Failure Audits after changing IUSR account (event id 680 and 529)

windylad
Hi,

I created a new IUSR account as per the following article to help prevent any potential security breach.
http://www.microsoft.com/technet/community/columns/insider/iisi1102.mspx
I set a good password and made the account just like the existing account.
Then I went into IIS manager, right-clicked on 'web sites', selected 'Directory Security' and in there I selected my new account as the new account for anonymous access.

Now I have a huge spam of failure audits on this server in my event logs (event id 680 and 529).
What could be causing these? - they are mainly coming from one other server in particular.

Event Type:    Failure Audit
Source:    Security
Event Category:    Logon/Logoff
Event ID:    529

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Domain:            SERVER1
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SERVER2
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.1.214
       Source Port:      3876

Category: Account Logon
Event ID 680
NT AUTHORITY\SYSTEM
COMPUTER: SERVER1

Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      
 Source Workstation:      SERVER2
 Error Code:      0xC0000064


Any help is appreciated.
Thanks in advance
Take a look at this, it seems you want to check if IIS is set to sync the password.

IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password
http://support.microsoft.com/kb/332167/en-us

Author

Commented:
Thanks for the reply.
I thought that using sub-authentication "involves some security risk". The purpose of changing things in the first place was to tighten security, but if you definitely feel it is necessary, I will try it. How do I run IIS in isolation mode, and will it cause any more problems?

One thing to note is that when I restart the IIS admin service, I get a success audit from this server by my new IIS account on the server - would this not suggest that the password side of things on the server is ok?
The source workstation (server2) that is trying to interact with this server seems to have an incorrect password.
All I have is WSUS, Trend OfficeScan and SharePoint on it.

I also have no clue why that server wants to use the one I'm working on - any way of finding out?

I'm fairly new to IIS so just a bit reluctant to try some things out - don't know a lot about metabase manipulation either. Thanks again!
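
To see which source hosts and accounts are behind a burst of 529/680 failure audits like the ones quoted in this thread, the events can be grouped by source workstation, account and decoded error code. The following Python is an added example, not code from the thread; the function names, the plain-text export layout and the HOST-EXAMPLE/svc_example values are assumptions.

```python
import re
from collections import Counter
# Documented NTSTATUS values that event 680 reports in "Error Code".
NTSTATUS = {
    "0xC0000064": "STATUS_NO_SUCH_USER (user name does not exist)",
    "0xC000006A": "STATUS_WRONG_PASSWORD (user name valid, password wrong)",
}
EVENT_ID = re.compile(r"^\s*Event ID:?\s*(\d+)\s*$")  # "Event ID: 529" or "Event ID 680"
FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")       # "Key:   value" lines

def parse_events(text):
    """Start a new record at each 'Event ID' line and collect its fields."""
    events = []
    for line in text.splitlines():
        if m := EVENT_ID.match(line):
            events.append({"Event ID": m.group(1)})
        elif events and (f := FIELD.match(line)):
            events[-1][f.group(1).strip()] = f.group(2)
    return events

def summarize(events):
    """Count failures per (event id, source host, account, decoded reason)."""
    counts = Counter()
    for ev in events:
        host = ev.get("Workstation Name") or ev.get("Source Workstation") or "(blank)"
        user = ev.get("User Name") or ev.get("Logon account") or "(blank)"
        code = ev.get("Error Code", "").upper().replace("0X", "0x")
        reason = NTSTATUS.get(code) or ev.get("Reason") or code or "(none)"
        counts[(ev["Event ID"], host, user, reason)] += 1
    return counts

# Constructed sample in the page's event layout; HOST-EXAMPLE/svc_example are made up.
SAMPLE = """\
Event ID:    529
       Reason:            Unknown user name or bad password
       User Name:
       Workstation Name:      SERVER2
Event ID 680
 Logon account:
 Source Workstation:      SERVER2
 Error Code:      0xC0000064
Event ID 680
 Logon account:      svc_example
 Source Workstation:      HOST-EXAMPLE
 Error Code:      0xC000006A
"""

if __name__ == "__main__":
    print(*summarize(parse_events(SAMPLE)).most_common(), sep="\n")
```

A blank account name is reported as "(blank)" rather than dropped, so rows where the caller sent no user name stay visible in the tally.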

Author

Commented:
Also, even browsing other computers in Explorer from another workstation or even logging onto computers via remote desktop is now causing many security failures in the logs on the server with IIS on it - what could be causing this?

Author

Commented:
Ok, I've put everything back to the way it was (with the old account), using this link and no spam yet:
http://blogs.msdn.com/jiruss/archive/2006/05/24/iusr-account-password-out-of-sync-help-owa-is-not-working.aspx

If anyone has any idea why I saw what I did in my previous post, please let me know.
PAQed with points refunded (500)

Computer101
EE Admin
