We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


Failure Audit for Logon Process Advapi

Medium Priority
Last Modified: 2012-06-27
I have a mixed Server 2003 and Server 2008 environment across 4 offices. Every 15 minutes on my main domain controller (Server 2003) I am getting a Failure Audit, eventID 529, that reads something like this (words in capitals have been changed to generic):

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      DOMAIN ADMIN
       Domain:            DOMAIN
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      2003 DOMAIN CONTROLLER
       Caller User Name:      2003 DOMAIN CONTROLLER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      572
       Transited Services:      -
       Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
       Source Port:      4063 - PORT ALWAYS CHANGES

I also see this error on the other domain controllers (all 2008 machines), though not nearly as often, maybe once a day. However, they read a little different. Something like this:

An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            2008 DOMAIN CONTROLLER$
      Account Domain:            DOMAIN
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            DOMAIN ADMIN
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x298
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      2008 DOMAIN CONTROLLER
      Source Network Address:      OLD EXCHANGE SERVER / ANTI VIRUS SERVER
      Source Port:            4110

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

The source is IP is always the OLD EXCHANGE SERVER / ANTI VIRUS SERVER (but the workstation name is always the DC). All exchange services on that box are disabled and no longer in use including SMTP. The anti virus processes are all using the local service account. I've looked through all the services on the OLD EXCHANGE SERVER / ANTI VIRUS SERVER and none are using the DOMAIN ADMIN account.

Any idea what could be causing these errors? The OLD EXCHANGE SERVER / ANTI VIRUS SERVER is in the same office as the 2003 DOMAIN CONTROLLER and that is the only server it gets logged every 15 minutes on the dot. I've searched Google for these errors but nothing really seems to apply to my situation. No services seem to be causing it, the IIS settings look correct, and I'm running out of things to look for. Any help would be appreciated. Thanks.
Watch Question

Spike99On-Site IT Technician

I would check the Security Event log on the old exchange server.

Recently, we found a similar series of errors when a user was having issues with getting locked out a lot.  I found those events on one of our domain controllers, but our messages mentioned our production exchange server.  When I checked for a similar error on the exchange server at the same time stamp, I found a series of "failure audit" and "success audit" messages that gave me the name of the system from which the bad password attempt was originating.

In another case, it only gave me the IP address, but using that information we were able to figure that the user had configured an Outlook profile on that PC before he had changed his password.  It wasn't a computer he used anymore, so his account was getting locked out every time Outlook tried to connet using that other PC because it had a bad password.  The local IT staff resolved the problem by removing his Outlook profile from that PC.

I hope this helps.



Thanks for the reply... Unfortunantly that doesn't seem to be my situation. I have looked at the logs on the old Exchange server and nothing seems to match up. In addition all Exchange services on the server are no longer running. Exchange has been moved to a hosted solution... This server is basically just an anti virus server at this point. Thanks.


I turned on some more auditing and found another error to go along with the first, this happens every 15 minutes as well. There are about 20 of these logged at once every 15 minutes. They go something like this (Event ID 675)

Pre-authentication failed:
       User Name:      DOMAIN ADMIN
       User ID:            DOMAIN\DOMAIN ADMIN
       Service Name:      krbtgt/DOMAIN
       Pre-Authentication Type:      0x2
       Failure Code:      0x18

Does that help?

Spike99On-Site IT Technician

It must be a service or a scheduled task that's running on a regular basis which is trying to use out of date credentials.

What is "krbtgt"?  Is that the name of a service or system?


It's the Key distribution service center account. I've checked all services and tasks... That was my first thought. There isn't a single service running on OLD EXCHANGE SERVER / ANTI VIRUS SERVER that isn't using either the local system or network service account. And the only scheduled task is a daily backup that is not have issues. There also are no services on the sever set to run as the domain admin, so that is why I'm having issues tracking it down...


Unlock this solution with a free trial preview.
(No credit card required)
Get Preview


It worked
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.