SBS Security Event: Failure Audit - How do I track source?

Posted on 2009-04-15
Last Modified: 2013-12-04
Hi Guys,

Every so often one of the SBS Servers we manage reports a series of failure audits (around 10-30 at a time). The usernames which appear are generally not in AD (so it makes me think it's some sort of dictionary attack?). As shown in the example event below, there is no indication of source IP or port (Caller Process ID seems to vary).

A bit of background on the server:

It is an SBS 2k3 R2 Server (behind a SonicWALL) with the latest Microsoft updates (as of the beginning of April) and has only got RDP, SMTP and SSL being forwarded to it.

Can anyone provide me some advice on how to pinpoint where this attack is coming from? And what the attacker is trying to exploit?


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            <DATE>
Time:            <TIME>
User:            NT AUTHORITY\SYSTEM
Computer:      <SBS SERVER NAME>
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      <SERIES OF INVALID USER NAMES>
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      <SBS SERVER NAME>
       Caller User Name:      <SBS SERVER NAME>$
       Caller Domain:      <DOMAIN NAME>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2868
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

For more information, see Help and Support Center at

Thanking you all in advance for any assistance provided.
Question by:sa1ntx

    Accepted Solution

    Hi sa1ntx,

    Have you ever reviewed this KB?

    Kerberos Event ID: 529 is logged when you use a local user account to verify security access or group membership on a Windows Server 2003-based Kerberos client

    Hope it helps,

    Author Closing Comment

    Hi Bbao, thanks for providing some assistance. It doesn't appear that the MS article resolves the issue we are currently having. However, since no one else has provided any assistance, I'm awarding the points to you.

    I'm actually going to log a ticket with Microsoft and see if they can provide information on how to troubleshoot these types of errors.

    Thanks again mate.
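
Added example (not part of the original thread): when Source Network Address is "-", as in the event in the question, Caller Process ID is the remaining field to pivot on, so this Python script parses an exported event-text log and groups the 529 failures by logon process and caller PID. The sample records, function names and all values in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event in the question; the user
# names, PIDs and the 192.0.2.10 address are made up for illustration.
_REC = ("Event Type:      Failure Audit\nEvent ID:      529\n"
        "       User Name:      {}\n       Logon Process:      {}\n"
        "       Caller Process ID:      {}\n"
        "       Source Network Address:      {}\n\n")
SAMPLE = "".join(_REC.format(*r) for r in [
    ("admin1", "Advapi  ", "2868", "-"),
    ("backup", "Advapi  ", "2868", "-"),
    ("test", "User32  ", "412", "192.0.2.10"),
])

# "Field name:   value" lines; headers such as "Logon Failure:" have no value.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):[ \t]+(\S.*?)\s*$")

def parse_events(text):
    """Split an event-text export into one {field: value} dict per record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Event Type":          # first field of every record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def group_by_caller(events):
    """Group 529 failures by (Logon Process, Caller Process ID)."""
    groups = defaultdict(lambda: {"users": [], "sources": set()})
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        g = groups[(ev.get("Logon Process"), ev.get("Caller Process ID"))]
        g["users"].append(ev.get("User Name"))
        if ev.get("Source Network Address", "-") != "-":
            g["sources"].add(ev["Source Network Address"])
    return dict(groups)

if __name__ == "__main__":
    for (proc, pid), g in group_by_caller(parse_events(SAMPLE)).items():
        src = ", ".join(sorted(g["sources"])) or "none logged"
        print(f"{proc} pid={pid}: {len(g['users'])} failures, source: {src}")
```

Each PID in the output can be matched against the process list on the server (for example with `tasklist /svc`) while that process is still running, to see which service is submitting the failed logons.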
