Solved

Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin

Posted on 2008-06-16
3
1,028 Views
Last Modified: 2013-12-04
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            DOMAIN ADMIN
       Domain:            OUR DOMAIN
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DC SERVER NAME
       Caller User Name:      DOMAIN ADMIN
       Caller Domain:      OUR DOMAIN
       Caller Logon ID:      (0x0,0x2471B)
       Caller Process ID:      2748
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.

I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).

Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.
0
Comment
Question by:BigZWillis
  • 2
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 21798223
What is the process with PID 2748?
0
 

Author Comment

by:BigZWillis
ID: 21798397
We are on the right track. Good catch... I didn't notice that until I pasted the full error. Anyway, it's the Reporting Services Service. So has to do with SQL. I've configured reporting services with the correct username and password. I just double checked the service and in the report services configuration too. However, when I stop the service the event does stop logging... I need reporting services. Any suggestions? Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21798481
Thanks :) Glad I was able to help a bit. Did you get the problem solved?
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now