Solved

Bombarded with 45000+ event ID from the same computer ?

Posted on 2016-09-25
10
61 Views
Last Modified: 2016-09-26
Hi All,

I'm getting bombarded with the below same System Event ID:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          26/09/2016 9:53:23 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DCAPPIT03.MyDomain.com
Description:
A Kerberos error message was received:
 on logon session 
 Client Time: 
 Server Time: 11:44:25.0000 9/25/2016 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error: 
 Client Realm: 
 Client Name: 
 Server Realm: MyDomain.com
 Server Name: WS-WIN72230S$
 Target Name: 
 Error Text: 
 File: 3
 Line: 587
 Error Data is in record data.



This is from the System Event log in the past 2 days.

What does that mean?

The server getting bombarded is just the normal IT management server not domain controllers.
10 Comments
 

Assisted Solution

by:chris-ce
chris-ce earned 250 total points
ID: 41815317
This looks like an issue with a stored password.  If there is a user with a stored password and that password has been changed, it can generate this event.  It could also be that there is a system service that is allowed to logon using an account with a stored password that has been changed.

Check to see if any users' passwords have been changed and, if so, update the stored versions in the Windows Credential Manager.

Hope this helps.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41815318
OK, Stored password in which computer or server ?
0
 

Expert Comment

by:chris-ce
ID: 41815345
If you're getting the Event ID 3 on the server, try starting there. But, if a user attempted to change a password from a workstation, it might be useful to check that as well.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41815385
The request is coming from ws-WIN72230S, what does this system do? Check security event logs.
Double check whether the machine password changed.

Get the MS account lockout tool. Using eventmgmt that comes with that, you can collect/query security logs from systems.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41815512
Arnold,

ws-WIN72230S is the workstation of remote user.
0

 
LVL 76

Expert Comment

by:arnold
ID: 41817012
So you have the source of the request.
Check with the remote to see whether control keymgr.dll settings references/uses the wrong password.  
The amount of connections indicates something other than a remote connection, it seems closer to trying to access network resources/shares.
1
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41817165
OK, when I tried to RDP into the workstation, I got:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occured.
The Local Security Authority cannot be contacted

Remote computer: WS-WIN72230S
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.

[OK]


I was using DOMAIN\Administrator account to login to the computer.

Why is this happening ?
So far I can only use VNC to access this old Windows 7 computer that has never been patched or updated.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41817170
There is nothing on the Credential manager either:

Credentials Manager
This is the member of the Local Administrators group on the remote PC:
Local Administrators group
So how do I fix this issue if all of those users and security groups are seen as SIDs?
0
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
ID: 41817216
The issue might be that there is an issue with the AD connection. The machine password that the computer has is different from the one in the AD.
Re-add the workstation into the domain.
You can use netdom on the computer to rejoin the domain.
1
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41817230
Thanks !
It is resolved now after rejoining the domain.
0
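
Added example, not part of the original thread: a PowerShell triage helper that groups Kerberos Event ID 3 descriptions by target account and error code, so a flood like the one in the question can be traced to one machine account. The function name and the sample text are constructed for illustration; the field layout is taken from the event shown in the question.

```powershell
# Added example (hypothetical helper name). Parses the description text of
# Microsoft-Windows-Security-Kerberos Event ID 3 and counts events per
# "Server Name" / "Error Code" pair.
function Get-KerberosErrorSummary {
    param(
        [Parameter(Mandatory)][string[]]$Message   # one event description per element
    )
    $rows = foreach ($m in $Message) {
        # [ \t]* instead of \s* so an empty field does not swallow the next line
        $code = if ($m -match 'Error Code:[ \t]*(0x[0-9A-Fa-f]+)[ \t]+(\S+)') {
            "$($Matches[1]) $($Matches[2])"
        } else { 'unknown' }
        $server = if ($m -match '(?m)^\s*Server Name:[ \t]*(\S+)') {
            $Matches[1]
        } else { 'unknown' }
        [pscustomobject]@{ ServerName = $server; ErrorCode = $code }
    }
    $rows | Group-Object ServerName, ErrorCode |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample in the same layout as the event in the question
$sample = @'
A Kerberos error message was received:
 on logon session
 Client Time:
 Server Time: 11:44:25.0000 9/25/2016 Z
 Error Code: 0x29 KRB_AP_ERR_MODIFIED
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: MyDomain.com
 Server Name: WS-WIN72230S$
 Target Name:
'@
Get-KerberosErrorSummary -Message $sample

# Against the live log on the server that records the errors:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'
#     ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 3 }
# Get-KerberosErrorSummary -Message $events.Message

# On the workstation named in the summary, from an elevated prompt:
# Test-ComputerSecureChannel -Verbose   # False = machine password does not match AD
```

A single machine account (name ending in `$`) dominating the summary with `0x29 KRB_AP_ERR_MODIFIED` is consistent with the diagnosis in the accepted solution, a machine account password that no longer matches the one stored in AD.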
