Solved

Every 5 seconds I see a Failure Audit 529 - Logon type 2 - Logon process advapi - User account is my domain admin

Posted on 2008-06-16
3
1,043 Views
Last Modified: 2013-12-04
I have a Windows 2003 domain controller with all MS updates installed. It's running SQL, IIS, and of course all DC functions. Every 5 seconds in my security log I get a Failure Audit 529. See below:

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            DOMAIN ADMIN
       Domain:            OUR DOMAIN
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DC SERVER NAME
       Caller User Name:      DOMAIN ADMIN
       Caller Domain:      OUR DOMAIN
       Caller Logon ID:      (0x0,0x2471B)
       Caller Process ID:      2748
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

I have searched and searched for a solution. I've heard it could be IIS, a virus, a hacker... None of those seem to lead me anywhere. The fact that it's happening exactly every 5 seconds makes me think it's a process.

I've stopped all IIS services to see if was that and I still get the event every 5 seconds. I've done complete virus scans and found nothing. I've checked all tasks running on the computer and they have the correct login info and don't run every 5 seconds. I've also looked at all services that use the domain admin account and all are started and running (so the passwords are correct).

Any ideas? I've seen the MS KB articles, I've seen the other experts-exchange articles, I've seen the articles on other sites from a google search... I post here when I've tried everything else. Thanks for your help.
0
Comment
Question by:BigZWillis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 21798223
What is the process with PID 2748?
0
 

Author Comment

by:BigZWillis
ID: 21798397
We are on the right track. Good catch... I didn't notice that until I pasted the full error. Anyway, it's the Reporting Services Service. So has to do with SQL. I've configured reporting services with the correct username and password. I just double checked the service and in the report services configuration too. However, when I stop the service the event does stop logging... I need reporting services. Any suggestions? Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21798481
Thanks :) Glad I was able to help a bit. Did you get the problem solved?
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Learn about cloud computing and its benefits for small business owners.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question