asked on How do I get rid of the error message "Reason: Unknown user name or bad password, UserName: McAfeeMVSUserin critical errors in security log in my server performance report?
I have SBS 2003 R2.
Exchange 2003.
Outlook 2003.
Every morning I get my Server Performance Report with the two same following error messages in the Critical Errors In Security Log:
Error #1 usually the domain name changes:
Source Event ID Last Occurrence Total Occurrences
Security 529 7/15/2008 3:31 PM 6 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: McAfeeMVSUser
Domain: PHARMACY2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PHARMACY2
--------------------------
Error message # 2
Source Event ID Last Occurrence Total Occurrences
Security 537 7/15/2008 12:36 PM 6 *
Logon Failure:
Reason: An error occurred during logon
User Name: Administrator
Domain: BDRN
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
--------------------------
What are these error messages and how do I resolve it so it does not show up again?
All help will greatly appreciated and awarded.
Exchange 2003.
Outlook 2003.
Every morning I get my Server Performance Report with the two same following error messages in the Critical Errors In Security Log:
Error #1 usually the domain name changes:
Source Event ID Last Occurrence Total Occurrences
Security 529 7/15/2008 3:31 PM 6 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: McAfeeMVSUser
Domain: PHARMACY2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PHARMACY2
--------------------------
Error message # 2
Source Event ID Last Occurrence Total Occurrences
Security 537 7/15/2008 12:36 PM 6 *
Logon Failure:
Reason: An error occurred during logon
User Name: Administrator
Domain: BDRN
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
--------------------------
What are these error messages and how do I resolve it so it does not show up again?
All help will greatly appreciated and awarded.
SBS
Last Comment
j_rameses
ASKER
MPECInc,
What does "ADUC" stand for and where is it?
What is "A/V" when you refer to it in "McAfee A/V" in the first sentence?
What other services would be the problem?
Regarding to the second one the link brings me to a page with nothing on how to solve the problem.
The first thing it mentions is : "If you are getting event errors 537 and throwing off Kerberos errors, ensure that your clients are time sync'd with the domain controller."
How do I do that?
What does "ADUC" stand for and where is it?
What is "A/V" when you refer to it in "McAfee A/V" in the first sentence?
What other services would be the problem?
Regarding to the second one the link brings me to a page with nothing on how to solve the problem.
The first thing it mentions is : "If you are getting event errors 537 and throwing off Kerberos errors, ensure that your clients are time sync'd with the domain controller."
How do I do that?
ASKER
MPECInc,
Regarding the error message #2, it changes everyday between four users.
One day is one user the next day is another user.
I checked the client PCs and the time and date are correct.
They match the server.
Regarding the error message #2, it changes everyday between four users.
One day is one user the next day is another user.
I checked the client PCs and the time and date are correct.
They match the server.
ASKER
Philip,
When I check for the time zone in the server i am double-clicking on the time that is located on the lower far right part of the screen that is always visible.
Is that where you confirm the time synch?
When I check for the time zone in the server i am double-clicking on the time that is located on the lower far right part of the screen that is always visible.
Is that where you confirm the time synch?
ASKER
Philip,
When I search the net I get many references to the folllowing:
"net time
net time /setsntp:
w32tm /resync
---
on your SBS 2003 server:
1. Check the time zone setting. Make sure the time zone setting is correct.
2. Make sure the Windows Time Service's startup is set as 'Automatic'.
3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\
In the right panel, double-click 'Type'. If the value data is 'NoSync', change it to 'Nt5DS'.
Go to services console and restart the Windows Time Service."
Is it safe to run this?
Is it done from the command line?
Also, my TYPE does not say 'NoSync' it says "NTP", can this be the source of the problem?
When I search the net I get many references to the folllowing:
"net time
net time /setsntp:
w32tm /resync
---
on your SBS 2003 server:
1. Check the time zone setting. Make sure the time zone setting is correct.
2. Make sure the Windows Time Service's startup is set as 'Automatic'.
3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\
In the right panel, double-click 'Type'. If the value data is 'NoSync', change it to 'Nt5DS'.
Go to services console and restart the Windows Time Service."
Is it safe to run this?
Is it done from the command line?
Also, my TYPE does not say 'NoSync' it says "NTP", can this be the source of the problem?
ASKER
Philip,
Any answers?
Any answers?
Did you manage to get rid of the McAfee one?
Kerberos is very time sensitive ... did you verify that the SBS box is connected to time.windows.com for its time reference? This is the default behaviour out of the box.
