Solved

Failed NtLmSsp Logon Processes

Posted on 2013-05-22
4
2,773 Views
Last Modified: 2013-07-29
We have a very odd failed NtLmSsp login issue. Everyday at 11:35 PM EDT we get an alert generated in LabTech.

These failed logins are generated by only three machines. A Server 2008, a Win 7 machine, and a Win XP machine. The Win 7 and Win XP machines are both NOT joined to the domain. The Server 2008 is joined to the domain.

The events all happen at 11:35AM or 11:35PM. They happen on different servers at the same time by the same machine and sometimes happen at the same time on different servers by one of each machine. Sometimes we'll go for 2-3 days without getting one of these events. Sometimes only one machine will generate the event.

We're completely stumped by this. Can anyone help or does anyone have any ideas what could be causing this? We have looked in task scheduler for clues, but nothing so far. Also have tried procmon at 11:30pm to log any traffic, but didn't see anything and no event had been created on that night.


Event for Server 2008 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: arrcnetadmin

Domain: BDRCW0003675

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: BDRCW0003675

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.210

Source Port: 61353
result Security.:856


Event for Win 7 machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: volunteers

Domain: W7-VOLUNTE

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: W7-VOLUNTE

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.195

Source Port: 0
result Security.


Event for Win XP machine:
EV - Failed Logins* FAILED on MRM at NY for Logon Failure:

Reason: Unknown user name or bad password

User Name: pos

Domain: POS

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: POS

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 192.168.5.240

Source Port: 0
result Security.
0
Comment
Question by:btny
  • 3
4 Comments
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 39189777
Sounds like a backup script with old credentials
0
 

Author Comment

by:btny
ID: 39207829
That  sounds plausible, but all of the login requests aren't coming from our backup appliance. The requests are coming from the backup appliance, a win 2003 server, and an xp machine. XP machine isn't even joined to the domain.
0
 

Author Comment

by:btny
ID: 39317494
We are still investigating where this came from
0
 

Author Closing Comment

by:btny
ID: 39364172
It's possible, but we're pursuing this further with our backup service.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ensuring effective and secure communication in the age of healthcare BYOD.
On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question