Solved

Event id; 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Posted on 2008-10-11
Medium Priority
5,327 Views
Last Modified: 2013-11-08
I'm getting the following error every night around 8PM on a Domain Controller running SBS 2003.
The ID, Support, is a domain admin.
There are sometimes 7 - 700 security errors.
From my research, it could be an application, or a "Hack Attack".
How can I identify and resolve this problem?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/10/2008
Time:            9:08:18 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Servername
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Support
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      Servername
       Caller User Name:      Servername$
       Caller Domain:      Domain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      4696
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
Question by:cookd47
7 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 22695958
Could be a service trying to log on with incorrect credentials. Have a look in the eventlog for any other errors.
Be a good idea to run a virus scan just in case.
Olaf
0
 

Author Comment

by:cookd47
ID: 22785138
Administrator login failed 1027 times between 2000 last night and 0400 this morning. We normally get between 6 - 12 event 529 every night.

I will reward 1000 points for a solution.
How can we trace the source of this event?
There is nothing in the SonicWall log that suggests a "Brute Force" hack attempt.
0
 
LVL 10

Expert Comment

by:anupnellip
ID: 22788626
This could also be a backup job trying to run using the Support username.
Check all the tasks on the server. Check if you see any task running at 8. Check the user name used to run the task.
0
 

Author Comment

by:cookd47
ID: 22789247
I suspect that it is the backup, but am unable to find an error in the backup log, or Windows log (other than security events). The backup takes most of the night. They have an application that backs up a database as well. Most nights we only get a few errors, but about every 8 - 10 days we get 600 - 1100 events. It is almost certainly an application/backup issue; I would like to track it down, document the cause, and present it to the client, who believes that Hackers are after his system.
0
 
LVL 10

Accepted Solution

by:
anupnellip earned 2000 total points
ID: 22790724
No hacker here. What backup do they use? Can you check the user name used for backup?
Is the backup running from the same server? The event log shows the Workstation name for the network logon; is it the backup server? You should look at that machine. If it is the same server, then either it is a service or a net share that was used earlier.
Try typing the command
net use
If you find any device, use
net use <device> /delete
Probably someone used the credentials to map a drive on the network?

You could also check this from under management & shares and active sessions.
0
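One way to answer "How can we trace the source of this event?" from the records themselves, as an added example that is not part of the original thread: the script parses Security log text exported in the layout shown in the question and counts Event ID 529 failures by account, origin and hour. The sample records, the names SERVER1 and WS7 and the address 192.0.2.10 are constructed, and the local-origin rule (Workstation Name equal to Computer, Caller Logon ID 0x3E7, no source address) is this example's assumption about how to read those fields.

```python
import re
from collections import Counter
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported Security log text into one dict per 'Event Type:' record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Event Type":            # first field of every record
            events.append({})
        if events:
            events[-1][key] = val
    return events

def origin(ev):
    """Say where the failed logon was requested from, using the record's own fields."""
    same_host = ev.get("Workstation Name", "").lower() == ev.get("Computer", "").lower()
    as_system = ev.get("Caller Logon ID", "").upper().endswith("0X3E7)")  # SYSTEM session
    if same_host and as_system and ev.get("Source Network Address", "-") == "-":
        return "local process, PID " + ev.get("Caller Process ID", "?")
    return "remote, " + ev.get("Workstation Name", "?") + " " + ev.get("Source Network Address", "-")

def summarize(text):
    """Count Event ID 529 failures per (account, origin, hour of day)."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") == "529":
            hour = datetime.strptime(ev["Time"], "%I:%M:%S %p").hour
            counts[(ev.get("User Name", ""), origin(ev), hour)] += 1
    return counts

# Constructed sample records in the layout shown in the question (not real log data).
TEMPLATE = ("Event Type:      Failure Audit\nEvent ID:      {0}\nTime:            {1}\n"
            "Computer:      SERVER1\n       User Name:      {2}\n"
            "       Workstation Name:      {3}\n       Caller Logon ID:      {4}\n"
            "       Caller Process ID:      {5}\n       Source Network Address:      {6}\n")
SAMPLE = "".join(TEMPLATE.format(*r) for r in [
    ("529", "8:01:12 PM", "Support", "SERVER1", "(0x0,0x3E7)", "4696", "-"),
    ("529", "8:01:13 PM", "Support", "SERVER1", "(0x0,0x3E7)", "4696", "-"),
    ("529", "2:15:40 AM", "Administrator", "WS7", "-", "-", "192.0.2.10"),
    ("680", "8:01:12 PM", "Support", "SERVER1", "-", "-", "-"),  # other event ID, filtered out
])

if __name__ == "__main__":
    for (user, where, hour), n in summarize(SAMPLE).most_common():
        print(f"{n:5d}  {user:15s} {hour:02d}:00  {where}")
```

A "local process" row gives a Caller Process ID that can be matched against the server's running processes while the failures are occurring.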
 

Author Closing Comment

by:cookd47
ID: 31505295
There was a drive mapped prior to the last password change.
0
