kserritt
asked on
MSFTPSVC System Event Error
Inside the event log for our server I am getting the following "System Error":
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/5/2007
Time: 7:27:24 PM
User: N/A
Computer: ASEMAIL
Description:
The server was unable to logon the Windows NT account 'vipafw' due to the following error: Logon failure: account currently disabled. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 00 00 3...
I had a server that went down yesterday evening. I don't see anything in the application or any of the other event logs. But the above started yesterday and continued for several hours and occured every couple seconds. Is this from someone trying to log into our FTP site? Could this cause the server to crash? Any ideas on how I can keep this from happening?
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 12/5/2007
Time: 7:27:24 PM
User: N/A
Computer: ASEMAIL
Description:
The server was unable to logon the Windows NT account 'vipafw' due to the following error: Logon failure: account currently disabled. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 00 00 3...
I had a server that went down yesterday evening. I don't see anything in the application or any of the other event logs. But the above started yesterday and continued for several hours and occured every couple seconds. Is this from someone trying to log into our FTP site? Could this cause the server to crash? Any ideas on how I can keep this from happening?
ASKER
There are only a few failure audits under the security event while there are several hundred warnings under system event. The failure audit is:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/5/2007
Time: 7:27:24 PM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon Failure:
Reason: Account currently disabled
User Name: vipafw
Domain: ASE
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Workstation Name: ASEMAIL
Caller User Name: ASEMAIL$
Caller Domain: ASE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1800
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So how do I keep this type of thing from happening? Do you think this would crash the server?
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/5/2007
Time: 7:27:24 PM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon Failure:
Reason: Account currently disabled
User Name: vipafw
Domain: ASE
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: ASEMAIL
Caller User Name: ASEMAIL$
Caller Domain: ASE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1800
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So how do I keep this type of thing from happening? Do you think this would crash the server?
Event ID 531 is telling you that too many attempts were made and it is shutting down the services. Event 100 is basically saying the same thing.
I am assuming ASEMAIL is your mail computer. Do you know who vipafw is, because your mail server is trying to contact that user using the system's credentials, not a specified FTP set of credentials? Why this is knocking down FTP has yet to be determined.
Maybe you are using FTP to transport your mail from one site to another.
I am assuming ASEMAIL is your mail computer. Do you know who vipafw is, because your mail server is trying to contact that user using the system's credentials, not a specified FTP set of credentials? Why this is knocking down FTP has yet to be determined.
Maybe you are using FTP to transport your mail from one site to another.
ASKER
The vipafw user was a client we had a user set up for to access our FTP site. That account has been disabled.
Was the mail account for vipafw removed or disabled, because it sounds like your mail server is trying to connect to vipafw by using FTP?
ASKER
To my knowledge the vipafw user never had a mailbox it was just a user account added to AD so the client could access our FTP site. I wasn't around when the user was added so not positive about it never having a mailbox but when I go to Exchange System Manager there is no mailbox there for the user enabled or disabled.
ASKER
Ok going back in the Security Log further there are more failure audits for earlier in the day yesterday. They are occuring about every 3 to 5 seconds beginning at 8:00 in the morning. The 2 errors are:
First Error:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/5/2007
Time: 8:02:03 AM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Logon account: Administrator
Source Workstation: ASEMAIL
Error Code: 0xC000006A
Second Error:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/5/2007
Time: 8:02:03 AM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: ASE
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Workstation Name: ASEMAIL
Caller User Name: ASEMAIL$
Caller Domain: ASE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1800
Transited Services: -
Source Network Address: -
Source Port: -
That is the 2 errors that just repeat every few seconds for 4 hours or so.
First Error:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/5/2007
Time: 8:02:03 AM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: Administrator
Source Workstation: ASEMAIL
Error Code: 0xC000006A
Second Error:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/5/2007
Time: 8:02:03 AM
User: NT AUTHORITY\SYSTEM
Computer: ASEMAIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: ASE
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name: ASEMAIL
Caller User Name: ASEMAIL$
Caller Domain: ASE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1800
Transited Services: -
Source Network Address: -
Source Port: -
That is the 2 errors that just repeat every few seconds for 4 hours or so.
Check your FTP log files.
They are usually placed in %windir%\system32\logfiles \msftpsvc1
Checking them may provide more insight. Check out the times when the FTP service is failing and see if we can narrow it down.
I don't know if you are familiar with event ID's web site. You can look up solutions to many event IDs. Here is an example.
http://www.eventid.net/display.asp?eventid=100&eventno=489&source=MSFTPSVC&phase=1
For now, try disabling Netbios over TCP/IP and re-enabling it.
They are usually placed in %windir%\system32\logfiles
Checking them may provide more insight. Check out the times when the FTP service is failing and see if we can narrow it down.
I don't know if you are familiar with event ID's web site. You can look up solutions to many event IDs. Here is an example.
http://www.eventid.net/display.asp?eventid=100&eventno=489&source=MSFTPSVC&phase=1
For now, try disabling Netbios over TCP/IP and re-enabling it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
On your FTP machine, you should see security event, in event viewer, related to this failure to logon.