Bombarded with 45000+ event IDs from the same computer?

Hi All,

I'm getting bombarded with the below same System Event ID:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          26/09/2016 9:53:23 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCAPPIT03.MyDomain.com
Description:
A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 11:44:25.0000 9/25/2016 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: MyDomain.com
 Server Name: WS-WIN72230S$
 Target Name: 
 Error Text: 
 File: 3
 Line: 587
 Error Data is in record data.



This is from the System Event log in the past 2 days.

What does that mean?

The server getting bombarded is just a normal IT management server, not a domain controller.
Senior IT System Engineer (IT Professional) Asked:
 
arnold Commented:
The issue might be that there is an issue with the AD connection. The machine password that the computer has is different from the one in the AD.
Re-add the workstation into the domain.
You can use netdom on the computer to rejoin the domain.
1
 
Chris Collins (Owner) Commented:
This looks like an issue with a stored password.  If there is a user with a stored password and that password has been changed, it can generate this event.  It could also be that there is a system service that is allowed to logon using an account with a stored password that has been changed.

Check to see if any users' passwords have been changed and, if so, update the stored versions in the Windows Credential Manager.

Hope this helps.
0
 
Senior IT System Engineer (IT Professional, Author) Commented:
OK, stored password on which computer or server?
0
 
Chris Collins (Owner) Commented:
If you're getting the Event ID 3 on the server, try starting there. But, if a user attempted to change a password from a workstation, it might be useful to check that as well.
0
 
arnold Commented:
The request is coming from ws-WIN72230S, what does this system do? Check security event logs.
Double check whether the machine password changed.

Get the MS account lockout tool. Using eventmgmt that comes with that, you can collect/query security logs from systems.
1
 
Senior IT System Engineer (IT Professional, Author) Commented:
Arnold,

ws-WIN72230S is the workstation of a remote user.
0
 
arnold Commented:
So you have the source of the request.
Check with the remote to see whether the control keymgr.dll settings reference/use the wrong password.
The amount of connections indicates something other than a remote connection; it seems closer to trying to access network resources/shares.
1
 
Senior IT System Engineer (IT Professional, Author) Commented:
OK, when I tried to RDP into the workstation, I got:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occured.
The Local Security Authority cannot be contacted

Remote computer: WS-WIN72230S
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.

[OK]

I was using the DOMAIN\Administrator account to log in to the computer.

Why is this happening?
So far I can only use VNC to access this old Windows 7 computer that has never been patched or updated.
0
 
Senior IT System Engineer (IT Professional, Author) Commented:
There is nothing in the Credential Manager either:

[Screenshot: Credentials Manager]
These are the members of the Local Administrators group on the remote PC:
[Screenshot: Local Administrators group]
So how do I fix this issue if all of those users and security groups are seen as SIDs?
0
 
Senior IT System Engineer (IT Professional, Author) Commented:
Thanks!
It is resolved now after rejoining the domain.
0
Question has a verified solution.
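
The triage described in this thread, as an added example that is not part of any post above: it groups Kerberos Event ID 3 records by error code and Server Name so the machine account behind the flood stands out. The function name `Get-KerberosErrorSummary` is hypothetical, and the sample messages are constructed from the fields shown in the question.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
function Get-KerberosErrorSummary {
    param([Parameter(Mandatory)][string[]]$Message)
    $rows = foreach ($m in $Message) {
        # [ \t]* keeps an empty field from swallowing the next line's label.
        $code = if ($m -match 'Error Code:[ \t]*(0x[0-9A-Fa-f]+)[ \t]+(\S+)') {
            "$($Matches[1]) $($Matches[2])"
        } else { 'unknown' }
        $server = if ($m -match 'Server Name:[ \t]*(\S+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ ErrorCode = $code; ServerName = $server }
    }
    $rows | Group-Object ErrorCode, ServerName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample messages, modelled on the event in the question.
$mismatch = @'
A Kerberos error message was received:
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Server Realm: MyDomain.com
 Server Name: WS-WIN72230S$
 Target Name:
'@
$emptyName = @'
A Kerberos error message was received:
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Server Name:
 Target Name:
'@
Get-KerberosErrorSummary -Message @($mismatch, $mismatch, $emptyName)

# Live use on the server that logs the errors (last 2 days of the System log):
# $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'
#              Id = 3; StartTime = (Get-Date).AddDays(-2) }
# $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
# if ($events) { Get-KerberosErrorSummary -Message $events.Message }

# On the workstation named in Server Name, check the machine account's
# secure channel to the domain; False points to a machine password mismatch:
# Test-ComputerSecureChannel -Verbose
```

A single Server Name dominating the 0x29 KRB_AP_ERR_MODIFIED count points at that computer's machine account, which matches the fix reported in the thread (rejoining the workstation to the domain).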
