How to troubleshoot failed login attempts on an MS Server

alan-blair asked:
I have a client who gets a lot of reported failed login attempts with no user name on their server. Is there any way I can track which PC or service these attempts come from?

Server: SBS 2003

Report example, (23 events for this day):
------------------------------
Reason:      An error occurred during logon
User Name:       
Domain:       
Logon Type:      3
Logon Process:      Kerberos
Authentication Package:      Kerberos
Workstation Name:      -
Status code:      0xC000006D
Substatus code:      0xC0000133
Caller User Name:      -
Caller Domain:      -
Caller Logon ID:      -
Caller Process ID:      -
Transited Services:      -
Source Network Address:      192.168.0.62
Source Port:      3789
-------------------------------------

Sr. Network / Systems Admin
CERTIFIED EXPERT
Commented:
There should be other corresponding events around this, but just from this, you know it's a network login (type 3), from the IP 192.168.0.62.

Status code:      0xC000006D means bad password or authentication info, and
Substatus code:      0xC000013, which means “The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount.”

First thing I'd check is that the computer at this IP has the correct time set.
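
Added example, not part of the original thread: a Python parser for the report format shown in the question that maps each substatus code to its NTSTATUS name and tallies failures per source address, so clock-skew failures can be told apart from bad-password attempts. The sample text is constructed (the first event reuses the question's values, the second is made up), and the function names are hypothetical.

```python
import re
from collections import Counter

# Subset of NTSTATUS values seen in failed-logon events.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}

# Constructed sample: first event uses the question's values, second is made up.
SAMPLE_REPORT = """\
------------------------------
User Name:
Status code:      0xC000006D
Substatus code:      0xC0000133
Source Network Address:      192.168.0.62
------------------------------
User Name:      jdoe
Status code:      0xC000006D
Substatus code:      0xC000006A
Source Network Address:      192.168.0.75
------------------------------
"""

def parse_events(report):
    """Split on dashed separator lines; return one field dict per event."""
    events = []
    for block in re.split(r"^-{5,}[ \t]*$", report, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def describe(code_text):
    """Map a hex status string to its NTSTATUS name; echo unknown values."""
    try:
        return NTSTATUS.get(int(code_text, 16), f"unknown ({code_text})")
    except ValueError:
        return f"unparseable ({code_text!r})"

def summarize(report):
    """Count failures per (source address, substatus meaning)."""
    return Counter((e.get("Source Network Address", "?"),
                    describe(e.get("Substatus code", ""))) for e in parse_events(report))
```

Calling `summarize()` on a day's report text returns a counter keyed by source address and cause; a source that only ever shows STATUS_TIME_DIFFERENCE_AT_DC points at a clock problem on that machine rather than a credential problem.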

Author

Commented:
Thanks for that,

Well, I should have seen that shouldn't I... Too quick to post a question without looking at the detail.

Thanks,
Alan Blair.

Author

Commented:
mugojava pointed out the obvious. I guess I was staring at the screen too long to see what was in front of me.

Kent W
Sr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Been there, done that!  Kinda gettin' the stares today... :)  glad I could help.
