windylad

Failure Audits after changing IUSR account (event id 680 and 529)

Hi,

I created a new IUSR account as per the following article to help prevent any potential security breach.
http://www.microsoft.com/technet/community/columns/insider/iisi1102.mspx
I set a good password and made the account just like the existing account.
Then I went into IIS Manager, right-clicked on 'Web Sites', selected 'Directory Security' and in there I selected my new account as the new account for anonymous access.

Now I have a huge spam of failure audits on this server in my event logs (event id 680 and 529).
What could be causing these? - they are mainly coming from one other server in particular.

Event Type:    Failure Audit
Source:    Security
Event Category:    Logon/Logoff
Event ID:    529

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Domain:            SERVER1
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SERVER2
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.214
       Source Port:      3876

Category: Account Logon
Event ID 680
NT AUTHORITY\SYSTEM
COMPUTER: SERVER1

Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      
 Source Workstation:      SERVER2
 Error Code:      0xC0000064


Any help is appreciated.
Thanks in advance
Microsoft IIS Web Server, Windows Server 2003
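
An added example, not part of the thread: it parses exported text of events 529 and 680 in the field layout quoted in the question and counts failures per source host, account and reason, decoding the 680 error code (0xC0000064 is STATUS_NO_SUCH_USER, 0xC000006A is STATUS_WRONG_PASSWORD). The sample records, the names SERVER3 and IUSR_NEW, and the function names are constructed for illustration.

```python
import re
from collections import Counter
# NTSTATUS values as logged in the event 680 "Error Code" field.
NTSTATUS = {"0xc0000064": "STATUS_NO_SUCH_USER",
            "0xc000006a": "STATUS_WRONG_PASSWORD"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
# Per-event field names holding (source host, account name).
FIELDS = {"529": ("Workstation Name", "User Name"),
          "680": ("Source Workstation", "Logon account")}

# Constructed sample records; SERVER3 and IUSR_NEW are made-up values.
SAMPLE = """Event ID: 529
User Name:
Logon Type: 3
Workstation Name: SERVER2
Event ID 680
Logon account:
Source Workstation: SERVER2
Error Code: 0xC0000064
Event ID 680
Logon account: IUSR_NEW
Source Workstation: SERVER3
Error Code: 0xC000006A
"""

def parse_events(text):
    """Start a record at each 'Event ID' line; collect 'key: value' lines."""
    events = []
    for line in text.splitlines():
        if m := re.match(r"\s*Event ID\s*:?\s*(\d+)\s*$", line):
            events.append({"Event ID": m.group(1)})
        elif events and ":" in line:
            key, _, value = line.partition(":")
            events[-1][key.strip()] = value.strip()
    return events

def triage(events):
    """Count failures per (source host, account, reason)."""
    counts = Counter()
    for ev in events:
        code = ev.get("Error Code", "").lower()
        # Skip unrelated events; a 680 with code 0x0 is a success audit.
        if ev["Event ID"] not in FIELDS or code == "0x0":
            continue
        host_key, user_key = FIELDS[ev["Event ID"]]
        # 529 carries no error code, so fall back to its logon type.
        reason = (NTSTATUS.get(code, code)
                  or "logon type " + LOGON_TYPES.get(ev.get("Logon Type"), "?"))
        counts[(ev.get(host_key, "?"), ev.get(user_key) or "<blank>", reason)] += 1
    return counts
```

Sorting the result of `triage(parse_events(text))` by count shows which host and which account name (including a blank one) account for most of the failure audits.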

8/22/2022 - Mon
markpalinux

Take a look at this, it seems you want to check if IIS is set to sync the password.

IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password
http://support.microsoft.com/kb/332167/en-us
windylad

ASKER
Thanks for the reply.
I thought that using sub-authentication "involves some security risk". The purpose of changing things in the first place was to tighten security, but if you definitely feel it is necessary, I will try it. How do I run IIS in isolation mode, and will it cause any more problems?

One thing to note is that when I restart the IIS admin service, I get a success audit from this server by my new IIS account on the server - would this not suggest that the password side of things on the server is ok?
The source workstation (server2) that is trying to interact with this server seems to have an incorrect password.
All I have is WSUS, Trend OfficeScan and SharePoint on it.

I also have no clue why that server wants to use the one I'm working on - any way of finding out?

I'm fairly new to IIS so just a bit reluctant to try some things out - don't know a lot about metabase manipulation either. Thanks again!
windylad

ASKER
Also, even browsing other computers in Explorer from another workstation or even logging onto computers via Remote Desktop is now causing many security failures in the logs on the server with IIS on it - what could be causing this?
windylad

ASKER
OK, I've put everything back to the way it was (with the old account), using this link and no spam yet:
http://blogs.msdn.com/jiruss/archive/2006/05/24/iusr-account-password-out-of-sync-help-owa-is-not-working.aspx

If anyone has any idea why I saw what I did in my previous post, please let me know.
ASKER CERTIFIED SOLUTION
Computer101

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.