Follow-up to Empty 529 Events in Security Log
- From: "Buddy" <bpub@xxxxxxxxxxxxx>
- Date: 27 Jul 2006 09:02:09 -0700
I am getting similar 529 events where only the IP is listed. There
will be about 20 entries in a row with the same IP. Why can't the
kerberos ticket be decrypted? What would cause this to occur? Most
importantly, does this sound like suspicious activity or can I ignore
it?
Please respond to this newsgroup.
1 From: ML - view profile
Date: Thurs, Aug 4 2005 7:01 am
Email: "ML" <linde...@xxxxxxxxxxxxx>
Groups: microsoft.public.windows.server.security
Not yet ratedRating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show
original | Report Abuse | Find messages by this author
Hi!
I'm getting numerous event 529s on a W2K3 SP1 server on our network.
However, all that is shown in the event is the following. So apart from
having an IP there's nothing else. Why are the other fields left blank?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 04/08/2005
Time: 12:45:03
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.243
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Reply Rate this post: Text for clearing space
2 From: Eric Fitzgerald [MSFT] - view profile
Date: Wed, May 17 2006 1:48 pm
Email: "Eric Fitzgerald [MSFT]" <e...@xxxxxxxxxxxxxxxxxxxx>
Groups: microsoft.public.windows.server.security
Not yet ratedRating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show
original | Report Abuse | Find messages by this author
Kerberos logon failure events sometimes show up blank like this, when
the
ticket can't be decrypted (and therefore the machine performing the
logon
can't extract the information needed for the audit event.
Eric
.
- Follow-Ups:
- Re: Follow-up to Empty 529 Events in Security Log
- From: Eric Fitzgerald [MSFT]
- Re: Follow-up to Empty 529 Events in Security Log
- Prev by Date: Administrator Group Share Permissions
- Next by Date: Re: Administrator Group Share Permissions
- Previous by thread: Administrator Group Share Permissions
- Next by thread: Re: Follow-up to Empty 529 Events in Security Log
- Index(es):
