Thousands of 537 errors in security log

Where running SBS2003 and for the past few weeks have been getting between 1500 and 2500 537 errors in the security log, details below. Nothing has really changed on the system, no passwords have been changed.

How can I sort this out?


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            23/04/2009
Time:            08:33:41
User:            NT AUTHORITY\SYSTEM
Computer:      (SBS machine name)
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Èùñ xu| (This changes on each occurance but is similar to this)
       Authentication Package:      NTLM
       Workstation Name:      
       Status code:      0x80090308
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
SJHAsked:
Who is Participating?
 
pAceMakerNZConnect With a Mentor Desktop Support Commented:
If you are running Trend Micro AV
Try the following:

1.In ADUC: Create a new User: Trend and set password: 0hReally?
2.Add the user to Internet Users for SBS 2003 Premium to allow access through ISA.
3.Set the username and password to Trend's Web Reputation proxy settings.

Found at:
http://blog.mpecsinc.ca/2008/10/sbs-event-id-537-ntlm-logon-errors.html
http://blog.mpecsinc.ca/2008/07/sbs-trend-worry-free-business-security.html
http://blog.mpecsinc.ca/2008/10/sbs-event-id-537-ntlm-logon-errors_04.html
0
 
numero_unoCommented:
If the "Logon Failure Auditing" local policy is in use on a Windows XP-based computer that is a member of a domain, the entry may be recorded in the Security event log if you log on to the local computer instead of to the domain.
Please ensure that you have the latest Service Pack for windows installed. There is also a Hotfix for the same
Please refer to the MICROSOFT OFFICIAL article for the same.
http://support.microsoft.com/kb/327889
0
 
SJHAuthor Commented:
Pretty sure that isn't the cause, the details in the log arn't the same as those shown in the KB - any other suggestions?
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Aztec ComputersCommented:
Have you got any users who have stored a network password into their Windows account for a network share, ticked the box to remember the password and then changed their password?
0
 
SJHAuthor Commented:
I don't believe so as we never change passwords at all
0
 
SJHAuthor Commented:
Anyone any ideas?
0
 
SJHAuthor Commented:
Anyone?
0
 
pAceMakerNZDesktop Support Commented:
I'm keeping an eye on this one. We have a client with the exact same problem.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            11/06/2009
Time:            4:31:50 p.m.
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-01
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Èù㣧
       Authentication Package:      NTLM
       Workstation Name:      
       Status code:      0x80090308
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
 
SJHAuthor Commented:
Finally fixed this thanks to pAceMakerNZ.

Created user called Trend in Active Directory Computers and Users with a password that doesn't expire etc. Note the total combined no. of characters in the user name and password must not be more than 14

Added this new user to the Internet Users group.


In Trend Dashboard go to Preferences_>Global Settings_Proxy
Tick Use a proxy server&.
Enter Address: as SBS server name
Port is 8080
User name Trend and password

Click Save

537 errors stop instantly.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.