Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 965
  • Last Modified:

Thousands of 537 errors in security log

Where running SBS2003 and for the past few weeks have been getting between 1500 and 2500 537 errors in the security log, details below. Nothing has really changed on the system, no passwords have been changed.

How can I sort this out?


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            23/04/2009
Time:            08:33:41
User:            NT AUTHORITY\SYSTEM
Computer:      (SBS machine name)
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Èùñ xu| (This changes on each occurance but is similar to this)
       Authentication Package:      NTLM
       Workstation Name:      
       Status code:      0x80090308
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
SJH
Asked:
SJH
1 Solution
 
numero_unoCommented:
If the "Logon Failure Auditing" local policy is in use on a Windows XP-based computer that is a member of a domain, the entry may be recorded in the Security event log if you log on to the local computer instead of to the domain.
Please ensure that you have the latest Service Pack for windows installed. There is also a Hotfix for the same
Please refer to the MICROSOFT OFFICIAL article for the same.
http://support.microsoft.com/kb/327889
0
 
SJHAuthor Commented:
Pretty sure that isn't the cause, the details in the log arn't the same as those shown in the KB - any other suggestions?
0
 
Aztec ComputersCommented:
Have you got any users who have stored a network password into their Windows account for a network share, ticked the box to remember the password and then changed their password?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
SJHAuthor Commented:
I don't believe so as we never change passwords at all
0
 
SJHAuthor Commented:
Anyone any ideas?
0
 
SJHAuthor Commented:
Anyone?
0
 
pAceMakerNZDesktop Support Commented:
I'm keeping an eye on this one. We have a client with the exact same problem.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            11/06/2009
Time:            4:31:50 p.m.
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-01
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Èù㣧
       Authentication Package:      NTLM
       Workstation Name:      
       Status code:      0x80090308
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
 
pAceMakerNZDesktop Support Commented:
If you are running Trend Micro AV
Try the following:

1.In ADUC: Create a new User: Trend and set password: 0hReally?
2.Add the user to Internet Users for SBS 2003 Premium to allow access through ISA.
3.Set the username and password to Trend's Web Reputation proxy settings.

Found at:
http://blog.mpecsinc.ca/2008/10/sbs-event-id-537-ntlm-logon-errors.html
http://blog.mpecsinc.ca/2008/07/sbs-trend-worry-free-business-security.html
http://blog.mpecsinc.ca/2008/10/sbs-event-id-537-ntlm-logon-errors_04.html
0
 
SJHAuthor Commented:
Finally fixed this thanks to pAceMakerNZ.

Created user called Trend in Active Directory Computers and Users with a password that doesn't expire etc. Note the total combined no. of characters in the user name and password must not be more than 14

Added this new user to the Internet Users group.


In Trend Dashboard go to Preferences_>Global Settings_Proxy
Tick Use a proxy server&.
Enter Address: as SBS server name
Port is 8080
User name Trend and password

Click Save

537 errors stop instantly.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now