Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3952
  • Last Modified:

Event ID 537 - Security/Kerebos on Win 2003 Server

i am seeing the following in the Security log of my windows 2003 server:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      SERVERNAME
       Status code:      0xC000040A
       Substatus code:      0x0
       Caller User Name:      SERVERNAME$
       Caller Domain:      DOMAINNAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      840
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

source: security, event id 537, user: NT authority/system

i'm not seeing a pattern for when it comes up... sometimes 15min apart....sometimes only a few milliseconds.
zephyr_hex (Megan)
zephyr_hex (Megan)
  • 3
  • 2
1 Solution
Fridolin MansmannMaster of Business Engineering ManagementCommented:
Status code: 0xC000040A
Looks like a service locally having problems with authentication (e.g. service running under system credentials?)

Are you using diskkeeper? Found some hints in a different forum that updating diskkeeper to a newer version and setting firewall to manual instead of disabled did solve th problem in one case.

Do you have IIS running on this machine?
zephyr_hex (Megan)DeveloperAuthor Commented:
i'm not using diskkeeper.  i saw the posts in the other forum that pertained to diskkeeper...

yes, i do have IIS running on this computer (and wss 3.0)
Fridolin MansmannMaster of Business Engineering ManagementCommented:
Could you identify the caller process id (840 in your event example above) in Task Manager (Tab Processes) if you add the PID (Process Identifier) to the colums?
zephyr_hex (Megan)DeveloperAuthor Commented:
i tried adding that column to task manager and don't see pid 840.  however, this is a terminal server, and so i don't see the pids from other sessions.

is there a way to dump all pids from the cmd line?
Fridolin MansmannMaster of Business Engineering ManagementCommented:
pslist.exe from the former SYSINTERNALS. Check Resource Kit Tools.

You could query the process list remotely in a command prompt with a scheduled task (e.g.) write this process list into a TXT file every 5 minutes, then after the process was killed checkout your last txt file what process it was.

pslist \\servername  

There are also options available for connection with a different user / PW

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now