Event ID 537 - Security/Kerberos on Win 2003 Server

Posted on 2007-10-16
Last Modified: 2008-08-27
I am seeing the following in the Security log of my Windows 2003 server:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      SERVERNAME
       Status code:      0xC000040A
       Substatus code:      0x0
       Caller User Name:      SERVERNAME$
       Caller Domain:      DOMAINNAME
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      840
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

Source: Security, Event ID 537, User: NT AUTHORITY\SYSTEM

I'm not seeing a pattern for when it comes up... sometimes 15 min apart... sometimes only a few milliseconds.
Question by:zephyr_hex
    LVL 4

    Expert Comment

    Status code: 0xC000040A
    Looks like a service locally having problems with authentication (e.g. service running under system credentials?)

    Are you using Diskeeper? Found some hints in a different forum that updating Diskeeper to a newer version and setting the firewall to manual instead of disabled did solve the problem in one case.

    Do you have IIS running on this machine?
    LVL 42

    Author Comment

    I'm not using Diskeeper. I saw the posts in the other forum that pertained to Diskeeper...

    Yes, I do have IIS running on this computer (and WSS 3.0).
    LVL 4

    Expert Comment

    Could you identify the caller process ID (840 in your event example above) in Task Manager (Processes tab) if you add the PID (Process Identifier) to the columns?
    LVL 42

    Author Comment

    I tried adding that column to Task Manager and don't see PID 840. However, this is a terminal server, and so I don't see the PIDs from other sessions.

    Is there a way to dump all PIDs from the cmd line?
    LVL 4

    Accepted Solution

    pslist.exe from the former SYSINTERNALS. Check Resource Kit Tools.

    You could query the process list remotely in a command prompt with a scheduled task, e.g. write this process list into a TXT file every 5 minutes, then, after the process was killed, check your last TXT file to see what process it was.

    pslist \\servername  

    There are also options available for connecting with a different user / password.
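
The lookup described in the accepted solution, as an added example that is not part of the original thread: it reads saved `pslist` listings and names the process that held the event's Caller Process ID in the snapshot closest in time to the event. The snapshot contents, timestamps and process names are constructed placeholders, and the column layout is an assumption about pslist's output.

```python
import re
from datetime import datetime

# One pslist row: process name, then the numeric Pid, Pri and Thd columns.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\d+\s+\d+\s")
CALLER_PID = re.compile(r"Caller Process ID:\s*(\d+)")

def parse_pslist(text):
    """Return {pid: name} from one saved pslist listing."""
    procs, in_table = {}, False
    for line in text.splitlines():
        if re.match(r"Name\s+Pid\b", line):
            in_table = True          # rows start after the column header
            continue
        m = ROW.match(line) if in_table else None
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def resolve(event_text, event_time, snapshots):
    """Name the process behind the event's Caller Process ID.

    PIDs are reused, so take the snapshot closest in time to the event
    among those that contain the PID. Returns (pid, name, snapshot_time)."""
    m = CALLER_PID.search(event_text)
    if not m:
        return None, None, None
    pid, hits = int(m.group(1)), []
    for ts, text in snapshots:
        procs = parse_pslist(text)
        if pid in procs:
            hits.append((abs(ts - event_time), ts, procs[pid]))
    if not hits:
        return pid, None, None       # process exited between snapshots
    _, ts, name = min(hits)
    return pid, name, ts

# Constructed sample data: layout assumed to follow pslist, names are placeholders.
HDR = "Process information for SERVERNAME:\n\nName   Pid Pri Thd  Hnd   Priv   CPU Time   Elapsed Time\n"
SNAPSHOTS = [
    (datetime(2007, 10, 16, 10, 0), HDR + "old_example  840   8  20  300  4000  0:00:01.000  5:19:00.000\n"),
    (datetime(2007, 10, 16, 10, 5), HDR + "svc_example  840   8  12  150  2000  0:00:00.500  0:03:10.000\n"),
    (datetime(2007, 10, 16, 10, 10), HDR + "System         4   8  70  512     0  0:00:44.250  5:30:11.123\n"),
]
EVENT = "Caller User Name: SERVERNAME$\nCaller Process ID:      840\n"

if __name__ == "__main__":
    print(resolve(EVENT, datetime(2007, 10, 16, 10, 6), SNAPSHOTS))
```

A result with no process name means the PID was not present in any snapshot, which points to a process that lives for less than the snapshot interval.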
