Re: Missing IP address in Security Audit

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/10/05


Date: Wed, 9 Mar 2005 21:33:48 -0600

Be sure you check all the logon event entries. I also see a lot of what you
describe but I also do see events logged with the computer IP as shown
below. I admit that Windows account logon auditing is less than friendly as
in the user is always shown as system in the security log table. If you
enable auditing of logon events in domain computers a logon event will also
be recorded on the domain computer when a domain user logs onto it.

--- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/9/2005
Time: 8:58:13 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER1-2003
Description:
Service Ticket Request:
  User Name: Administrator@Test1.COM
  User Domain: TEST1.COM
  Service Name: SERVER1-2003$
  Service ID: TEST1\SERVER1-2003$
  Ticket Options: 0x40800000
  Ticket Encryption Type: 0x17
  Client Address: 192.168.1.52
  Failure Code: -
  Logon GUID: {831290c7-686c-b3cd-0a2f-16c434e9b3fb}
  Transited Services: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Ronald" <Ronald@discussions.microsoft.com> wrote in message
news:C13A9AAC-5E97-4A99-A5DD-95282313C6A0@microsoft.com...
> more information, as you can see, I log in from a remote PC to the domain, but
> the logon shows the client IP as 127.0.0.1
>
> Authentication Ticket Granted:
> User Name: Administrator
> Supplied Realm Name: ALTDOMAIN
> User ID: %{S-1-5-21-1390850448-2335789268-393128203-500}
> Service Name: krbtgt
> Service ID: %{S-1-5-21-1390850448-2335789268-393128203-502}
> Ticket Options: 0x40810010
> Ticket Encryption Type: 0x17
> Pre-Authentication Type: 2
> Client Address: 127.0.0.1
>
> "Ronald" wrote:
>
>> Hi All,
>> not sure if you come across this problem.
>>
>> I have a domain with 8 member servers. Apparently we had turned on security
>> audit for successful logon as well.
>>
>> The problem is user name, server name etc. are correctly captured in the
>> event log (Security) but it does not capture the correct IP of the remote host
>> that logs in to the domain. The IP shown in the log is 127.0.0.1 (local host
>> address). Can anyone help and advise any settings that I have missed out?
>>
>> Regards
>> Ronald
>>
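
Added example, not part of the original thread: one way to follow the advice above and check every ticket event in a text export of the Security log, separating entries whose Client Address is loopback from those that carry a routable address. The sample export is constructed in the layout of the two events quoted in this thread; the function names and the user-name normalisation are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample in the layout of the two event descriptions quoted above.
SAMPLE_EXPORT = """\
Service Ticket Request:
  User Name: Administrator@Test1.COM
  Client Address: 192.168.1.52

Authentication Ticket Granted:
  User Name: Administrator
  Client Address: 127.0.0.1
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*)$")

def parse_events(text):
    """Split a blank-line separated export into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD.match(line) for line in block.splitlines())
        fields = {m.group(1): m.group(2).strip() for m in matches if m}
        if "Client Address" in fields:   # keep only ticket events
            events.append(fields)
    return events

def classify(address):
    """Return 'loopback', 'remote' or 'unparsed' for a Client Address value."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:                   # "-" or an empty field
        return "unparsed"
    return "loopback" if ip.is_loopback else "remote"

def sources_by_user(events):
    """Map user to the remote addresses seen and a count of loopback entries.
    Assumption: the realm suffix is dropped and the name lower-cased so that
    'Administrator@Test1.COM' and 'Administrator' fall under one key."""
    out = {}
    for ev in events:
        user = ev.get("User Name", "?").split("@")[0].lower()
        entry = out.setdefault(user, {"remote": set(), "loopback": 0})
        kind = classify(ev["Client Address"])
        if kind == "remote":
            entry["remote"].add(ev["Client Address"])
        elif kind == "loopback":
            entry["loopback"] += 1
    return out
```

Calling sources_by_user(parse_events(SAMPLE_EXPORT)) on the sample shows one loopback entry and one remote address for the same account, which is the pattern described in the reply above.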


