Re: Event ID 681
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/10/05
- Next message: Roger Abell [MVP]: "Re: Why Are "Permission Entries" changed"
- Previous message: Steven L Umbach: "Re: 802.1x Widonws 2000 Service Pack 4"
- In reply to: waynebk: "Event ID 681"
- Next in thread: John John: "Re: Event ID 681"
- Reply: John John: "Re: Event ID 681"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Mar 2005 22:06:59 -0600
The error code 3221225572 indicates that a bad username is being used to
authenticate. I would make sure that the user is trying to logon to their
computer with the correct logon name as compared to the logon name that ISA
uses to authenticate users which would be either local user accounts or
domain accounts depending on if a domain is being used or not. --- Steve
"waynebk" <waynebk@discussions.microsoft.com> wrote in message
news:7DB95BD3-2312-41F3-877D-B1C318D4AD28@microsoft.com...
> Recently I began noticing Event ID 681 errors in the security logs of our
> Microsoft ISA Server 2000. These errors are only occuring on 2 specific
> workstations/user accounts. The event log reads as follows:
> -----------------------------------------
> Date: 3/3/2005
> Time: 8:33
> Type: Failure
> User: NT AUTHORITYSYSTEM
> Computer: SERVERNAME
> Source: Security
> Category: Account Logon
> Event ID: 681
>
> Description:
> The logon to account: USERNAME
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: WORKSTATIONNAME
> failed. The error code was: 3221225572
> -----------------------------------------
>
> This error message is being generated atleast every minute, if not 2 or 3
> times a minute and has been occuring since last week sometime. I made
> several
> changes on our ISA server last week so that ISA would log user names
> rather
> than IP addresses. It seems that these error messages began appearing
> after
> that. I find it strange, however, that only 2 users are experiencing this.
> We
> have approximately 50 users total and all other accounts seem fine. I have
> verified that the firewall client is installed and configure properly on
> these 2 workstations. I have also tried renaming these workstations.
>
> The changes made to ISA last week were as follows:
>
>>Open SCPFIRE properties>incoming web requests, check the box ?Ask
>>unauthenticated users for identification?.
>
>>Access policy>Site & Content rules>Change proxy rule to apply to
>>Accounts:Everyone as opposed to any request (eliminates anonymous access).
>
> Any ideas how to eliminate this problem from recurring?
>
> I've also obtained a hotfix from MS, which did not work (KB837142).
>
> Thanks in advance - Wayne
- Next message: Roger Abell [MVP]: "Re: Why Are "Permission Entries" changed"
- Previous message: Steven L Umbach: "Re: 802.1x Widonws 2000 Service Pack 4"
- In reply to: waynebk: "Event ID 681"
- Next in thread: John John: "Re: Event ID 681"
- Reply: John John: "Re: Event ID 681"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
