Failure Audit for Logon Process Advapi

Posted on 2011-04-26
Last Modified: 2012-06-27
I have a mixed Server 2003 and Server 2008 environment across 4 offices. Every 15 minutes on my main domain controller (Server 2003) I am getting a Failure Audit, event ID 529, that reads something like this (words in capitals have been changed to generic):

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      DOMAIN ADMIN
       Domain:            DOMAIN
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      2003 DOMAIN CONTROLLER
       Caller User Name:      2003 DOMAIN CONTROLLER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
       Source Port:      4063 - PORT ALWAYS CHANGES

I also see this error on the other domain controllers (all 2008 machines), though not nearly as often, maybe once a day. However, they read a little differently. Something like this:

An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            2008 DOMAIN CONTROLLER$
      Account Domain:            DOMAIN
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            DOMAIN ADMIN
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x298
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      2008 DOMAIN CONTROLLER
      Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
      Source Port:            4110

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

The source IP is always the OLD EXCHANGE SERVER / ANTI VIRUS SERVER (but the workstation name is always the DC). All Exchange services on that box are disabled and no longer in use, including SMTP. The anti virus processes are all using the local service account. I've looked through all the services on the OLD EXCHANGE SERVER / ANTI VIRUS SERVER and none are using the DOMAIN ADMIN account.

Any idea what could be causing these errors? The OLD EXCHANGE SERVER / ANTI VIRUS SERVER is in the same office as the 2003 DOMAIN CONTROLLER, and that is the only server on which it gets logged every 15 minutes on the dot. I've searched Google for these errors but nothing really seems to apply to my situation. No services seem to be causing it, the IIS settings look correct, and I'm running out of things to look for. Any help would be appreciated. Thanks.
Question by:BigZWillis

    Expert Comment

    I would check the Security Event log on the old exchange server.

    Recently, we found a similar series of errors when a user was having issues with getting locked out a lot.  I found those events on one of our domain controllers, but our messages mentioned our production exchange server.  When I checked for a similar error on the exchange server at the same time stamp, I found a series of "failure audit" and "success audit" messages that gave me the name of the system from which the bad password attempt was originating.

    In another case, it only gave me the IP address, but using that information we were able to figure out that the user had configured an Outlook profile on that PC before he had changed his password.  It wasn't a computer he used anymore, so his account was getting locked out every time Outlook tried to connect using that other PC because it had a bad password.  The local IT staff resolved the problem by removing his Outlook profile from that PC.

    I hope this helps.


    Author Comment

    Thanks for the reply... Unfortunately that doesn't seem to be my situation. I have looked at the logs on the old Exchange server and nothing seems to match up. In addition, all Exchange services on the server are no longer running. Exchange has been moved to a hosted solution... This server is basically just an anti virus server at this point. Thanks.

    Author Comment

    I turned on some more auditing and found another error to go along with the first; this happens every 15 minutes as well. There are about 20 of these logged at once every 15 minutes. They go something like this (Event ID 675):

    Pre-authentication failed:
           User Name:      DOMAIN ADMIN
           User ID:            DOMAIN\DOMAIN ADMIN
           Service Name:      krbtgt/DOMAIN
           Pre-Authentication Type:      0x2
           Failure Code:      0x18
           Client Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER

    Does that help?
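An added example, not code from the original thread: a PowerShell script that pulls both kinds of failure the poster describes (the 529/4625 logon failure and the 675/4771 Kerberos pre-authentication failure) from a DC's Security log and groups them by source address, so the originating host and the fixed 15-minute cadence stand out. It assumes a Server 2008 or later DC (the 2003 IDs 529 and 675 become 4625 and 4771 there; this script does not read a 2003 log), PowerShell 3.0 or later, rights to read the Security log, and that the account name is supplied in the placeholder $Target. The decode table covers the codes visible in this thread (0xc000006a is STATUS_WRONG_PASSWORD, 0x18 is KDC_ERR_PREAUTH_FAILED, both "wrong password") plus a few common neighbours. The field to act on is Source Network Address / Client Address, the host that supplied the bad password; Workstation Name is the DC here because the DC's own LSA validated the credential (Logon Process "Advapi" is the LogonUser API path), so it does not identify the culprit.

```powershell
# Added example (not from the thread). Run on a Server 2008+ DC with rights to read the
# Security log. Assumptions: PowerShell 3.0+, account name passed in $Target (placeholder).
param(
    [string]$Target = 'DOMAINADMIN',   # placeholder: the account named in the failure events
    [int]$Hours = 24                   # how far back to search
)

# Codes seen in the thread and their meaning. 4625 Status/SubStatus are NTSTATUS values;
# the 4771 "Failure Code" is the Kerberos error code from RFC 4120.
$Reason = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (generic wrapper)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0x18'       = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x12'       = 'KDC_ERR_CLIENT_REVOKED (locked out / disabled)'
    '0x17'       = 'KDC_ERR_KEY_EXPIRED'
}

$filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML; parsing the Message text is fragile.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $Target) { continue }

    $code = if ($e.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }
    $code = ([string]$code).ToLower()
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        Source  = ([string]$d['IpAddress']) -replace '^::ffff:', ''   # 4771 logs IPv4 as ::ffff:a.b.c.d
        Port    = $d['IpPort']                                        # the client's ephemeral port
        Code    = $code
        Why     = if ($Reason.ContainsKey($code)) { $Reason[$code] } else { 'unknown' }
        Via     = if ($e.Id -eq 4625) { ([string]$d['LogonProcessName']).Trim() } else { 'Kerberos AS-REQ' }
    }
}

# One line per (account, source host, path): count, reasons, and the typical gap between
# attempts. A gap that is the same every time points at a scheduler or poller, not a human.
$summary = $rows | Group-Object Account, Source, Via | ForEach-Object {
    $times  = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
    $gaps   = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalMinutes })
    $median = if ($gaps.Count) { @($gaps | Sort-Object)[[int][math]::Floor($gaps.Count / 2)] } else { $null }
    [pscustomobject]@{
        Account      = $_.Group[0].Account
        Source       = $_.Group[0].Source
        Via          = $_.Group[0].Via
        Failures     = $_.Count
        Reasons      = (($_.Group | ForEach-Object { $_.Why }) | Sort-Object -Unique) -join '; '
        First        = $times[0]
        Last         = $times[-1]
        MedianGapMin = if ($null -ne $median) { [math]::Round($median, 1) }
    }
}
$summary | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it as `.\Find-LogonFailures.ps1 -Target 'DOMAINADMIN' -Hours 24` (script name is an assumption). A row with a MedianGapMin of 15.0 and a single Source is the pattern the poster describes; the next step is on that source host, not on the DC.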


    Expert Comment

    It must be a service or a scheduled task that's running on a regular basis which is trying to use out of date credentials.

    What is "krbtgt"?  Is that the name of a service or system?

    Author Comment

    It's the Key Distribution Center service account. I've checked all services and tasks... That was my first thought. There isn't a single service running on OLD EXCHANGE SERVER / ANTI VIRUS SERVER that isn't using either the local system or network service account. And the only scheduled task is a daily backup that is not having issues. There are also no services on the server set to run as the domain admin, so that is why I'm having issues tracking it down...
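An added example to go with the author's check of services and scheduled tasks; it is not code from the thread or from any product mentioned in it. The PowerShell script below is meant to run on the suspected source host. It lists services and scheduled tasks that run under a named account and the credentials saved in Credential Manager, then, because a third-party application that keeps its own credential store shows up in none of those (a monitoring product polling every server was the eventual cause here, per the accepted solution below), it watches which process opens connections to the DC over one polling cycle. The DC's address in $DC and the watch window are placeholders; PowerShell 3.0 or later and local administrator rights are assumed. The DC's "Source Port" field is the client's local port, so the LocalPort column ties a specific failure event on the DC back to a PID on this host.

```powershell
# Added example (not from the thread). Run ON the suspected source host as a local
# administrator. Assumptions: $DC is the DC's IP (placeholder), PowerShell 3.0+.
param(
    [string]$DC = '10.0.0.10',   # placeholder: address of the DC that logs the failures
    [int]$WatchMinutes = 16      # long enough to catch one 15-minute cycle
)

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM')

'== Services not running as a built-in account =='
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Select-Object Name, StartName, State, PathName | Format-Table -AutoSize

'== Scheduled tasks and the account they run as =='
# /v /fo csv gives one row per task; the header row can repeat per task folder, so drop it.
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and ($builtin -notcontains $_.'Run As User') } |
    Select-Object TaskName, 'Run As User', 'Next Run Time', 'Task To Run' | Format-Table -AutoSize

'== Saved credentials visible to this logon session =='
cmdkey /list

# Neither list shows an application with its own credential store. Catch those by watching
# which process connects to the DC. The DC's "Source Port" is this host's local port, so a
# matching LocalPort ties one failure event on the DC to one PID here.
'== Processes connecting to {0} over the next {1} minutes ==' -f $DC, $WatchMinutes
$dcPort = @{ '88' = 'Kerberos'; '135' = 'RPC/WMI'; '389' = 'LDAP'; '445' = 'SMB'; '636' = 'LDAPS'; '3268' = 'GC' }
# netstat -ano line:  TCP  <local ip>:<local port>  <dc ip>:<dc port>  <state>  <pid>
$re   = '^\s*TCP\s+\S+:(\d+)\s+{0}:(\d+)\s+(\S+)\s+(\d+)\s*$' -f [regex]::Escape($DC)
$seen = @{}
$stop = (Get-Date).AddMinutes($WatchMinutes)
while ((Get-Date) -lt $stop) {
    foreach ($line in (netstat -ano)) {
        if ($line -match $re) {
            $key = "$($matches[4]):$($matches[1]):$($matches[2])"
            if (-not $seen.ContainsKey($key)) {
                # Resolve the PID immediately; short-lived pollers exit before the next sample.
                $p = Get-WmiObject Win32_Process -Filter "ProcessId = $($matches[4])"
                $seen[$key] = [pscustomobject]@{
                    When      = Get-Date
                    Pid       = [int]$matches[4]
                    Process   = if ($p) { $p.Name } else { '(exited)' }
                    Path      = if ($p) { $p.ExecutablePath }
                    LocalPort = [int]$matches[1]
                    DcPort    = [int]$matches[2]
                    Service   = $dcPort[$matches[2]]
                    State     = $matches[3]
                }
            }
        }
    }
    Start-Sleep -Seconds 2
}
$seen.Values | Sort-Object When | Format-Table When, Pid, Process, Path, LocalPort, DcPort, Service, State -AutoSize
```

Leave it running across at least one full 15-minute cycle. A process that appears once per cycle, connecting to the DC on 135 (WMI/RPC), 389 (LDAP) or 445 (SMB), and whose LocalPort matches the Source Port on a DC failure event, is the thing to uninstall or re-credential.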

    Accepted Solution

    It turns out this was OpManager that was causing the issue. This program hadn't been used in years but was still running on the old server and trying to get info about every server every 15 minutes. I uninstalled the program and all is good now. Thanks for the help.

    Author Closing Comment

    It worked
