Solved

Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin

Posted on 2008-06-16
3
1,040 Views
Last Modified: 2013-12-04
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            DOMAIN ADMIN
       Domain:            OUR DOMAIN
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DC SERVER NAME
       Caller User Name:      DOMAIN ADMIN
       Caller Domain:      OUR DOMAIN
       Caller Logon ID:      (0x0,0x2471B)
       Caller Process ID:      2748
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.

I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).

Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.
0
Comment
Question by:BigZWillis
  • 2
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 21798223
What is the process with PID 2748?
0
 

Author Comment

by:BigZWillis
ID: 21798397
We are on the right track. Good catch... I didn't notice that until I pasted the full error. Anyway, it's the Reporting Services Service. So has to do with SQL. I've configured reporting services with the correct username and password. I just double checked the service and in the report services configuration too. However, when I stop the service the event does stop logging... I need reporting services. Any suggestions? Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21798481
Thanks :) Glad I was able to help a bit. Did you get the problem solved?
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question