Re: Failure Audit - Logon/Logoff - Event ID 529
- From: "SamD" <SamdWithNoEmail.com>
- Date: Tue, 20 Jan 2009 20:09:35 -0700
Hi Anthony,
Thank you very much for your response. It was very informative.
I should apologize for replacing the private IP address 130.xxx. with
321.xxx. Those IP addresses are from inside the intranet.
I thought if those failed attempts were for failed "IIS logon" there should
be some trace of those IPs in the IIS log. I checked the IIS log and none of
those IPs were in the log.
I don't have HTTP logon on that server. Access is restricted by the File
System permission and application logon. Should we still expect IIS logon?
If these are from the network, why are the messages so incomplete
compared to other failed attempts, which have at least a real machine name?
Thank you again for your help.
Cheers
Sam
"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:uUlHjkWeJHA.2096@xxxxxxxxxxxxxxxxxxxxxxx
Sam,
0) Type 3 is a network or IIS logon. This one is over NTLM
1) It means the client is in a workgroup
2) The client name
3) No user name supplied.
I think the question you should be asking is how a client on a
321.32.xxx.xxx network gets to have access to your intranet IIS.
Anthony,
http://www.airdesk.com
"SamD" <SamdWithNoEmail.com> wrote in message
news:ekFaiw5dJHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
My Windows Server 2003 which works as a Web Server inside an intranet
shows a growing number of the following Failure Audits.
------------------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/14/2009
Time: 9:32:44 AM
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: WORKGROUP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: lQPxd6fSQgERESGK
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 321.32.321.32
Source Port: 0
------------------------------------------------------------------------------
Source Network Addresses are not from our authorized users.
My Questions:
1) What does "Domain: WORKGROUP" refer to? (this server is in another
domain) ("WORKGROUP" is not a usual name in this intranet)
2) What does this meaningless "Workstation Name: lQPxd6fSQgERESGK" refer
to? (our computer names have a different name format)
3) Why is User Name blank?
Any comment and help would be appreciated.
Cheers
Sam