lancesaville asked:

Failure Audits in Security Log for service account user.

Each day in my SBS2003 report, I see two errors that I can't seem to find the fix for. I originally thought some service on the DC needed the service user's password updated, but everything appears in order and I'm still getting these two errors each day from the DC. They happen back to back at the same time, usually up to 20 occurrences each day. Oh, and to bypass the advapi virus posts that will come: this machine is virus-free according to the installed Symantec software (10.2 Corp) and TrendMicro/BitDefender online scans. The advapi process listed below is NOT an advapi.exe virus, it's the IIS process. Just in case that comes up in anyone's mind :)

The first event is:
---------------------------------------------------------------------------------------------------------------------------
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      serviceacct
 Source Workstation:      OURSBS2003DC
 Error Code:      0xC000006A
----------------------------------------------------------------------------------------------------------------------------
The second event, from same exact time is:
----------------------------------------------------------------------------------------------------------------------------
Reason:      Unknown user name or bad password
User Name:      serviceacct
Domain:       
Logon Type:      3
Logon Process:      Advapi
Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:      OURSBS2003DC
Caller User Name:      OURSBS2003DC$
Caller Domain:      SBS
Caller Logon ID:      (0x0,0x3E7)
Caller Process ID:      2084
Transited Services:      -
Source Network Address:      -
Source Port:      -
---------------------------------------------------------------------------------------------------------------------------
Brian Pierce

It would seem that the service (or scheduled task) is attempting to use a username/password that has been changed. You should create a dedicated account for the service, set both account and password to "does not expire", and use that. Don't use active user accounts with services (or scheduled tasks).
lancesaville (ASKER)

This account is a service acct and that's all it does. Its password does not expire. Is there any way, looking at the codes provided, to tell what service or sched task is trying to run? I checked everything in services and sched tasks before posting and they all contain the service user's acct, and no sched tasks fail to run each day and no services fail to start each day.
I'm not so sure it's a service/task with a bad password.  Service logons show up as logon type 5, and scheduled tasks are type 4, but this one's a type 3, which is a network logon.  The 0xC000006A error code does signify a valid user name with a bad password, so that much is correct, but I don't think a misconfigured service or task is to blame.  Has this account been used for anything else, like mapping drives?
Oh, hey, I just noticed that a process ID of 2084 is given in the error.  Run the "tasklist" command at a command prompt, and this will give you a list of the running processes on the system.  Find the one with PID 2084, and you're that much closer to fixing it.
Running tasklist leads to IIS, which also encompasses the advapi error. We have OWA and RDP enabled for external access; could this be someone (a cracker, or perhaps someone who used to work here?) trying to log in to OWA with the service acct? Please advise.
Oh, and no, DrDave, the account was specifically created a while back to handle service authentication; it has no other duties and is not a 'used on a daily basis' user acct.
ASKER CERTIFIED SOLUTION
DrDave242

Nothing in my logs matches up to the same exact time as ANY of the events. Some are within the same hour, but they are just users logging in and checking their mail. No mention of the service acct in question. Any other thoughts, guys?
I did see on 2 occasions an entry within 1 minute of one of the errors, listed as

OPTIONS /  - 80 - 10.0.0.33 (an internal workstation) Microsoft-webdav-miniredir/5.1.2600 200 0 0 261 143

I looked back and this seems to be going on within a minute or two of the failure audits. I don't know a THING about WebDAV, so does anyone know if this would have ANYTHING to do with the errors I'm getting? Thanks, guys.
UPDATE: we do not use WebDAV for anything on our DC or web server.
Do all of those OPTIONS entries in the log that seem to correspond to the failure audits have that same IP address (10.0.0.33) in them?  That entry in the log is apparently generated by a connection from an XP Pro client to a shared drive.  Is there a PROPFIND entry (with the same address) after the OPTIONS entry?  If so, it should name the share that's being accessed.  You can then check that client to see if it's got a persistent mapping to the share in question.

Most of this information I'm getting from here:
http://www.wsus.info/forums/lofiversion/index.php?t1354.html
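The correlation DrDave242 describes above (match each failure audit's timestamp against the W3SVC log, look for OPTIONS/PROPFIND pairs from the WebDAV mini-redirector, and read the share off the PROPFIND) is a mechanical job once you have more than a handful of audits. The script below is an added example for this thread, not code from the original posts: it parses IIS W3C extended log lines using the `#Fields:` header, finds every log row within a window of each audit time, and tallies which client IP keeps appearing next to the audits and which URI it PROPFINDs. The log lines, times and IP addresses are constructed for illustration. One caveat that bites in practice: IIS writes W3C log timestamps in UTC, while the Security log displays local time, so convert the audit times to UTC before comparing (the sample audit times are already UTC).

```python
"""Correlate Security-log failure audits with IIS W3SVC log entries.

Added example for this thread (not the original poster's data). The log text,
audit times and addresses below are constructed to resemble what an IIS 6 /
SBS 2003 box would write; the field layout is the real W3C extended format.
"""
from datetime import datetime, timedelta, timezone

# Constructed W3SVC log. IIS 6 W3C logs are in UTC and replace spaces in the
# user agent with '+'. The #Fields: header tells us the column order.
W3SVC_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-10 13:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2008-03-10 13:02:10 GET /exchange/ - 80 SBS\\jsmith 10.0.0.21 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0 1984 412
2008-03-10 13:14:32 OPTIONS / - 80 - 10.0.0.33 Microsoft-webdav-miniredir/5.1.2600 200 0 0 261 143
2008-03-10 13:14:33 PROPFIND /public - 80 - 10.0.0.33 Microsoft-webdav-miniredir/5.1.2600 401 1 1326 1656 213
2008-03-10 13:40:01 OPTIONS / - 80 - 10.0.0.33 Microsoft-webdav-miniredir/5.1.2600 200 0 0 261 143
2008-03-10 13:40:02 PROPFIND /public - 80 - 10.0.0.33 Microsoft-webdav-miniredir/5.1.2600 401 1 1326 1656 213
2008-03-10 14:05:55 GET /exchange/ - 80 SBS\\mjones 10.0.0.40 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0 1984 412
"""

# Constructed: UTC times of the paired failure audits for the service account,
# as read off the Security log and converted from local time to UTC.
FAILURE_AUDITS = [
    datetime(2008, 3, 10, 13, 14, 33, tzinfo=timezone.utc),
    datetime(2008, 3, 10, 13, 40, 2, tzinfo=timezone.utc),
]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no rows
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of guessing column positions
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(
            row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def correlate(rows, audit_times, window=timedelta(seconds=90)):
    """Map each audit time to the log rows that fall within +/- window of it."""
    return {t: [r for r in rows if abs(r["ts"] - t) <= window] for t in audit_times}


def suspects(hits):
    """Per client IP: how many distinct audits it sits next to, the user agents
    it used, and the URIs it PROPFINDed (the share/vdir being mounted)."""
    per_ip = {}
    for rows in hits.values():
        seen_this_audit = set()
        for r in rows:
            ip = r["c-ip"]
            entry = per_ip.setdefault(ip, {"audits": 0, "agents": set(), "targets": set()})
            if ip not in seen_this_audit:
                entry["audits"] += 1
                seen_this_audit.add(ip)
            entry["agents"].add(r["cs(User-Agent)"])
            if r["cs-method"] == "PROPFIND":
                entry["targets"].add(r["cs-uri-stem"])
    return per_ip


if __name__ == "__main__":
    result = suspects(correlate(parse_w3c(W3SVC_LOG), FAILURE_AUDITS))
    for ip, info in sorted(result.items(), key=lambda kv: -kv[1]["audits"]):
        print(ip, "next to", info["audits"], "audit(s);",
              "PROPFIND targets:", sorted(info["targets"]) or "-",
              "; agents:", sorted(info["agents"]))
```

Running it against the constructed sample names 10.0.0.33 as the only client that shows up beside both audits, identified by the `Microsoft-webdav-miniredir` user agent and a PROPFIND of `/public`; that is the workstation whose stored credential or persistent mapping to check. On a real box, read the W3SVC log from `%SystemRoot%\System32\LogFiles\W3SVC1\` and feed all of the day's failure audit times in, since one-off coincidences drop out once you look for the IP that repeats across many audits.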
Before I went home Friday, I removed ALL the old user accts from, and cleaned up, the workstation in question (.33), and here we are Monday morning with no errors :) The w3svc logs did the trick and led me to the problem, so DrDave242 will get the accepted solution. THANKS GUYS!
Thanks for your help doc :)