Solved

On a Windows XP PC seeing Security Event 529 logon failures along with cooresponding "122 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" Wireshark packets

Posted on 2011-09-30
1
892 Views
Last Modified: 2012-05-12
Seeing spurts of Event ID 529 logon failures on a workstation at a remote office. An example of one of the events is included below. We will see the better part of several hundred per day and the time ranges vary when they appear. The username on a large number of these events show "administrator" or "admin" and other times show random user names. This has all the appearances of a dictionary attack and we originally found this via an audit of our Domain Controller security logs. The computer name listed on the event ID's always indicate the local computer name.

We have run various anti-virus and anti-spyware applications on the workstation but all have come up clean.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            9/30/2011
Time:            8:44:43 AM
User:            NT AUTHORITY\SYSTEM
Computer:      "WORKSTATION NAME"
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      david
       Domain:            "DOMAIN NAME"
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      "WORKSTATION NAME"

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Installed Wireshark and have matched up activity from the captured packet dumps to the event ID failures
0
Comment
Question by:haloexpertsexchange
1 Comment
 
LVL 10

Accepted Solution

by:
yasserd earned 500 total points
ID: 36898766
The login attemps are from a remote machine. That's what logon "type 10" means. The workstation name could mean the workstaion where the event occured. So, you need to investigate.

http://www.windowsecurity.com/articles/Logon-Types.html

http://technet.microsoft.com/en-us/library/cc765981(WS.10).aspx
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Utilities to reset local Win 10 passwords 13 121
How to implement SSO? 22 80
Thin secure Windows 10 5 75
SQL management studio fails to connect after Triple DES cipher disabled. 6 66
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now