MitchV85
asked on
Event 680; Error code 0xC0000064; Failed Logon
I am currently encountering an issue on a Windows Server 2003, Standard Edition, SP2 server that is running an FTP site in IIS. The Security log on this server is logging multiple Account Logon failure audits for two accounts. There is no set time interval for the occurance of these failed logon attempts, but they do occur approximately 65 times each day. The contents of the event log entry have been listed below:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/4/2009
Time: 12:40:49 PM
User: NT AUTHORITY\SYSTEM
Computer: Server1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: BobUser
Source Workstation: Server1
Error Code: 0xC0000064
It is my understanding that the 0xC0000064 error code indicates that an account does not exist, however I have confirmed this account's existence in Active Directory. The account is not disabled and is not locked out.
Also, each time before this 680 event is logged, the following event occurs indicating a successful logon of the account in question:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 2/4/2009
Time: 3:50:57 AM
User: Domain1\BobUser
Computer: Server1
Description:
Special privileges assigned to new logon:
User Name: BobUser
Domain: Domain1
Logon ID: (0x0,0x2BFF8836)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivil
SeImpersonatePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivile
SeLoadDriverPrivilege
SeSecurityPrivilege
Thank you in advance to anyone who can provide some insight into this issue as I am currently stumped.
-Mitch
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/4/2009
Time: 12:40:49 PM
User: NT AUTHORITY\SYSTEM
Computer: Server1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: BobUser
Source Workstation: Server1
Error Code: 0xC0000064
It is my understanding that the 0xC0000064 error code indicates that an account does not exist, however I have confirmed this account's existence in Active Directory. The account is not disabled and is not locked out.
Also, each time before this 680 event is logged, the following event occurs indicating a successful logon of the account in question:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 2/4/2009
Time: 3:50:57 AM
User: Domain1\BobUser
Computer: Server1
Description:
Special privileges assigned to new logon:
User Name: BobUser
Domain: Domain1
Logon ID: (0x0,0x2BFF8836)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivil
SeImpersonatePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivile
SeLoadDriverPrivilege
SeSecurityPrivilege
Thank you in advance to anyone who can provide some insight into this issue as I am currently stumped.
-Mitch
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the response Servoadmin.
1 and 3. As a follow up, I notice that I did not clarify that this account is not a user's account. It is an account that is being used as a service account on this server. Because of this I cannot determine if it is trying to connect to the FTP site or authenticate to the domain when these failures are logged.
2. The password is strong and fulfills the requirements of the GP.
The MSKB article link that you have provided is the exact one I'm looking at now :) I'm really stumped on this one.
Thanks again for the response. Let me know if you need any additional information.
-Mitch
1 and 3. As a follow up, I notice that I did not clarify that this account is not a user's account. It is an account that is being used as a service account on this server. Because of this I cannot determine if it is trying to connect to the FTP site or authenticate to the domain when these failures are logged.
2. The password is strong and fulfills the requirements of the GP.
The MSKB article link that you have provided is the exact one I'm looking at now :) I'm really stumped on this one.
Thanks again for the response. Let me know if you need any additional information.
-Mitch
ASKER
Can anyone else provide any insight on this?
password changed but some applications are still trying to use the old password
2. Is the user PWD strong and fullfils the GP... Else make it Strong with alphabets and numerics.
3. Does he sucessfully logs in and access files in FTP account or his login fails compltly.. ?
JFR -->
https://www.experts-exchange.com/questions/22791294/Security-Event-Log-Error-680-constantly-appearing.html