Event ID 680 - 529 in Server Security Log

From: ServerDude (ServerDude_at_discussions.microsoft.com)
Date: 11/19/04


Date: Fri, 19 Nov 2004 12:29:05 -0800

Server 2003 and Windows XP SP2.
When I am logged into a PC with a local XP user account I am getting
hundreds of logon failures in my Server security log - Events 680 and 529.
The PC is part of the domain, but the local user is not.

Events in detail:
_________________________________________________________
Date: 11/19/04
Time: 11:48:19AM
Type: Failure Aud
User: NT AUTHORITY/SYSTEM
Computer: (Domain Controller)
Source: Security
Category: Account Logon
Event ID: 680
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: (Any local user account currently logged in)
Source Workstation: (PC Name)
Error Code: 0xC000006A
_________________________________________________________
Date: 11/19/04
Time: 11:48:19AM
Type: Failure Aud
User: NT AUTHORITY/SYSTEM
Computer: (Domain Controller)
Source: Security
Category: Logon/Logoff
Event ID: 529
Description:
Reason: Unknown user name or bad password
        User Name: (Any local user account currently logged in)
        Domain: (PC Name)
        Logon Type: 3
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Workstation Name: (PC Name)
_________________________________________________________

There are groups of 48 Event failures recorded during the same second. This
occurs randomly throughout the entire day.

I have read some posts regarding possible attacks using generic usernames
but that cannot be the case here. I can configure a fresh install using a
completely unique username, add the PC to the domain, and in a little while
there are 48 failures from this username in my server security log.
Microsoft Article 811082 seems to be similar but this is using a different
Logon Process and these occur while logged in – not during the logon or
logoff action.

I have read about issues with NTLM and 2000 mixed mode environments but I am
running Server 2003.
I am still running at the interim functional level because of some older
PCs on the domain. I don’t get errors from those older PCs, only from XP
local users.

Have you seen this?
Any suggestions?

Thanks.
ServerDude
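
One way to triage the pattern described in the post (an added example, not part of the original post): it parses text-exported records in the layout shown above, groups failures by second, workstation and account, and marks groups where the Domain field equals the workstation name. The function names, the threshold of 10, the second NTSTATUS entry and the `WKS01`/`localtest`/`jsmith` values are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict

# NTSTATUS codes seen in the "Error Code" field of event 680
NTSTATUS = {"0xC000006A": "STATUS_WRONG_PASSWORD", "0xC0000064": "STATUS_NO_SUCH_USER"}

def parse_records(text):
    """Split exported text on the underscore rules; read 'Key: value' lines."""
    records = []
    for chunk in re.split(r"^_{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            records.append(fields)
    return records

def summarize_bursts(records, threshold=10):
    """Report (second, workstation, account) groups with >= threshold failures."""
    groups = defaultdict(list)
    for r in records:
        ws = r.get("Source Workstation") or r.get("Workstation Name") or "?"
        user = r.get("Logon account") or r.get("User Name") or "?"
        groups[(r.get("Date"), r.get("Time"), ws, user)].append(r)
    findings = []
    for (date, time, ws, user), recs in groups.items():
        if len(recs) < threshold:
            continue
        codes = {r["Error Code"] for r in recs if "Error Code" in r}
        findings.append({
            "when": f"{date} {time}", "workstation": ws, "account": user,
            "count": len(recs),
            "status": sorted(NTSTATUS.get(c, c) for c in codes),
            # Domain equal to the workstation name: account is local to that PC
            "local_account": any(r.get("Domain", "").lower() == ws.lower() for r in recs),
            # Logon Type 3 over NTLM: network logon, not an interactive one
            "network_ntlm": any(r.get("Logon Type") == "3" and
                                r.get("Authentication Package") == "NTLM" for r in recs),
        })
    return findings

# Constructed sample: 24 pairs of 680/529 (48 events) in one second, plus one stray failure
RULE = "_" * 57 + "\n"
E680 = "Date: 11/19/04\nTime: 11:48:19AM\nEvent ID: 680\nLogon account: localtest\nSource Workstation: WKS01\nError Code: 0xC000006A\n"
E529 = "Date: 11/19/04\nTime: 11:48:19AM\nEvent ID: 529\nUser Name: localtest\nDomain: WKS01\nLogon Type: 3\nAuthentication Package: NTLM\nWorkstation Name: WKS01\n"
STRAY = "Date: 11/19/04\nTime: 09:02:11AM\nEvent ID: 529\nUser Name: jsmith\nDomain: CORP\nLogon Type: 2\nWorkstation Name: WKS07\n"
SAMPLE = (E680 + RULE + E529 + RULE) * 24 + STRAY
```

A same-second group this size from one workstation and one account, with `local_account` and `network_ntlm` both true, matches what the post reports: repeated NTLM network logons presenting a local account's credentials, as opposed to guesses spread across many usernames.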


