RE: Security Log: Event ID 537 issue

Hi Mike,

Thank you for posting in SBS newsgroup.

According to your post, I understand that you get the Event ID 537 on SBS
server's security log.

Because the Windows XP computer tries to use Kerberos authentication before
using NTLM authentication, the computer tries to contact the SBS 2003
domain controller by using Kerberos. A logon type of 3 translates to
Network. Therefore, according to this information, I suspect that the
client is failing to authenticate to the domain controller because there is
a time difference (greater than 5 minutes) between the two computers. Thus,
the Kerberos authentication fails as it is unable to pass the time
verification.

So, please log into Windows XP client and double check to make sure that
the time, data, and year are the same to that on SBS 2003 domain
controller. Please notice that they may be in different time zone.
Otherwise, you can configure time service on the XP Professional to
synchronize time from the server. By default, the DC is the time server and
it has this service enabled. Refer to the following article.

314054 How to Configure an Authoritative Time Server in Windows XP
http://support.microsoft.com/?id=314054

In addition, I also suggest you to check if the Time service on SBS 2k3
server is disable. If it is disabled, please also refer to the following
information:

1. Go to the SBS 2003 server, check the time zone setting. Make sure the
time zone setting is correct.

2. Open ''Services'' console in ''Administrative Tools''. In the services
console, double-click ''Windows Time''. If the startup type is
''Disabled'', please change it to ''Automatic'' and then click ''Start''
button to start this service.

3. Start-->Run-->Type ''regedit'' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

In the right panel, double-click ''Type''. If the value data is ''NoSync'',
change it to ''Nt5DS''. Go to services console, restart the Windows Time
service.

4. After doing the above steps, reboot the client workstations [10.0.0.70]
and then try to logon the domain. If the problem still occurs, please open
a command prompt on the workstation, type ''w32tm /monitor
/computers:localhost'' (without the quotation marks) and press Enter.
What''s the output?

If you have any questions or concerns related to this issue, please let me
know.

I appreciate your time and look forward to hearing from you.


Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Mike Stem" <PSCCmdt@xxxxxxxx>
| Subject: Security Log: Event ID 537 issue
| Date: Mon, 9 May 2005 08:14:57 -0400
| | Newsgroups: microsoft.public.windows.server.sbs
| | I support a SBS2003 Standard network at my wife's office and it has
been
| operational since Thanksgiving 2004. With the support of this group I
have
| managed to learn quite a bit about SBS and we are excited about the
product.
| All was well until the last couple of days, when the morning status
report
| started speaking of numerous Security Violations. I went into the office
| and prowled through the Event Logs, here is a summary of the error which
is
| repeated over and over the past few days:
|
| Source: Security
| Category: Logon/Logoff
| Type: Failure Aud
| Event ID: 537
| Reason: An error occurred during logon
| Logon Type: 3
| Logon Process: Kerberos
| Status Code: 0x000006D
|
| Background: When I checked the IP Address listed in the Event Properties
it
| comes back to a Tablet PC that was just fired up last Thursday after not
| being used for five months. These Tablets connect wirelessly and were
| successful members of the Domain for months. Now that a software issue
has
| been addressed the doctors wish to bring them back online. I fired them
up
| and let them run for a couple of days, actually to test their updating
with
| Trend Micro CSM which is another issue I am working on! Ever since they
(2
| of them) were turned on these errors starting appearing in the Event Logs
| under the Security section. Just over the weekend this error appeared
more
| than fifty (50) times for these 2 Tablets.
|
| Can anybody point me in the right direction? Many thanks for this and
all
| of the help offered by this wonderful group of folks. :>)
|
| Mike Stem
| Cinti, OH
| SBS2003 Newbie
|
|
|
|

.