What is locking out my Windows account while I'm using broadband to access my corporate network? (read on...)

Posted on 2008-11-18
Last Modified: 2013-12-29
3x a minute my DC security event log logs the following for one of my users:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/17/2008
Time:            3:44:48 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      (i'm not showing you that!)
       Domain:            (i'm not showing you that!)
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      (i'm not showing you that!)
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6012
       Transited Services:      -
       Source Network Address:
       Source Port:      50652

The user of course is constantly getting locked out and... As fate would have it, this user is the president of the company...

Now stick with me for a bit while I will appear to go on an irrelevant tangent :)

He's got this fancy new Lenovo ThinkPad that automatically determines the best of 3 possible ways to connect to the internet (which he in turn uses to VPN into the office).  Those 3 ways are wired LAN (in the office), WiFi (in the office), or broadband (like a cellphone) which works pretty much anywhere.  The source IP of the 'offending' security log event belongs to Sprint.  Sprint is his broadband provider.  He also has a cellphone that checks our Exchange server (an iPhone of course) but I think that is on the ATT network.  He also has a desktop PC.  So he's got like 5 ways to check his email.  So anyway - long story short - I think it's the Verizon broadband connection that is doing it since the source IP belongs to Verizon.  ....  either that or some hacker using the Verizon network in the Washington DC area :)

I can't find any information about port 50652 and can't figure out why he keeps getting locked out even though I think it has something to do with his ThinkPad's broadband internet.

Can anyone help me understand more than what I already do?  What is port 50652?   What might I look further into?

Thanks Much,

Russ White
Question by:casco32
    LVL 1

    Expert Comment

    Are there any stored usernames and passwords under the user account of one of his machines?
    I have seen users store domain credentials and then when the password expires they get locked out because they were not updated.
    LVL 77

    Expert Comment

    by:Rob Williams
    I agree with NJDEV1. It can often be due to something like Trend Micro antivirus having been set up with an admin account for updates. If the admin password has changed (not the user's password) something like A/V will keep trying to get updates, and as a result keep trying to authenticate.

    Don't rule out the possibility of a hacker if you have external access to RWW or TS. Is it SBS premium with ISA?

    Author Comment

    Thanks for your inputs.
    It is not an expired password issue - I beat that possibility to death before posting.
    It's something on his mobile broadband.  The IP address it's coming from is an IP that belongs to the Verizon Mobile IP pool so I do not think it is a hacker.  It stopped for two days and then started again this morning at 1:50 am while the user was asleep and his laptop was asleep :|  It has something to do with Verizon's mobile broadband software.  I think I worked around this issue and I don't really expect this question to get answered.
    LVL 77

    Accepted Solution

    There must be a logon, mapped drive, service, or similar configured on that unit with a wrong or expired password that keeps trying to reconnect.

    Author Closing Comment

    I think the issue was someone trying to hack.  It has gone away.  Awarding robwill as he posted the most.  Thanks much.
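
Added example (not part of the original thread): one way to triage a run of Event ID 529 records like the one in the question is to group them by user, source address and logon type and look at the rate. Logon Type 8 is NetworkCleartext, meaning a service on the server itself performed the logon with a password it received in clear form. The script assumes the events were exported as text in the layout shown above; the user names and the 203.0.113.25 address are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Logon type codes used in Windows Security logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t\r]*$", re.M)

def parse_events(text):
    """Split exported event text on 'Event Type:' and return one field dict per record."""
    records = re.split(r"(?m)^(?=Event Type:)", text)
    return [dict(FIELD.findall(rec)) for rec in records if rec.strip()]

def summarize_failures(events, event_id="529"):
    """Group logon failures by (user, source address, logon type), busiest first."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Event ID") != event_id:
            continue
        when = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        key = (e.get("User Name", ""), e.get("Source Network Address") or "(blank)",
               int(e.get("Logon Type", 0)))
        groups[key].append(when)
    rows = []
    for (user, addr, ltype), times in groups.items():
        # Rate over the observed span, with a one-minute floor for short bursts.
        minutes = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        rows.append({"user": user, "source": addr, "count": len(times),
                     "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
                     "per_minute": round(len(times) / minutes, 1)})
    return sorted(rows, key=lambda r: r["count"], reverse=True)

# Constructed sample records in the layout of the event above (not real data).
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Date:            11/17/2008
Time:            {time}
Logon Failure:
       User Name:      {user}
       Logon Type:      {ltype}
       Logon Process:      Advapi
       Source Network Address: {addr}
"""
SAMPLE = "".join(TEMPLATE.format(time=t, user=u, ltype=l, addr=a) for t, u, l, a in [
    ("3:44:08 PM", "jdoe", 8, "203.0.113.25"), ("3:44:28 PM", "jdoe", 8, "203.0.113.25"),
    ("3:44:48 PM", "jdoe", 8, "203.0.113.25"), ("3:45:10 PM", "svc_backup", 3, "")])

if __name__ == "__main__":
    for row in summarize_failures(parse_events(SAMPLE)):
        print(row)
```

A steady rate for one user from one external address with logon type NetworkCleartext points at a client replaying a stored password; records with a blank source address, as in the event above, are kept in their own group rather than dropped.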
