RE: Auditing enabled but Logon Failures not showing up

From: Frank Heyne (fh_at_rcs.urz.tu-dresden.de)
Date: 10/25/03

  • Next message: Sean Warnock: "Event Log messages for failed logon attempts" 
    To: focus-ms@securityfocus.com, thenile@ziplip.com
Date: Sat, 25 Oct 2003 10:07:32 +0200

    On 23 Oct 2003, at 20:42, thenile@ziplip.com wrote:

    > Step 3: Joes tries to logon on with wrong password and staright away tries
    > to log on with right password, event 529 show up on DCs.

    I assume even when Joe does log on with the right password first,
    you get a 529 on the DC?

    The reason could be:
    On some earlier session, Joe did make a network connection to the DC.
    This connection used another account, because a local account normally
    can't connect to the DC. Joe did use the option "reconnect again..."
    Now when Joe logs on again, the WS tries to reestablish the connection
    to the network share, but it has no or the wrong password.

    If my assumption is wrong, you really should provide the entire output of
    the 529 event on the DC, as other members on the list already
    suggested.

    Frank Heyne

    ---------------------------------------------------------------------------
    FREE Whitepaper: Better Management for Network Security

    Looking for a better way to manage your IP security?
    Learn how Solsoft can help you:
    - Ensure robust IP security through policy-based management
    - Make firewall, VPN, and NAT rules interoperable across heterogeneous
    networks
    - Quickly respond to network events from a central console

    Download our FREE whitepaper at:
    http://www.securityfocus.com/sponsor/Solsoft_focus-ms_031015
    ---------------------------------------------------------------------------

  • Next message: Sean Warnock: "Event Log messages for failed logon attempts"

    Relevant Pages

    • RE: Wireless Security
      ... Let's say that "Joe Schmoe" has ... setup a Wi-Fi network for his and his families to use/share a common cable/DSL ... Subject: Wireless Security ...
      (Security-Basics)
    • Re: Floating Computer between domains
      ... As I told you Joe in some else other post, you're in deed Psychic, how the hack did you come up with the conclusion that the networks were disconnected??? ... network, and then allow it to talk to the DC on the other network... ... Would this work allowing the two DC's to communicate with eachother? ... by running Virtual PC or VMWare workstation on the laptop. ...
      (microsoft.public.windows.server.active_directory)
    • RE: Auditing enabled but Logon Failures not showing up
      ... Joe did make a network connection to the DC. ... Better Management for Network Security ...
      (Focus-Microsoft)
    • Re: Cannot access internal resources
      ... | rule to let Netbios traffic from the localhost the internal network ... | on the isa server or is this not needed? ... Hi Joe ... Even if you're in a VPN environnement, ...
      (microsoft.public.isa.vpn)
    • Re: IP address problem
      ... >>>When the laptop is brought home for a wireless network connection to the home ... >> you using cable networking to connect two computers? ... >JOE ...
      (microsoft.public.windowsxp.network_web)