Solved

Bombarded with 45000+ event IDs from the same computer?

Posted on 2016-09-25
Last Modified: 2016-09-26
Hi All,

I'm getting bombarded with the same System Event ID, shown below:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          26/09/2016 9:53:23 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCAPPIT03.MyDomain.com
Description:
A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 11:44:25.0000 9/25/2016 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: MyDomain.com
 Server Name: WS-WIN72230S$
 Target Name: 
 Error Text: 
 File: 3
 Line: 587
 Error Data is in record data.


This is from the System Event log in the past 2 days.

What does that mean?

The server getting bombarded is just the normal IT management server, not a domain controller.

Assisted Solution

by:Chris Collins
Chris Collins earned 1000 total points
ID: 41815317
This looks like an issue with a stored password. If there is a user with a stored password and that password has been changed, it can generate this event. It could also be that there is a system service that is allowed to log on using an account with a stored password that has been changed.

Check to see if any users' passwords have been changed and, if so, update the stored versions in the Windows Credential Manager.

Hope this helps.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41815318
OK, stored password on which computer or server?
0
 

Expert Comment

by:Chris Collins
ID: 41815345
If you're getting the Event ID 3 on the server, try starting there. But, if a user attempted to change a password from a workstation, it might be useful to check that as well.
0

 
LVL 81

Expert Comment

by:arnold
ID: 41815385
The request is coming from ws-WIN72230S. What does this system do? Check the security event logs.
Double check whether the machine password changed.

Get the MS account lockout tool. Using eventmgmt that comes with that, you can collect/query security logs from systems.
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41815512
Arnold,

ws-WIN72230S is the workstation of a remote user.
0
 
LVL 81

Expert Comment

by:arnold
ID: 41817012
So you have the source of the request.
Check with the remote to see whether the control keymgr.dll settings reference/use the wrong password.
The number of connections indicates something other than a remote connection; it seems closer to trying to access network resources/shares.
1
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41817165
OK, when I tried to RDP into the workstation, I got:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occured.
The Local Security Authority cannot be contacted

Remote computer: WS-WIN72230S
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.

[OK]

I was using the DOMAIN\Administrator account to log in to the computer.

Why is this happening?
So far I can only use VNC to access this old Windows 7 computer that has never been patched or updated.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41817170
There is nothing on the Credential manager either:

Credentials Manager
This is the member of the Local Administrators group on the remote PC:
Local Administrators group
So how do I fix this issue if all of those users and security groups are seen as SIDs?
0
 
LVL 81

Accepted Solution

by:
arnold earned 1000 total points
ID: 41817216
The issue might be that there is an issue with the AD connection. The machine password that the computer has is different from the one in the AD.
Re-add the workstation into the domain.
You can use netdom on the computer to rejoin the domain.
1
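
The triage followed in this thread, as an added PowerShell example (not code from any poster): it counts KRB_AP_ERR_MODIFIED (0x29) events per Server Name, so the machine account whose password no longer matches AD stands out. The helper name Get-KrbModifiedSummary, the WS-EXAMPLE names and the sample messages are constructed for illustration.

```powershell
# Added example: count Kerberos Event ID 3 errors with code 0x29 per Server Name.
# Get-KrbModifiedSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-KrbModifiedSummary {
    param([string[]]$Message = @())   # event description texts

    $Message |
        Where-Object { $_ -match 'Error Code:\s*0x29\b' } |
        ForEach-Object {
            # The description is multi-line; (?m) lets ^ match at each line start.
            if ($_ -match '(?m)^\s*Server Name:\s*(\S+)') { $Matches[1].ToUpperInvariant() }
            else { '(no server name)' }
        } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, @{ Name = 'ServerName'; Expression = { $_.Name } }
}

# Constructed sample messages in the layout of the event quoted in the question.
$sample = @(
    (' Error Code: 0x29 KRB_AP_ERR_MODIFIED', ' Server Name: WS-WIN72230S$') -join "`n"
    (' Error Code: 0x29 KRB_AP_ERR_MODIFIED', ' Server Name: ws-win72230s$') -join "`n"
    (' Error Code: 0x29 KRB_AP_ERR_MODIFIED', ' Server Name: WS-EXAMPLE01$') -join "`n"
    (' Error Code: 0x25 KRB_AP_ERR_SKEW',     ' Server Name: WS-EXAMPLE02$') -join "`n"
)
Get-KrbModifiedSummary -Message $sample

# Live use on the server that logs the errors (System log, last 2 days).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 3
    StartTime    = (Get-Date).AddDays(-2)
}
$messages = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Message })
Get-KrbModifiedSummary -Message $messages

# On the workstation the summary points to, from an elevated prompt, the built-in
# cmdlet below returns $false when the secure channel to the domain is broken,
# which is what a machine password mismatch causes:
# Test-ComputerSecureChannel -Verbose
```
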
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 41817230
Thanks!
It is resolved now after rejoining the domain.
0

Question has a verified solution.