Re: Why are logons "failing" and how do I get rid of...

From: David Johnston (davidj@NO.SPAM.themembersgroup.com)
Date: 10/24/02


From: "David Johnston" <davidj@NO.SPAM.themembersgroup.com>
Date: Wed, 23 Oct 2002 18:41:33 -0500


I am running mixed mode and have set up the time service...

"Henry Voight [MS]" <henryv@online.microsoft.com> wrote in message
news:#508qwacCHA.2468@tkmsftngp10...
> The errors revolve around Kerberos. Are you running in native mode or mixed
> mode? If you are running native mode, have you set up the time service? net
> time /setsntp:
>
> "Russ" <rwsinclair@mcpmail.com> wrote in message
> news:21dd01c27140$dacb5700$2ae2c90a@phx.gbl...
> > This seems right, but I can't swear to it...
> >
> > The SYSTEM account does not have a password. You can't
> > logon with it as a user. But it is a busy account, for
> > example it will open a connection to another machine
> > before you, the user, put in your information to see if
> > you are an authorized user.
> >
> > So maybe what this audit policy does is count those
> > attempts by SYSTEM as logon attempts, and since the
> > account does not enter anything as it "logs on," it is
> > considered a failure by Kerberos.
> >
> > >-----Original Message-----
> > >In an attempt to better monitor unauthorized access to our network, in our
> > >"default domain controllers policy", I activated 2 local audit policies
> > >("Audit account logon events" and "Audit logon events") and set both to
> > >"Failure".
> > >
> > >The following are now being logged in great numbers into the DC's Security
> > >Event log. I have reviewed MS02-001 (Q289243) and my file versions indicate
> > >I am current. I am at SP3.
> > >
> > >Any recommendations/suggestions are appreciated!
> > >
> > >David Johnston
> > >
> > >
> > >======================================================
> > >Event Type: Failure Audit
> > >Event Source: Security
> > >Event Category: Logon/Logoff
> > >Event ID: 537
> > >Date: 10/9/2002
> > >Time: 12:28:14 PM
> > >User: NT AUTHORITY\SYSTEM
> > >Computer: DC1
> > >Description:
> > >Logon Failure:
> > > Reason: An unexpected error occurred during logon
> > > User Name:
> > > Domain:
> > > Logon Type: 3
> > > Logon Process: Kerberos
> > > Authentication Package: Kerberos
> > > Workstation Name: -
> > >======================================================
> > >Event Type: Failure Audit
> > >Event Source: Security
> > >Event Category: Account Logon
> > >Event ID: 677
> > >Date: 10/9/2002
> > >Time: 12:34:11 PM
> > >User: NT AUTHORITY\SYSTEM
> > >Computer: DC1
> > >Description:
> > >Service Ticket Request Failed:
> > > User Name:
> > > User Domain:
> > > Service Name: krbtgt/TMG.NET
> > > Ticket Options: 0x2
> > > Failure Code: 0x20
> > > Client Address: 192.168.7.2
> > >======================================================
> > >
> > >
> > >
> > >.
> > >
>
>
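
An added example, not part of the original thread or any poster's code: a Python script that parses Security log text in the layout quoted above, maps each event 677 Failure Code to its RFC 4120 error name (0x20 is KRB_AP_ERR_TKT_EXPIRED, 0x25 is KRB_AP_ERR_SKEW), and counts failures per client address so repeated noise can be separated from failures worth reviewing. The function names, the `ROUTINE` set and the second 677 event in the sample are assumptions made for this example.

```python
import re
from collections import Counter

# Kerberos error codes defined in RFC 4120 (subset useful for logon triage).
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW"}
# Assumption of this example: expired-ticket failures are routine, all others are reviewed.
ROUTINE = {0x20}

# Constructed sample: the first 677 event reuses values quoted in the thread,
# the second 677 event (0x25 from 192.168.7.9) is invented for the example.
SAMPLE = r"""
> > >======================================================
> > >Event ID: 537
> > > Logon Type: 3
> > >======================================================
> > >Event ID: 677
> > > Service Name: krbtgt/TMG.NET
> > > Failure Code: 0x20
> > > Client Address: 192.168.7.2
======================================================
Event ID: 677
 Failure Code: 0x25
 Client Address: 192.168.7.9
"""

FIELD = re.compile(r"^[>\s]*([A-Za-z ]+?):[ \t]*(.*)$")
def parse_events(text):
    """Split a text export on '=====' rules and return one field dict per event."""
    events = []
    for block in re.split(r"^[> \t]*={10,}[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(events):
    """Count event 677 failures per (client, error name); return (routine, review)."""
    routine, review = Counter(), Counter()
    for ev in (e for e in events if e.get("Event ID") == "677"):
        code = int(ev.get("Failure Code", "0"), 16)
        key = (ev.get("Client Address", "?"), KRB_ERRORS.get(code, hex(code)))
        (routine if code in ROUTINE else review)[key] += 1
    return routine, review
```

Calling `triage(parse_events(SAMPLE))` returns two counters keyed by client address and error name; codes missing from `KRB_ERRORS` are reported in hex and land in the review counter.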


