MSAlways Posted March 28, 2009 Share Posted March 28, 2009 Hello,When I looked at the 2003 Server's Security Event Log, I saw loads of Event IDs 529 and 680, and the occasional 560. All of these are happening at times when the server is supposed to be inactive (ie early morning hours when I don't expect anyone to be accessing the server).After some searching on the Internet, looks like they were related to a previous Windows bug which should have been fixed with the latest updates we've applied already. However, it's still showing up and I'm not quite sure what to make out of it...... Any ideas?This apparently is causing some Kerberos authentication issues with my SQL Server Reporting Services website running on the server, resulting in either slow authentication or failure to authenticate. Previously this has been worked around by forcing the server to only work with NTLM. When we reverted it back to the default setting (ie to use Kerberos first if available), it worked fine for about a week or so until now. If anyone has any ideas, can you please shed some light? Thanks.Event ID 680Event Type: Failure AuditEvent Source: SecurityEvent Category: Account Logon Event ID: 680Date: 3/27/2009Time: 10:32:40 AMUser: NT AUTHORITY\SYSTEMComputer: host00032Description:Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ###ISS### Source Workstation: GVMHKHKGR4SC01 Error Code: 0xC0000064Event ID 529Event Type: Failure AuditEvent Source: SecurityEvent Category: Logon/Logoff Event ID: 529Date: 3/27/2009Time: 10:32:40 AMUser: NT AUTHORITY\SYSTEMComputer: host00032Description:Logon Failure: Reason: Unknown user name or bad password User Name: ###ISS### Domain: ##ISS## Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: GVMHKHKGR4SC01 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 172.28.167.32 Source Port: 0Event ID 560Event Type: Failure AuditEvent Source: SecurityEvent Category: Object Access Event ID: 560Date: 3/27/2009Time: 10:32:40 AMUser: NT AUTHORITY\ANONYMOUS LOGONComputer: host00032Description:Object Open: Object Server: Security Account Manager Object Type: SAM_SERVER Object Name: SAM Handle ID: - Operation ID: {0,55968296} Process ID: 424 Image File Name: C:\WINNT\system32\lsass.exe Primary User Name: host00032$ Primary Domain: APAC Primary Logon ID: (0x0,0x3E7) Client User Name: ANONYMOUS LOGON Client Domain: NT AUTHORITY Client Logon ID: (0x0,0x356020E) Accesses: EnumerateDomains LookupDomain Privileges: - Restricted Sid Count: 0 Access Mask: 0x30 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now