Events from one domain logged on a different domain's DC

From: Boris Yakubov (borisy_at_PWSOFTWARE.COM)
Date: 12/08/04

    Date:         Tue, 7 Dec 2004 16:22:48 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    OK, here is a really stupid scenario and question, if anyone can help explain the behavior.

    I have 2 Windows 2000 domains, DomainA and DomainB. NO trust relationship exists between the two domains, and both are on different subnets separated by firewalls. The FQDNs are DomainA.ACME.COM and DomainB.ACME.COM respectively. DomainA has success/failure auditing enabled for account logon/logoff etc.; DomainB does not, in fact no auditing is enabled in DomainB. There is a user JDoe in DomainB who logs on and off a Windows XP Pro SP2 workstation every day (machine name JDoe-PC); there is no account for JDoe or JDoe-PC in DomainA. Every now and again, with no particular consistency (or at least none that I have been able to identify yet), domain controllers in DomainA record in the security log failure 'logon/logoff' event 681 with the following message:

    The logon to account: JDoe
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: JDoe-PC
    failed. The error code was: 3221225572

    And an event 529 as follows:

    Logon Failure:
     Reason: Unknown user name or bad password
     User Name: JDoe
     Domain: DomainB
     Logon Type: 3
     Logon Process: NtLmSsp
     Authentication Package: NTLM
     Workstation Name: JDoe-PC

    Both events are logged at the same time. No connection was ever established (even temporarily with alternate credentials) from JDoe-PC to any of the devices in DomainA.

    This article http://support.microsoft.com/?kbid=837142 describes the exact event ID 681 and message and has a 'hotfix'; however, it makes no mention of the scenario I'm seeing, i.e. the events get recorded on a DC in a completely different domain. I have not yet obtained the hotfix; I figured I should first try to "ask the audience", and if I understand correctly this was fixed in SP2, which I've already tried to re-apply, but to no avail. Please let me know if anyone has seen anything like this before. Thank you.

    Regards,

    Boris

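The two events above carry complementary information: the 681 has the raw NTSTATUS (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER, i.e. the DC has no such account at all rather than a wrong password), while only the 529 names the domain the client claimed (DomainB) and the authentication package (NTLM). The script below is an added example, not code from the original post or from Microsoft: it decodes the 681 error code against the published NTSTATUS values, pairs each 681 with the 529 logged in the same second for the same account and workstation, and flags logon failures that name a foreign domain or a workstation not known to the DC's own domain. The flattened one-record-per-line dump format, the sample log lines, and the "known workstations" set are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Well-known NTSTATUS values as they appear (in decimal) in the 681 event text.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",        # 3221225572: account does not exist here
    0xC000006A: "STATUS_WRONG_PASSWORD",      # 3221225578
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def decode_ntstatus(code):
    """Return (symbolic name, hex string) for a decimal or 0x-prefixed NTSTATUS."""
    value = int(str(code), 0) & 0xFFFFFFFF
    return NTSTATUS.get(value, "UNKNOWN"), "0x%08X" % value

# Constructed sample (not a real capture): one flattened record per line,
# "time|event id|computer|message text", as a CSV-style dump of the security
# log would give. Records 1/2 mirror the post; 3/4 are an ordinary bad password
# from a DomainA member workstation (assumed name ASMITH-PC).
SAMPLE_LOG = """\
2004-12-07 08:12:33|681|DC1|The logon to account: JDoe by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: JDoe-PC failed. The error code was: 3221225572
2004-12-07 08:12:33|529|DC1|Logon Failure: Reason: Unknown user name or bad password User Name: JDoe Domain: DomainB Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: JDoe-PC
2004-12-07 09:02:10|681|DC1|The logon to account: ASmith by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: ASMITH-PC failed. The error code was: 3221225578
2004-12-07 09:02:10|529|DC1|Logon Failure: Reason: Unknown user name or bad password User Name: ASmith Domain: DomainA Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ASMITH-PC
"""

# Fields worth pulling out of each event's message text.
FIELDS = {
    681: {"user": r"The logon to account:\s*(\S+)",
          "workstation": r"from workstation:\s*(\S+)",
          "error": r"The error code was:\s*(\d+)"},
    529: {"user": r"User Name:\s*(\S+)", "domain": r"Domain:\s*(\S+)",
          "logon_type": r"Logon Type:\s*(\d+)",
          "auth_package": r"Authentication Package:\s*(\S+)",
          "workstation": r"Workstation Name:\s*(\S+)"},
}

def parse_events(text):
    """Parse the flattened dump into dicts; unknown event IDs keep only the header."""
    events = []
    for line in text.strip().splitlines():
        time, event_id, computer, message = line.split("|", 3)
        rec = {"time": datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
               "id": int(event_id), "computer": computer}
        for key, pattern in FIELDS.get(rec["id"], {}).items():
            m = re.search(pattern, message)
            rec[key] = m.group(1) if m else None
        events.append(rec)
    return events

def triage(events, local_domain, known_workstations):
    """Pair each 681 with the 529 logged in the same second for the same account
    and workstation (only the 529 names the domain the client claimed), decode
    the status, and flag what deserves a second look."""
    known = {w.lower() for w in known_workstations}
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            by_key[(e["time"], e["user"].lower(), e["workstation"].lower())].append(e)
    findings = []
    for e in events:
        if e["id"] != 681:
            continue
        key = (e["time"], e["user"].lower(), e["workstation"].lower())
        partner = by_key[key][0] if by_key[key] else None
        status, hexcode = decode_ntstatus(e["error"])
        finding = {"time": e["time"].isoformat(sep=" "), "user": e["user"],
                   "workstation": e["workstation"], "status": status, "hex": hexcode,
                   "domain": partner["domain"] if partner else None,
                   "auth_package": partner["auth_package"] if partner else None,
                   "flags": []}
        if partner and partner["domain"].lower() != local_domain.lower():
            finding["flags"].append("foreign-domain")        # client named another domain
        if e["workstation"].lower() not in known:
            finding["flags"].append("unknown-workstation")   # not a member of this domain
        if status == "STATUS_NO_SUCH_USER":
            finding["flags"].append("no-such-user")          # no such account here, not a bad password
        findings.append(finding)
    return findings

def run_sample():
    """Run the triage over the constructed sample as DomainA's DC would see it."""
    return triage(parse_events(SAMPLE_LOG), "DomainA", {"ASMITH-PC", "DC1"})

if __name__ == "__main__":
    for f in run_sample():
        print(f["time"], f["user"], f["domain"], f["workstation"], f["status"], f["flags"])
```

On the sample, the JDoe pair comes out flagged foreign-domain, unknown-workstation and no-such-user, while the ASmith pair is a plain STATUS_WRONG_PASSWORD with no flags. Note what the events do and do not tell you: they show that an NTLM network logon (type 3) naming JDoe and workstation JDoe-PC reached DomainA's DC and was rejected because no such account exists there. They say nothing about why the client sent that request to a DC in the wrong domain; answering that needs evidence from the client or the network path (for instance firewall logs for the connection that carried the NTLM exchange), not from the DC's security log alone.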
    

