• Status: Solved

An error occurred during logon username administrator domain companyweb Event 537

companyweb, for no apparent reason, cannot be accessed from the server, but it's fine with all the clients.

When I open Internet Explorer, I am presented with a username and password box, so I put in my login details (Administrator + password). It comes back again with companyweb\administrator and a blank password field, which I fill in again and press OK, and it just keeps looping.

event log is

Logon Failure:
  Reason: An error occurred during logon
  User Name: administrator
  Domain: companyweb
  Logon Type: 3
  Logon Process: Èù’
  Authentication Package: NTLM
  Workstation Name: VLC-PDC
  Status code: 0xC000006D
  Substatus code: 0x0
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 192.168.16.2
  Source Port: 3546

Companyweb is being used by all the users, so uninstalling isn't an option.

Anyone know the answer to this?
Asked by: Laurence_L

mikeewalton Commented:
Try putting in domain(your domain name)\administrator


roddines Commented:
I have the same problem and putting in [domain]\administrator does not help

Laurence_L (Author) Commented:
Agreed, that doesn't work. I'm thinking this:
Under where it says logon process you see this "Èù’"

That clearly isn't right, so something somewhere is obviously corrupt.
I have created a new administrator account and logged in with that and it still doesn't work; it has the same error message, the only difference is the user name.

I have also tried logging in using one of the users on the network and that doesn't work either.

What I can't understand is why does it work on all the clients, but NOT the server itself?

Laurence_L (Author) Commented:
Roddines, I just had a thought.
How are you connecting to companyweb?
I am connecting via Remote Desktop onto the server and haven't actually tried it locally.
I'm wondering if it's RDC???

roddines Commented:
Hi Laurence L

I am doing all this remote admin from Australia on a UK SBS 2003 server that is hosted in a VMWARE virtual server environment.  So actual local is not possible even if I was in UK.  But if I log on remotely to the host VMWARE server then use the local console equivalent I get the same problem.

I however, after further investigation, am not getting the event log entry as per your problem and can't find any event logging associated with the security.

What area of the event log was yours appearing in?  Application/System/IIS?

roddines Commented:
The "companyweb, for no apparent reason cannot be accessed from the server but its fine with all the clients" is the key thing that is weird.  I checked my IE7 Tools-Internet Options-Advanced-Security-Enable Integrated Windows Authentication and that is enabled.  And also installed IE8 to see if that fixed anything...but same problem.

roddines Commented:
It's not really causing any issues for users so it's just strange and I would dearly like to fix it on the server, but can I justify spending hours and hours on it? Probably not!

Laurence_L (Author) Commented:
I just looked in the event logs; it's listed under Security / Event ID 537.
I have just noticed that the source port number listed above as 3546 also comes up in subsequent event 537 entries as 2877, 2650, 1226, 3456 etc.,
and that the logon process, in this case the weird characters "Èù’ ", also changes; however, every time it is "Èù***" with a different three strange characters.

roddines Commented:
Hmm looks like we have exact same problem....

The TCP Port number is random (hence varies every time which is normal) as generated from client (IE) source to fixed destination web server TCP port (80 in this case)

My errors show exactly same symptoms....

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            23/04/2009
Time:            18:19:29
User:            NT AUTHORITY\SYSTEM
Computer:      VWDSVR01
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      Administrator
       Domain:            GRANTSELLERS
       Logon Type:      3
       Logon Process:      Èùa
       Authentication Package:      NTLM
       Workstation Name:      VWDSVR01
       Status code:      0xC000006D
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      172.16.1.2
       Source Port:      1592


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

roddines Commented:
Searched GOOGLE for "Logon Process:      Èù" and found this

http://forums.techarena.in/small-business-server/1042060.htm

I too have recently upgraded this server from Trend Micro CSM 3.6 to WFBS.  Have you too?
 
roddines Commented:
And more WORRY FREE BUSINESS SERVER.....NOT.........
http://forums.msrportal.com/archive/index.php?t-40704.html

roddines Commented:
I tried this registry hack from the KB article referred to in above link
Note in below REG file code:
hex(7):63,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,77,\
  00,65,00,62,00,00,00,00,00 = "companyweb"

AND IT DOES NOT SEEM TO WORK

I also added "companyweb.[DOMAIN].local" and it did not work either.
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=hex(7):63,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,77,\
  00,65,00,62,00,00,00,00,00

roddines Commented:
IT WORKS NOW but only with this registry change from

http://support.microsoft.com/kb/896861

Method 2: Disable the loopback check

I would prefer the more secure Method 1 option to list the server alias??? Maybe I'm missing something in this context.
I didn't reboot when trying Method 1, only IIS Admin Restart, but I rebooted after Method 2, so that may be a factor.  Please let me know if you get Method 1 working!

THE REAL QUESTIONS HERE ARE: WHY DID THIS START HAPPENING ALL OF A SUDDEN?  IS IT RELATED TO TREND MICRO WFBS UPGRADE/INSTALL?
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

Laurence_L (Author) Commented:
Just attempting it now! Sorry, been so busy I couldn't get back on to this until now; results to be posted in 30 mins!

Laurence_L (Author) Commented:
Roddines - You are the Man!!!!!!!! Thanks dude, I can't believe you found the answer to that one, but you did, it worked and it's definitely a problem solved! Thanks a lot for your time on this one.

Laurence_L (Author) Commented:
It worked!! amazing! thanks for your time on this one bro.

roddines Commented:
Hi Laurence Glad it fixed your problem too.  Thanks for the points too.   It would be nice to know if your problem was caused by installing Trend Micro's Worry Free Business Server as you neglected to mention either way. Thanks!

Laurence_L (Author) Commented:
Sorry! I missed that out. No, I didn't install anything at all from Trend Micro; in fact what I had installed was a big batch of Microsoft updates, one of which I think was the cause of the problem.

HERE'S THE LIST
KB -
958690
961064
960225
961063
959426
961373
961373
952004
960803
956572
923561
Also two hotfixes listed -
KB
954550 & 961118

After I rebooted, that's when it all went wrong. Now another thing I didn't mention was, I also installed a new server for another customer at a completely different company; they already had the first release of SBS 2003, so I installed that software and ran MS updates all night before I wanted it to go live.

The next day, this machine also had the same issue, and the last installs of anything were the above security patches.

I presumed this was an isolated case of outdated software, so ended up (after uninstalling and reinstalling companyweb without success) reinstalling SBS again. Now when this happened again on a server that has been running well for over a year, it could only be the one thing, which was one of the security patches; which one, I have no idea. But again thanks to you, I don't care how many times it happens now, as I have a fix! :-) As for the points, you are very welcome!



roddines Commented:
Thanks for the detailed update I am sure it will help someone if not us again in the future. Cheers!

seradmin Commented:
I had the same error and used Method 1 of the above mentioned KB thanks to this thread, so thank you!!
I have a Virtual Server running this and the most recent change was Windows Updates.  No Trend Micro.

I rebooted after modifying the registry with the host names and that worked.  I added both the FQDN and the 'common url' host name to the BackConnectionHostNames key.

Thanks again!

roddines Commented:
Thanks for the feedback on Method 1 which I will retry at some point I appreciate it and glad it worked for you! Cheers!
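
Added example (not part of the original thread and not Microsoft's code): a Python sketch that encodes and decodes the `hex(7)` REG_MULTI_SZ form used for BackConnectionHostNames in the posts above, builds the Method 1 .reg text for more than one host name, and checks .reg text for the Method 2 setting, which turns the loopback check off for every name rather than exempting only the listed ones. The function names and the FQDN companyweb.example.local are constructed for illustration.

```python
import re

MSV1_0 = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"

# Method 2 fragment as posted in the thread, used here as audit input.
METHOD2_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001
"""

def encode_multi_sz(names):
    """Host names -> .reg 'hex(7):' text (UTF-16LE, NUL per string, extra NUL at end)."""
    raw = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def decode_multi_sz(value):
    """'hex(7):' text (with or without '\\' line continuations) -> list of strings."""
    body = re.sub(r"[\\\s]", "", value.split(":", 1)[1])
    raw = bytes(int(h, 16) for h in body.split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def method1_reg(names):
    """Build the Method 1 .reg text for the given host names."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{MSV1_0}]\n"
            f'"BackConnectionHostNames"={encode_multi_sz(names)}\n')

def audit_reg(text):
    """Return (loopback_check_disabled, back_connection_host_names) for .reg text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    disabled, names = False, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"DisableLoopbackCheck"=dword:([0-9a-f]{8})$', line, re.I)
        if m:
            disabled = int(m.group(1), 16) == 1  # value used by Method 2
        m = re.match(r'"BackConnectionHostNames"=(hex\(7\):.*)$', line, re.I)
        if m:
            names = decode_multi_sz(m.group(1))
    return disabled, names

if __name__ == "__main__":
    # companyweb.example.local is a constructed FQDN, not a value from the thread.
    reg = method1_reg(["companyweb", "companyweb.example.local"])
    print(reg)
    print(audit_reg(reg))
    print(audit_reg(METHOD2_SAMPLE))
```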