All of your Windows client machines should be receiving their time from the SBS box which is receiving it from time.windows.com.
Philip
Kerberos is very time sensitive ... did you verify that the SBS box is connected to time.windows.com for its time reference? This is the default behaviour out of the box.
All of your Windows client machines should be receiving their time from the SBS box which is receiving it from time.windows.com.
Philip
ASKER
Should I delete MCAfee from all computers and do a restart and then a clean re-install?
One day is one machine the next is another machine.
How do I verify that the SBS box is connected to time.windows.com for its time reference?
How do I confirm that all the clients are receiving the time fromthe SBS box?
One day is one machine the next is another machine.
How do I verify that the SBS box is connected to time.windows.com for its time reference?
How do I confirm that all the clients are receiving the time fromthe SBS box?
No.
Use the net time command to verify the settings.
Some Kerberos messages will happen ... we see them almost regularly on our SBS setups. The only time you should be truly concerned is when client machines are no longer connecting because they fall out of time synch with the server by 5 minutes or more.
Your clocks on the client machines will all be the same as the servers. Again, net time at the command prompt.
Philip
Use the net time command to verify the settings.
Some Kerberos messages will happen ... we see them almost regularly on our SBS setups. The only time you should be truly concerned is when client machines are no longer connecting because they fall out of time synch with the server by 5 minutes or more.
Your clocks on the client machines will all be the same as the servers. Again, net time at the command prompt.
Philip
ASKER
Philip, I did the net time at the command prompt on both the a client machine and the server and the time matches.
The error message did not come up on todays report but it probably will come up on tomorrows report.
Is there a reason why that happens?
The same thing goes with the McAfee error message, it did not show up on the server performance report today.
When the message comes up on the report it is always both of them.
Is there some type of relation to why they both show up together?
The error message did not come up on todays report but it probably will come up on tomorrows report.
Is there a reason why that happens?
The same thing goes with the McAfee error message, it did not show up on the server performance report today.
When the message comes up on the report it is always both of them.
Is there some type of relation to why they both show up together?
Over time, you will get to know your servers that you are monitoring. Each will have its own relatively unique combination of errors in the daily reports. Once the patterns have been established, then you can look for anomolies.
Ah, yes, they would be tied together ... not too familiar with McAfee ... but have a look in their knowledgebase to see if there is anything relative to those errors.
Philip
Ah, yes, they would be tied together ... not too familiar with McAfee ... but have a look in their knowledgebase to see if there is anything relative to those errors.
Philip
ASKER
For now, when ever I get the error message of McAfee for a specific user, should I delete the software and then re-install it? Before installation, should I clean the registry? Or should I keep a log to see which of the clients are being mentioned on the report and then do a clean install of the software?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Philip,
I guess if McAfee does not have a fix I should not worry about it?
It still does not explain why only a select number of clients are included on the report and not others.
I will give McAfee a call to see what is going on.
Will keep you posted.
I guess if McAfee does not have a fix I should not worry about it?
It still does not explain why only a select number of clients are included on the report and not others.
I will give McAfee a call to see what is going on.
Will keep you posted.
ASKER
Philip,
I contacted McAfee and they informed me I should disable the McafeeMVSUser from My computer-->Right-Click-->M
I did this yesterday and my report from today did not have the McAfee error.
Will Keep you in a couple of days if it appears or not.
I contacted McAfee and they informed me I should disable the McafeeMVSUser from My computer-->Right-Click-->M
I did this yesterday and my report from today did not have the McAfee error.
Will Keep you in a couple of days if it appears or not.
Sounds fair.
Philip
Philip
ASKER
Today is day # 2 and it did not show up.
ASKER
Philip,
Thank you for assistance.
I have not received any more of these errors.
For anyone who is looking for the solution read this in its entirety.
I am giving Philip credit to him for helping and guiding towards calling McAfee and letting me know what the problem is. The solution is on one of my post which is to disable the McAfeeMVSUser.
Thank you for assistance.
I have not received any more of these errors.
For anyone who is looking for the solution read this in its entirety.
I am giving Philip credit to him for helping and guiding towards calling McAfee and letting me know what the problem is. The solution is on one of my post which is to disable the McAfeeMVSUser.
You may need to reinstall the product, or uninstall, cleanse, then reinstall it again to get the message to disappear.
For the second one:
http://msmvps.com/blogs/bradley/archive/2004/01/22/1995.aspx
Philip