Source Workstation: [ServerName]
    Error Code: 0xC000006A

    Event 529:
    Logon Failure:
    Reason: Unknown user name or bad password
    Username: [ServerName]$
    Logon Type: 3
    Logon Process: NtLmSsp
    Workstation Name: [ServerName]

    Event 675
    Preauthentication failed:
    Username [ServerName]
    User : DOMAIN\[ServerName]
    Service Name: krbtgt/DOMAIN.LOCAL
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 127.0.0.1
     
    Stuart, Feb 5, 2006
    #1
    1. Advertisements

  2. This is only at the server right?

    Got any of the following?

    1. HP printer monitor software on a workstation
    2. NIC helper software from Intel?

    Uninstall them.

    I had 60,000 failure audits on my DC due to the HP printer monitor software.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Feb 5, 2006
    #2
    1. Advertisements

  3. Stuart

    Stuart Guest

    Hi Susan, thanks for the quick response. We don't have an NIC Helper
    software, but there is an HP Photosmart printer (connected via network
    connection) used by one workstation. The printer and driver software has
    been running for quite some time before the errors started occuring but I'll
    have a look into it. Would the HP software on a standalone
    printer/workstation be able to generate authantication errors like this on
    the DC (the software is not installed on the DC itself) ?

    Thanks again,
    Stuart.

     
    Stuart, Feb 5, 2006
    #3
  4. That's exactly what happened in my office.

    A desktop installed printer caused 60,000 Kerb errors on the DC.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Feb 5, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.