RE: Auditing enabled but Logon Failures not showing up

From: dave kleiman (dave_at_netmedic.net)
Date: 10/23/03

  • Next message: thenile_at_ziplip.com: "RE: Auditing enabled but Logon Failures not showing up"
    To: <thenile@ziplip.com>, <focus-ms@securityfocus.com>
    Date: Wed, 22 Oct 2003 22:18:53 -0400
    
    

    Thenile,

    Let me make sure I have this correct.

    1. Domain = NT4 SP6a.
    2. Client = W2K SP4

    Scenario 1:

    Client tries to logon to domain.

    1. Successful logon shows in DC's event log
    2. Unsuccessful logon does NOT show in DC's event log.

    Scenario 2.

    Client tries to logon to local workstation.

    1. Successful and Unsuccessful logons show in DC's event log.

    Question 1.

    Does the user account for the local machine and Domain have the same User Id?
    (i.e. "user1" is a local account and Domain account)

    Question 2.

    What are the specific Event IDs you are seeing for failure and success?

    Try setting cached logons to 0 on the client and see if we get the same
    results.

    Dave

     
    _____________________
    Dave Kleiman
    secure@netmedic.net
    www.SecurityBreachResponse.com

    "High achievement always takes place in the framework of high expectation."
    Jack Kinder

     

    -----Original Message-----
    From: thenile@ziplip.com [mailto:thenile@ziplip.com]
    Sent: Wednesday, October 22, 2003 20:22
    To: dave kleiman; focus-ms@securityfocus.com
    Subject: RE: Auditing enabled but Logon Failures not showing up

    Thanks for your reply Dave,

    I did the search on Microsoft and could not find much info on my specific
    problem, I did find links with regards to different event problems but not
    to mine.

    In Google, there was a similar problem but there was no mention of a
    solution:
    http://groups.google.com.au/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&newwindow=1&threadm=3BF5AFE5.C2B7A7CC%40columbiaSPAM.SUCKSedu&rnum=17&prev=/groups%3Fq%3DSecurity%2BEvent%2BUnsuccessful%2BLogin%2BAttempt%26start%3D10%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26newwindow%3D1%26selm%3D3BF5AFE5.C2B7A7CC%2540columbiaSPAM.SUCKSedu%26rnum%3D17

    Can anyone out there help?

    thenile

    > -----Original Message-----
    > From: dave kleiman [mailto:dave@netmedic.net]
    > Sent: Tuesday, October 21, 2003, 2:32 PM
    > To: thenile@ziplip.com, focus-ms@securityfocus.com
    > Subject: RE: Auditing enabled but Logon Failures not showing up
    >
    > Thenile,
    >
    >
    > Try looking it up with the words "Security Event Unsuccessful Logon
    > Attempt" in the advanced search on MSFT support, it should yield what
    > you are looking for. That would be the proper terminology in MSFT's
    > world. Make sure you set it to ALL OF THE WORDS entered, or you might
    > end up with a google of hits.
    >
    > If you do not find the answer reply back and maybe I can find
    > something for you.
    >
    >
    >
    > _____________________
    > Dave Kleiman
    > secure@netmedic.net
    > www.SecurityBreachResponse.com
    >
    > "High achievement always takes place in the framework of high
    > expectation." Jack Kinder
    >
    >
    >
    >
    >
    > -----Original Message-----
    > From: thenile@ziplip.com [mailto:thenile@ziplip.com]
    > Sent: Monday, October 20, 2003 22:23
    > To: focus-ms@securityfocus.com
    > Subject: Auditing enabled but Logon Failures not showing up
    >
    >
    > Hi,
    >
    > Two NT 4 (SP 6 a) domains with a trust relationship from one to the
    > other. If a user (running win 2k SP4 with latest updates) tries to
    > logon to either of the domains with a wrong password, no failure
    > events show up on the PDC or BDC.
    >
    > Successful logons/log offs do show up in the event logs.
    > However if a user tries to logon to his specific machine (Choose this
    > machine from the drop down menu) with a wrong password a failure event
    > shows up in the PDC logs.
    >
    > Auditing is enabled on both domains and log on and log offs success
    > and failures are both ticked in the auditing section on both domains.
    >
    >
    > I am not sure if this started happening recently or it has always been
    > like this.
    >
    > Any ideas would be greatly appreciated.
    >
    > Thank you.
    >
    > thenile
