Security Event failures 680 and 529 - Server 2k3 and XP

From: ServerDude (gallagauge_at_gmail.com)
Date: 02/09/05

    Date: 9 Feb 2005 13:32:58 -0800
    
    

    Server 2003 and Windows XP SP2.
    When I am logged into a PC with a local XP user account I am getting
    hundreds of logon failures in my Server security log - Events 680 and
    529.
    The PC is part of the domain, but the local user is not.

    Events in detail:
    _________________________________________________________
    Date: 11/19/04
    Time: 11:48:19AM
    Type: Failure Aud
    User: NT AUTHORITY/SYSTEM
    Computer: (Domain Controller)
    Source: Security
    Category: Account Logon
    Event ID: 680
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: (Any local user account currently logged in)
    Source Workstation: (PC Name)
    Error Code: 0xC000006A
    _________________________________________________________
    Date: 11/19/04
    Time: 11:48:19AM
    Type: Failure Aud
    User: NT AUTHORITY/SYSTEM
    Computer: (Domain Controller)
    Source: Security
    Category: Logon/Logoff
    Event ID: 529
    Description:
    Reason: Unknown user name or bad password
            User Name: (Any local user account currently logged in)
            Domain: (PC Name)
            Logon Type: 3
            Logon Process: NtLmSsp
            Authentication Package: NTLM
            Workstation Name: (PC Name)
    _________________________________________________________

    There are groups of 48 Event failures recorded during the same second.
    This occurs randomly throughout the entire day.

    I have read some posts regarding possible attacks using generic
    usernames but that cannot be the case here. I can configure a fresh
    install using a completely unique username, add the PC to the domain,
    and in a little while there are 48 failures from this username in my
    server security log.
    Microsoft Article 811082 seems to be similar but this is using a
    different Logon Process and these occur while logged in - not during
    the logon or logoff action.

    I have read about issues with NTLM and 2000 mixed mode environments but
    I am running Server 2003.
    I am still running at the interim functional level because of some
    older PCs on the domain. I don't get errors from those older
    PCs, only from XP.

    Have you seen this?
    Any suggestions?

    Thanks.
    ServerDude
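
An added triage example, not part of the original post: it parses 529 records in the text layout quoted above and groups them by workstation and second, separating a burst that repeats one machine-local account (Domain equal to the PC name) from failures that span several account names. The function names, the `burst_size` threshold and the sample records are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# "Field: value" lines as they appear in the quoted event text.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

def parse_529(text):
    """Split an export on its underscore rulers; return one dict per 529 record."""
    records = []
    for chunk in re.split(r"_{10,}", text):
        rec = dict(FIELD.findall(chunk))
        if rec.get("Event ID") == "529":
            records.append(rec)
    return records

def summarize(records, burst_size=10):
    """Group failures by (workstation, date, second) and describe each group."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["Workstation Name"], r["Date"], r["Time"])].append(r)
    rows = []
    for (ws, date, time), recs in sorted(groups.items()):
        users = sorted({r["User Name"] for r in recs})
        # Domain equal to the workstation name means a machine-local account
        # name was presented, as in the 529 record quoted in the post.
        local = all(r["Domain"].lower() == ws.lower() for r in recs)
        if len(users) == 1 and local and len(recs) >= burst_size:
            pattern = "one local account, repeated"
        elif len(users) > 1:
            pattern = "several account names"
        else:
            pattern = "other"
        rows.append({"workstation": ws, "when": f"{date} {time}",
                     "count": len(recs), "users": users, "pattern": pattern})
    return rows

# Constructed sample: host and account names are made up.
def _rec(time, user, domain, ws):
    return (f"Date: 11/19/04\nTime: {time}\nEvent ID: 529\n"
            f"User Name: {user}\nDomain: {domain}\nLogon Type: 3\n"
            f"Logon Process: NtLmSsp\nWorkstation Name: {ws}\n")

RULER = "_" * 57 + "\n"
SAMPLE = RULER.join(
    [_rec("11:48:19AM", "jsmith", "XP-PC01", "XP-PC01")] * 48
    + [_rec("02:10:05PM", u, "CORP", "XP-PC07") for u in ("admin", "test", "guest")])

if __name__ == "__main__":
    for row in summarize(parse_529(SAMPLE)):
        print(row)
```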

