Anti-Mhz
asked on
Windows 2003 Event Viewer > Security > Failure Audit > Event id 537
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 3/16/2011
Time: 7:18:05 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.1.4
Source Port: 17981
I have 19 occurrences within the last 72 hours
10.0.1.4 detected as Netgear,In:00:AF:09
I have only one Netgear product in the network and that would be the Netgear ProSafe VPN Firewall FVS318, which I used to make an extra connection for a PC without an Ethernet jack
So what's going on here?
ASKER
source port varies from entry to entry
18276
17981
17924
0
18429
17982
17976
18381
18384
18373
17930
18303
which falls into range of 17924-18429, which is not of any known allowed services listed on router.
-noticed that the router password was set as default, changed
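Added example, not part of the original thread: a small Python triage script that parses the text of event 537 entries, maps the status and substatus values to their NTSTATUS names from Microsoft's ntstatus.h, and counts failures per source address. The sample event is constructed from the fields quoted in the question, and the function names are illustrative.

```python
from collections import Counter

# Subset of NTSTATUS values from Microsoft's ntstatus.h that show up in logon failures.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",  # clock skew between client and DC
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: fields copied from the event quoted in the question.
SAMPLE = """\
Event ID: 537
Logon Type: 3
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.0.1.4
Source Port: 17981
"""

def parse_event(text):
    """Split the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only, so times survive
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def decode(code):
    """Return the NTSTATUS name for a hex string, or a marker if unknown or missing."""
    try:
        value = int(code, 16)
    except (TypeError, ValueError):
        return "unparsed"
    return NTSTATUS.get(value, f"unknown (0x{value:08X})")

def triage(events):
    """Count event 537 failures per (source address, status, substatus)."""
    tally = Counter()
    for ev in map(parse_event, events):
        if ev.get("Event ID") == "537":
            key = (ev.get("Source Network Address", "-"),
                   decode(ev.get("Status code")), decode(ev.get("Substatus code")))
            tally[key] += 1
    return tally

if __name__ == "__main__":
    print(triage([SAMPLE]))
```

Grouping on the decoded substatus separates failures caused by bad credentials from those caused by a time difference between the source host and the domain controller, which call for different follow-up.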
Do you have a mix of 2003 & 2008/R2 domain controllers?
ASKER
No, in this scenario there's only one DC and it's running 2003 SP2
Are the user, workstation, and domain names actually blank like that? Is there a consistent time interval between the errors or are they pretty random? (sorry I only have questions at the moment)