Failure Audits after changing ISUR account (event id 680 and 529)

windylad used Ask the Experts™

I created a new IUSR account as per the following article to help prevent any potential security breach.
I set a good password and made the account just like the existing account.
Then i went into IIS manager, right-clicked on 'web sites', selected 'Directory Security' and in there i selected my new account as the new account for anonymous access.

Now i have a huge spam of failure audits on this server in my event logs (event id 680 and 529)
What could be causing these? - they are mainly coming from one other server in particular.

Event Type:    Failure Audit
Source:    Security
Event Category:    Logon/Logoff
Event ID:    529

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Domain:            SERVER1
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SERVER2
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:
       Source Port:      3876

Category: Account Logon
Event ID 680

 Logon account:      
 Source Workstation:      SERVER2
 Error Code:      0xC0000064

Any help is appreciated.
Thanks in advance
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Take a look at this, it seems you want to check if IIS is set to sync the password.

IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password


Thanks for the reply.
I thought that using sub-authentication "involves some security risk", the purpose of changing things in the first place was to tighten security but if you definately feel it is necessary, i will try it. How do i run IIS in isolation mode and will it cause any more problems?

One thing to note is that when i restart the IIS admin service, i get a success audit from this server by my new IIS account on the server - would this not suggest that the password side of things on the server is ok?
The source workstation (server2) that is trying to interact with this server seems to have an incorrect password.
All i have is WSUS, Trend Officescan and sharepoint on it.

I also have no clue why that server wants to use the one i'm working on - any way of finding out?

I'm fairly new to IIS so just a bit reluctlant to try some things out - dont know alot about metabase manipulation either. Thanks again!


also, even browsing other computers in explorer from another workstation or even logging onto computers via remote desktop is now causing many security failures in the logs on the server with IIS on it - what could be causing this?


Ok, i've put everything back to the way it was (with the old account), using this link and no spam yet:

If anyone has any idea why i saw what i did in my previous post, please let me know
PAQed with points refunded (500)

EE Admin

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial