Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Hourly event ID:529 from one user in the Security Log  of the Exchange server

Posted on 2008-10-30
6
351 Views
Last Modified: 2012-05-05
We are running Exchange 2007.  Clients are Outlook 2007.  The user in question also uses ActiveSync from her "phone" which runs Windows Mobile to connect to email.   Two things are part of this problem.  The first to arise was that approximately once per hour there is a Logon Failure event 529 in the Security event log on the server running Exchange (and only Exchange).  Its full text is (xxxx's replace username and IP:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      xxxxx
       Domain:            SAMHC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SAMHC254
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      xxx.xxx.xxx.xxx       Source Port:      3794

The other part of this problem is that everytime the user opens Outlook she is challenged for a username/password.  If this is closed without entering information, Outlook appears to open normally.  If un/pwd is entered all appears the same.  While logged in as her, in  Control Panel/Mail  all the settings look normal.
0
Comment
Question by:Dgreenbaum
  • 4
  • 2
6 Comments
 
LVL 14

Accepted Solution

by:
dfxdeimos earned 500 total points
ID: 22846489
So the IP that you x'd out relates to her workstation IP? It seems some bad credentials may be getting cached here. Have you deleted her Outlook profile and recreated it?
0
 

Author Comment

by:Dgreenbaum
ID: 22851043
Those xxx's do represent the workstation's IP.   I logged in as the user and tried to work with the settings in Control Panel/Mail.  It wouldn't let me delete here Exchange account.  I was only able to Check Names, which it did successfully.  Is there somewhere else to "delete her Outlook profile" without adversely affecting her Exchange Maibox?
0
 
LVL 14

Assisted Solution

by:dfxdeimos
dfxdeimos earned 500 total points
ID: 22851627
You should be able to log in as the user and go to Control Panel -> Mail -> Profiles and delete the profile listed there. You can then re-open Outlook and it will prompt you to reconnect to her mailbox. Deleting and rebuilding the profile will not affect her Exchange mailbox.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Dgreenbaum
ID: 22852869
When I tried to delete the profile it tells me I need to create a local path for the Data Files.   Not wanting to mess with this I went looking for other Security possibilites.  Found the Email/Change email account/More Settings/Security.  On a lead from a web discussion I found, switched to NTLM authentication.  I'm waiting the hour to see if the 529 will stop.   If they do I'll back track to try and find the cause.
0
 

Author Comment

by:Dgreenbaum
ID: 22854863
The change to NTLM authentication on the local mail settings has stopped the Failed Authentication.  I don't have a clue to why that one user would have been causing those event ID: 529 or would require a different Security Setting.    As far as mail is concerned, users get their mail when it comes in.   I can't think of a "behind the scenes" authentication that occurrs each 60 minutes.  Any idea what it could have been?
0
 

Author Comment

by:Dgreenbaum
ID: 22870804
I
At this point I will close this question.  Still don't understand why one client on the network would have this problem.  There must be some situation going on that has yet to reveal itself
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question