Re: Unexplained Failed Logins



It is going to be pretty hard to get much further with the
available info (i.e. evt log examples). Since it apparently
negotiated Kerberos authentication we could assume that
the originator was recognized as part of the domain (except
I am a bit thrown off by the stated client IP - it is almost as
if the DC is attempting a login via a delegation, plus I have
been noticing increased "probes" which seem to skirt negotiation
and directly attempt Kerberos authN on network exposed
machines/interfaces).

As I said, the evt msgs you showed do not fit a FrontPage
authentication which would show IIS and use NTLM.

Are you auditing login success so that you could see if
there is a subsequent successful login?
There are ways to make Kerberos logging more verbose,
but that is not something one would want to leave enabled.

Is there any type of VPN capability enabled?

Also, you may want to post to the windows.server.sbs
newsgroup as people there are more deeply familiar
with the exposures SBS has to the external network.

Roger

"James B" <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1FC5A304-39F7-4020-849F-4A47E97F3D0E@xxxxxxxxxxxxxxxx
Roger,
Thanks for the reply. I checked the System & Application logs and I could
see no Terminal Services activity at all (I have logging for Terminal
Services enabled). I also checked the ISA logs and there was no irregular
IP activity for hours before or after these times. We don't have the Front
Page options enabled on our server.

Since I've been able to rule out employees, intruders, ghosts and mice, I
can only imagine that there was some sort of external activity though I
can't find it in any log files. During that time period there was one user
logged into OWA (she forgot to shut down her home PC and OWA polled the
server every 2 minutes).

Can you suggest any other places/logs to check for external activity? I'm
not thrilled with the thought that someone got as far as they did.


Thanks again,
James


"Roger Abell [MVP]" wrote:

Local login does not happen only via the console/keyboard.
For a couple examples, IIRC with W2k a terminal services login is
a local login, or with all versions of the OS an authentication via Front
Page for web authoring is a local login (although the event log entries
you post would not fit the FrontPage pattern).
So, you may want to examine the external network exposures.
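
Added example, not part of the original thread or written by either poster: one way to answer the "is there a subsequent successful login?" question from an exported Security log, by pairing failure audits with a later success for the same account and client address. The CSV layout, the sample rows, the 15-minute window and the `dc_addrs` parameter are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy (Windows 2000/2003) Security log logon events: 528/540 logon success,
# 529 bad user name or password, 672 Kerberos AS ticket request, 675 pre-auth failed.
LOGON_IDS = {528, 529, 540, 672, 675}

# Constructed sample export (not taken from the thread); column names are assumptions.
SAMPLE = """time,type,event_id,account,client
2006-03-01 02:10:05,Failure Audit,675,administrator,192.0.2.10
2006-03-01 02:10:09,Failure Audit,675,administrator,192.0.2.10
2006-03-01 02:10:30,Failure Audit,529,jsmith,198.51.100.7
2006-03-01 02:11:02,Success Audit,672,administrator,192.0.2.10
2006-03-01 02:12:00,Success Audit,540,owauser,203.0.113.5
2006-03-01 09:00:00,Success Audit,528,jsmith,198.51.100.7
"""

def failures_then_success(text, window=timedelta(minutes=15), dc_addrs=()):
    """Return one finding per success that follows failures for the same
    account and client address within `window`."""
    pending = defaultdict(list)   # (account, client) -> failure timestamps
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for row in rows:
        if int(row["event_id"]) not in LOGON_IDS:
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["account"].lower(), row["client"])
        if row["type"] == "Failure Audit":
            pending[key].append(when)
            continue
        # A success clears the pending failures; keep only those inside the window.
        recent = [t for t in pending.pop(key, []) if when - t <= window]
        if recent:
            findings.append({
                "account": key[0], "client": key[1],
                "failures": len(recent), "success_at": when,
                # The thread notes a client IP that looked like the DC itself.
                "client_is_dc": key[1] in dc_addrs,
            })
    return findings

if __name__ == "__main__":
    for f in failures_then_success(SAMPLE, dc_addrs={"192.0.2.10"}):
        print(f)
```

This only works if success auditing for logon events is enabled, which is the question asked above.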

