Re: Unexplained Failed Logins


"James B" <JamesB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47C55EAD-3A8E-4E3A-A344-9B1888E288AC@xxxxxxxxxxxxxxxx
Roger,
We do audit successful logins. There were no successful user logins for
hours before or after these failures. The things that bookended these
failures were a backup job at 11:58 pm and a NAV scan at 5:00 am.

We do have a VPN. I checked the log file and didn't see anything near
that
time, though that file only shows successful connections.

Do you have any other recommendations regarding what files/logs I should
check?


No, I do not. Again, you seem to have looked most places
that may leave trace, so I would recommend that you ask in
the SBS newsgroup in order to key in on peculiarities of
that bundle.

Roger


"Roger Abell [MVP]" wrote:

It is going to be pretty hard to get much further with the
available info (i.e. evt log examples). Since it apparently
negotiated Kerberos authentication we could assume that
the originator was recognized as part of the domain (except
I am a bit thrown off by the stated client IP - it is almost as
if the DC is attempting a login via a delegation, plus I have
been noticing increase "probes" which seem to skirt negotiation
and directly attempt Kerberos authN on network exposed
machines/interfaces).

As I said, the evt msgs you showed do not fit a FrontPage
authentication which would show IIS and use NTLM.

Are you auditing login success so that you could see if
there is a subsequent successful login?
There are ways to make Kerberos logging more verbose,
but that is not something one would want to leave enabled.

Is there any type of VPN capability enabled?

Also, you may want to post to the windows.server.sbs
newsgroup as people there are more deeply familiar
with the exposures SBS has to the external network.

Roger


.

Relevant Pages

  • Re: Unexplained Failed Logins
    ... We do audit successful logins. ... failures were a backup job at 11:58 pm and a NAV scan at 5:00 am. ... if the DC is attempting a login via a delegation, ... and directly attempt Kerberos authN on network exposed ...
    (microsoft.public.win2000.security)
  • Re: Closing one window and opening another
    ... successful login' event and wrap that around login in a try/catch ... I think you can use a method, which performs the login, and returns a boolean (means: returns whether the login was successful) ... where an ActionListener listens on ActionEvents. ... return loginSuccessful; ...
    (comp.lang.java.programmer)
  • Re: Profile cannot be loaded
    ... Did you check that your DNS configuration is correct, only your own internal DNS configured and no external? ... some of the users get the errors stated below when they login ... Even after one successful ... network administrator. ...
    (microsoft.public.win2000.general)
  • WebBrowser Control Programming Question
    ... I use the function below to open a new webbrowser and login to the page. ... I'm trying to see if the login is successful and if so i go to the next ... Public Function LoginToIE(ByRef IE As Object, URL As String, UserName As ... String, Password As String, Pause As Long) As Boolean ...
    (microsoft.public.inetsdk.programming.webbrowser_ctl)
  • Re: Account Logon Time Restriction
    ... The logon failures decreased signigicantly but are still there. ... workstation from which the login originates. ... account's likely logged-into workstation, check if ...
    (microsoft.public.win2000.security)