zephyr_hex (Megan)
asked on
Event ID 537 - Security/Kerberos on Win 2003 Server
I am seeing the following in the Security log of my Windows 2003 server:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: SERVERNAME
Status code: 0xC000040A
Substatus code: 0x0
Caller User Name: SERVERNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 840
Transited Services: -
Source Network Address: -
Source Port: -
source: security, event id 537, user: NT authority/system
I'm not seeing a pattern for when it comes up... sometimes 15 min apart... sometimes only a few milliseconds.
ASKER
I'm not using Diskeeper. I saw the posts in the other forum that pertained to Diskeeper...
Yes, I do have IIS running on this computer (and WSS 3.0).
Could you identify the caller process ID (840 in your event example above) in Task Manager (Processes tab) if you add the PID (Process Identifier) to the columns?
ASKER
I tried adding that column to Task Manager and don't see PID 840. However, this is a terminal server, and so I don't see the PIDs from other sessions.
Is there a way to dump all PIDs from the cmd line?
Relates to STATUS_NO_S4U_PROT_SUPPORT.
Looks like a local service having problems with authentication (e.g. a service running under system credentials?)
Are you using Diskeeper? Found some hints in a different forum that updating Diskeeper to a newer version and setting the firewall to manual instead of disabled did solve the problem in one case.
Do you have IIS running on this machine?
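
One way to tie the Caller Process ID in these events to a running process, as an added example that is not part of the original thread: it parses pasted event 537 text and joins the caller PIDs against the CSV output of `tasklist /svc /fo csv`, which lists processes from all sessions. The function names, the process and service names, PID 1234 and its status code are constructed sample values.

```python
import csv, io, re
from collections import Counter

# Status code from the event in the question; name as given in the reply above.
NTSTATUS = {0xC000040A: "STATUS_NO_S4U_PROT_SUPPORT"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_537(text):
    """Split pasted event text into one dict per 'Logon Failure:' record."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Logon Failure":
            cur = {}
            events.append(cur)
        elif cur is not None:
            cur[key] = val
    return events

def load_tasklist(csv_text):
    """Map PID -> (image, services) from `tasklist /svc /fo csv` output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["PID"]: (r["Image Name"], r["Services"]) for r in rows}

def failures_by_process(events, procs):
    """Count failures per (status, caller PID, image, services)."""
    tally = Counter()
    for e in events:
        code = int(e.get("Status code", "0x0"), 16)
        pid = e.get("Caller Process ID", "?")
        image, services = procs.get(pid, ("<not in tasklist>", ""))
        tally[(NTSTATUS.get(code, hex(code)), pid, image, services)] += 1
    return tally

# Constructed sample input (not real output from the asker's server).
SAMPLE_TASKLIST = ('"Image Name","PID","Services"\n'
                   '"example-svc.exe","840","ExampleService"\n')
REC = ("Logon Failure:\nUser Name:\nLogon Process: Authz\n"
       "Status code: {}\nCaller Process ID: {}\n")
SAMPLE_EVENTS = REC.format("0xC000040A", "840") * 2 + REC.format("0xC000006D", "1234")

if __name__ == "__main__":
    procs = load_tasklist(SAMPLE_TASKLIST)
    for key, n in failures_by_process(parse_537(SAMPLE_EVENTS), procs).most_common():
        print(n, key)
```

A caller PID that shows as `<not in tasklist>` belonged to a process that had exited by the time the process list was captured, so capture the list close to the time of the events.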