Event ID 680

Can someone tell me what the below event is referring to?? There are thousands of them for each user each day and they happen about 15 secs apart all day. They are all successful, as you can see. I assume they are like heartbeats checking for authenticity, and they happen for all users on the domain.

So what are they????
And how can I stop them / logging them??

Thank you

Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            30/01/2008
Time:            10:57:51
User:            XXdomain\usernameXX
Computer:      XXDCserverXX
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      xxUsernamexx
 Source Workstation:      xxpcnamexx
 Error Code:      0x0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Aaron Street, Technical infrastructure architecture, Asked:

cammj Commented:
Your #1 port of call for event id issues: http://www.eventid.net/display.asp?eventid=680&eventno=2267&source=Security&phase=1

:-D

good luck!
0
cammj Commented:
Sorry: you're wanting this one here: http://www.eventid.net/display.asp?eventid=680&eventno=8&source=Security&phase=1

It's basically just an audit policy on your domain that is auditing successful logons.

You can turn this off in your domain security policy if you wish to do so.
0
michko Commented:
This link has instructions on how to turn off the logon auditing.
You can turn off logging of successful logins, unsuccessful logins, or both.
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=4716

0

cedarghost Commented:

Success or failure is displayed in the message. If this event indicates success, then the credentials presented were valid. The error code is 0x0 for success messages. For failure messages, the user field in the message header displays NT AUTHORITY\SYSTEM, and an NTStatus code is displayed.
If you want to turn it off, type Start / Run / gpedit.msc / OK.

Go to Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policy \ Audit Policy and then double-click Audit logon events and clear the Success and Failure boxes.
Press OK and you are done.
0
michko Commented:
@cedarghost - those exact directions are spelled out in the link I gave.  Please review all information provided in previous posts to avoid posting duplicate information.  
Thank you.
michko
0
cedarghost Commented:
Well no one mentioned that error code 0x0 was a success message so I guess I didn't waste too much cyber-ink.......
0
michko Commented:
No objection to spelling out the success or failure of the login message (although I thought it was fairly obvious as it says Success Audit, a failed login would show Failure Audit), I was pointing out that your information on how to change the auditing was duplicate info.

Just as an FYI, the following is from the guidelines on answering questions:
Read Questions and Previous Posts Before Commenting

Questions often evolve over time. Experts offer possible solutions, the Asker tries them and continues to have problems, so more suggestions are offered and tried. Quite often, the original question wasn't exactly what was intended and the Asker clarifies and restates the problem halfway down the page. It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work.

If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

http://www.experts-exchange.com/help.jsp#hs41
0
Aaron Street, Technical infrastructure architecture, Author Commented:
OK, cool, but why am I getting them so often? Why would a user be authenticating every 15 seconds.. and not just some users.. I mean every user!!!!

0
cedarghost Commented:
Are you running an Exchange server?
0
michko Commented:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=680&EvtSrc=Security&LCID=1033

MS Details on this event.  This event is logged when credentials are passed to the server by either a local process (not your case) or a remote process or user.  Any process that validates back against the server, or accesses the server, should produce this log entry.  So, even though your users have signed on and are authenticated, a (or more than one) process on their workstation is causing this event.  
0
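The event text carries the logon account, source workstation and error code, so a first triage step is to tally which workstation/account pairs produce the volume and at what interval. Added example, not part of any post in this thread: Python that parses Event ID 680 records exported as text in the layout shown in the question (dd/mm/yyyy dates assumed) and summarizes them; `summarize`, the host and account names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# One Event ID 680 record, in the text layout shown in the question.
RECORD = re.compile(
    r"Event ID:\s+680\s.*?Date:\s+(?P<date>\S+)\s+Time:\s+(?P<time>\S+).*?"
    r"Logon account:\s+(?P<account>\S+)\s+Source Workstation:\s+(?P<ws>\S+)\s+"
    r"Error Code:\s+(?P<code>0x[0-9A-Fa-f]+)", re.S)

def summarize(text):
    """Per (workstation, account): event count, failures, median seconds between events."""
    seen = defaultdict(lambda: {"times": [], "failures": 0})
    for m in RECORD.finditer(text):
        entry = seen[(m["ws"].upper(), m["account"].lower())]
        stamp = f"{m['date']} {m['time']}"
        entry["times"].append(datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S"))
        if int(m["code"], 16) != 0:  # 0x0 is success; anything else is an NTSTATUS failure
            entry["failures"] += 1
    report = {}
    for key, entry in seen.items():
        times = sorted(entry["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"count": len(times), "failures": entry["failures"],
                       "median_gap_s": median(gaps) if gaps else None}
    return report

# Constructed sample records (hypothetical names and codes), not taken from a real log.
TEMPLATE = ("Event Type:      {kind} Audit\nEvent ID:      680\n"
            "Date:            30/01/2008\nTime:            {time}\nDescription:\n"
            "Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            " Logon account:      {account}\n Source Workstation:      {ws}\n"
            " Error Code:      {code}\n\n")
ROWS = [("Success", "10:57:51", "user1", "PC01", "0x0"),
        ("Success", "10:58:06", "user1", "PC01", "0x0"),
        ("Success", "10:58:21", "user1", "PC01", "0x0"),
        ("Failure", "10:58:30", "user2", "PC02", "0xC000006A")]
SAMPLE = "".join(TEMPLATE.format(kind=k, time=t, account=a, ws=w, code=c)
                 for k, t, a, w, c in ROWS)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for (ws, account), stats in ranked:
        print(ws, account, stats)
```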
Aaron Street, Technical infrastructure architecture, Author Commented:
Ah yes, we are running Exchange, so that would be one reason...

Is there any way to find out what processes are doing this?

See, now it makes perfect sense. The strange thing is that this doesn't happen on the main site with 1000+ users.. but does at the DC at the remote sites that only have 20-odd users???

I shall have a closer look and get back shortly! But if you have any ideas it would be great to hear them!
0
cedarghost Commented:
You may want to look at which authentication types are allowed through OWA.
0
cedarghost Commented:
Hey DevilWAH, check this out, I think it may help solve your problem:
http://support.microsoft.com/kb/327843/en-us
It is a KB on troubleshooting authentication issues on OWA and Outlook.
0
Aaron Street, Technical infrastructure architecture, Author Commented:
But cedar, this would be a failed audit, surely??

These audit logs are all successful? I do wish the event log would log what process is trying to authenticate!!

Also, we don't use OWA, so this should not be causing the problem..

Any more ideas of tracing it back to the process?

0
Aaron Street, Technical infrastructure architecture, Author Commented:
Hold on.. I may be wrong. But our proxy server (which is actually run by a third party and we don't have access to) authenticates users by whether their user account belongs to a domain security group... Users in this group can access the web. Users not in the group can't use the proxy..

Could it be this proxy server that is using the DC to authenticate users as they try to access the internet? Seeing as a lot of web pages are requested, and I am assuming it would have to check each time a web request is made, would this cause a lot of authentication requests?



0
cedarghost Commented:
I bet you are right if you are not using OWA. And yes if users have to authenticate through the proxy that would cause a lot of requests, but is the proxy a part of your domain? I don't know that logon auditing would be done on a machine that is not on your domain other than in machines that are using local security policies. But I bet it is.
0
Aaron Street, Technical infrastructure architecture, Author Commented:
The only question would be, though, if the requests are coming from the user workstation and not the proxy server??

We have a strange setup here. We sit on a government network and have a trust relation with their domain. So although they are third party and we don't have access to the proxy, their proxy could be sitting in their domain, but as that has a trust relation with ours, they would just add our security group to the proxy policy (I will have to check!!)

What fun IT is, hey!! ;)
0
cedarghost Commented:
No doubt. A neverending journey.
0
Aaron Street, Technical infrastructure architecture, Author Commented:
Thank you both for helping me on this one. It was actually a problem with what we were logging (basically every single thing possible!! as told to us by the contractors who helped us set up AD), so http://www.jsifaq.com/SF/Tips/Tip.aspx?id=4716 was the answer for me.

However, seeing as cedar gave me some other good ideas, it seems only fair you share the points.

Cheers guys
0