Re: Failure Audit - Logon/Logoff - Event ID 529
- From: "Anthony [MVP]" <anthony@xxxxxxxxxxxx>
- Date: Wed, 28 Jan 2009 16:03:45 -0000
Hi Sam,
Not sure what your question is.
The workstation has that name. If you don't recognise it, then it is not one of yours. Or possibly it is a new workstation or VM being built with a default name like that.
Anthony
http://www.airdesk.com
"SamD" <SamdWithNoEmail.com> wrote in message news:eGAn2W3eJHA.3904@xxxxxxxxxxxxxxxxxxxxxxx
Hi Anthony,
Thank you very much for your response. It was very informative.
I should apologize for replacing the private IP address 130.xxx. with 321.xxx. Those IP addresses are from inside the intranet.
I thought if those failed attempts were for failed "IIS logon" there should be some trace of those IPs in the IIS log. I checked the IIS log and none of those IPs were in the log.
I don't have HTTP logon on that server. Access is restricted by the File System permission and application logon. Should we still expect IIS logon?
If these are from the network, why are the messages this incomplete compared to other failed attempts, which have at least a real machine name?
Thank you again for your help.
Cheers
Sam
"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message news:uUlHjkWeJHA.2096@xxxxxxxxxxxxxxxxxxxxxxx
Sam,
0) Type 3 is a network or IIS logon. This one is over NTLM.
1) It means the client is in a workgroup
2) The client name
3) No user name supplied.
I think the question you should be asking is how a client on a 321.32.xxx.xxx network gets to have access to your intranet IIS.
Anthony,
http://www.airdesk.com
"SamD" <SamdWithNoEmail.com> wrote in message news:ekFaiw5dJHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
My Windows Server 2003 which works as a Web Server inside an intranet shows a growing number of the following Failure Audits.
------------------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/14/2009
Time: 9:32:44 AM
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: WORKGROUP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: lQPxd6fSQgERESGK
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 321.32.321.32
Source Port: 0
------------------------------------------------------------------------------
Source Network Addresses are not from our authorized users.
My Questions:
1) What does "Domain: WORKGROUP" refer to? (this server is in another domain) ("WORKGROUP" is not a usual name in this intranet)
2) What does this meaningless "Workstation Name: lQPxd6fSQgERESGK" refer to? (our computer names have a different name format)
3) Why is the User Name blank?
Any comment and help would be appreciated.
Cheers
Sam
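
Added example, not part of the original posts: a Python triage of an Event ID 529 description that checks the fields discussed in this thread (logon type and package, blank user name, WORKGROUP domain, workstation name, source address). The hostname pattern and the authorized network range are assumptions for illustration; substitute your own.

```python
import ipaddress
import re

# Assumptions for illustration: site naming convention and authorized client range.
HOSTNAME_RE = re.compile(r"^(WS|SRV)-[A-Z0-9]{4,10}$")
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_529(description):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return the observations worth recording for this failed logon."""
    findings = []
    if fields.get("Logon Type") == "3" and fields.get("Authentication Package") == "NTLM":
        findings.append("network logon over NTLM")
    if fields.get("User Name", "") in ("", "-"):
        findings.append("no user name supplied")
    if fields.get("Domain", "").upper() == "WORKGROUP":
        findings.append("client reports a workgroup, not a domain")
    if not HOSTNAME_RE.match(fields.get("Workstation Name", "")):
        findings.append("workstation name outside naming convention")
    try:
        addr = ipaddress.ip_address(fields.get("Source Network Address", ""))
        if not any(addr in net for net in AUTHORIZED_NETS):
            findings.append("source address not in an authorized range")
    except ValueError:
        # Blank, "-", or masked by whoever exported the log (as in the post).
        findings.append("source address missing or masked")
    return findings

# Description fields copied from the event in the post (address masked by the poster).
POSTED_EVENT = """Reason: Unknown user name or bad password
User Name:
Domain: WORKGROUP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: lQPxd6fSQgERESGK
Source Network Address: 321.32.321.32
Source Port: 0"""

if __name__ == "__main__":
    for finding in triage(parse_529(POSTED_EVENT)):
        print(finding)
```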