Solved

Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin

Posted on 2008-06-16
3
1,041 Views
Last Modified: 2013-12-04
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            DOMAIN ADMIN
       Domain:            OUR DOMAIN
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DC SERVER NAME
       Caller User Name:      DOMAIN ADMIN
       Caller Domain:      OUR DOMAIN
       Caller Logon ID:      (0x0,0x2471B)
       Caller Process ID:      2748
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.

I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).

Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.
0
Comment
Question by:BigZWillis
  • 2
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 21798223
What is the process with PID 2748?
0
 

Author Comment

by:BigZWillis
ID: 21798397
We are on the right track. Good catch... I didn't notice that until I pasted the full error. Anyway, it's the Reporting Services Service. So has to do with SQL. I've configured reporting services with the correct username and password. I just double checked the service and in the report services configuration too. However, when I stop the service the event does stop logging... I need reporting services. Any suggestions? Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21798481
Thanks :) Glad I was able to help a bit. Did you get the problem solved?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question