  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 842

Repeated 529 errors in the Security Event Log

In cleaning up the event logs I noticed Failure Audits in the Security Event Log (Event 529) at regular intervals.  5 failed logon attempts in the same instance every 8 hours.  This is a Windows 2003 Server running Exchange Server 2003.  The IP address that is being reported is the 2000 DC running AD.  I am about to sniff the logon attempt at its next interval but I was hoping to avoid the waiting game.  Anyone familiar with system services or processes that attempt to run every 8 hours by default, or any other ideas?

     Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.28.242
       Source Port:      0


0
MarkWThompson
Asked:
 
The_IT_Garage Commented:
Sounds like the server at IP 192.168.28.242 might be running a service under a domain account and the password is invalid (it might have changed but the services on the server weren't updated). Check the running services on 192.168.28.242 and look at the "log on as" field.
0
 
Tim Holman Commented:
This article is quite informative:

http://support.microsoft.com/?id=326985

Hop onto 192.168.28.242 and verify the event log - must be something in here telling you which process failed due to an incorrect logon?
0
 
MarkWThompson (Author) Commented:
Thought the same thing but can't find anything
0
 
MarkWThompson (Author) Commented:
Everything on both servers is Local System or Network System.  Can't seem to find any leader information that will start the chain reaction.
0
 
Tim Holman Commented:
Do you have native support enabled on the W2K machine?  Maybe you have some NTLM authentication trying to sneak in?
An Ethereal trace would help out here to help diagnose the source traffic.
0
 
MarkWThompson (Author) Commented:
Yeah, I'm mad at Ethereal right now.  I started the trace and the error produced itself 3 minutes after I closed it up.  I have to wait 16 more hours unless I want to xshoot at 3AM!!! Grrrr!  Yes, it is set for Native support, and yes, I did find that it is most likely Kerberos; however, I will not be able to start the Kerberos Key Distribution Service on this server because it is not a DC for AD.  The DC attempting the contact is an AD DC but for replication purposes the contacted server is not.  Any more ideas?
0
 
The_IT_Garage Commented:
Do the 529 errors go back to the beginning of the log? Probably so, but it'd be interesting to know if things were fine before some round of patching. Do you save the logs before deleting them? (read: do you have old security logs?).

Any services set to automatic on 192.168.28.242 that aren't running? Does 192.168.28.242 do anything other than handle login requests? WSUS or Dell OpenManage or something similar?
0
 
MarkWThompson (Author) Commented:
OK, I just had a brain fart!  I gave you wrong facts.  The AD DC is 2k and running in mixed mode (this is the 3034 error PC) because we have a 2003 server (the one with the 529 errors) running on the network also.  Now that I have that straight, the logs were cleared on 5/12 and they do go back to then.
0
 
Tim Holman Commented:
Look in your scheduler tasks.  If not, probably some form of replication attempt.  Is the 2003 server running in mixed mode too?
0
 
MarkWThompson (Author) Commented:
Thanks guys!  Just got another issue more important than this one.  Thanks for your help!
0
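An added example, not part of the original thread: instead of waiting for the next occurrence, the pattern described in the question (bursts of Event 529 failures from one source address at a fixed interval) can be confirmed from an exported copy of the Security log. The "Time:" line layout, the function names, the timestamps and the second address 192.168.28.50 are assumptions made for this sketch; the description fields follow the record shown in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export layout (not from the page): a "Time:" line per record, then the
# Event 529 description fields in the form the question shows.
RECORD = re.compile(
    r"Time:\s*(?P<ts>[\d-]+ [\d:]+).*?Source Network Address:\s*(?P<src>\S+)", re.S)

def parse_529(text):
    """Yield (timestamp, source_address) for each failure record."""
    for m in RECORD.finditer(text):
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]

def bursts(times, window=timedelta(seconds=60)):
    """Collapse failures within `window` of a burst's start into [start, count]."""
    out = []
    for t in sorted(times):
        if out and t - out[-1][0] <= window:
            out[-1][1] += 1
        else:
            out.append([t, 1])
    return out

def periodic_sources(text, tolerance=timedelta(minutes=5)):
    """Map source -> (interval, burst sizes) where bursts recur at a steady interval."""
    by_src = defaultdict(list)
    for ts, src in parse_529(text):
        by_src[src].append(ts)
    found = {}
    for src, times in by_src.items():
        b = bursts(times)
        gaps = [y[0] - x[0] for x, y in zip(b, b[1:])]
        # Require two or more gaps, all close to the first, before calling it a schedule.
        if len(gaps) >= 2 and all(abs(g - gaps[0]) <= tolerance for g in gaps):
            found[src] = (gaps[0], [n for _, n in b])
    return found

def make_sample():
    """Constructed log: 5 failures every 8 hours from one host, plus one stray."""
    rec = ("Time: {t}\nLogon Failure:\n  Reason: Unknown user name or bad password\n"
           "  Logon Type: 3\n  Logon Process: Kerberos\n"
           "  Source Network Address: {src}\n  Source Port: 0\n\n")
    start = datetime(2006, 5, 13, 3, 0, 0)
    out = [rec.format(t=start + timedelta(hours=8 * i, seconds=s), src="192.168.28.242")
           for i in range(4) for s in range(5)]
    out.append(rec.format(t=start + timedelta(hours=5), src="192.168.28.50"))
    return "".join(out)
```

A steady interval with a constant burst size points to a scheduled or automated source rather than a person typing a password, and the reported interval tells you when to have the packet capture running.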
