Re: Critical Errors in Security Log
- From: "Barry McConomy" <smile@xxxxxxxxxx>
- Date: Tue, 14 Feb 2006 08:16:26 -0500
Hi Brandy
I have recently started to get a lot of "Critical Errors in Security Log"
(5,448), see below
Have you any advice regarding event ID 537?
Regards
Barry
My error message:-
Source: Security
Event ID: 537
Logon Failure:
Reason: An error occurred during logon
User Name: Roly
Domain: JFP
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port:
""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ftH0%23ygLGHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
Hello James,
Thank you for posting to the SBS Newsgroup.
I understand that you find Event ID 673 and 560 on your computer. If I
have
misunderstood your concern, please let me know.
James, it is very important for us to know what exact computer you found
these events, SBS Server or client workstation. I assume they are from the
SBS Server. Am I right?
Please take your time to read through my reply:
1> Event ID 673:
You may be seeing these logs about every 15 minutes on a Windows server
2003. Based my research, it appears that these events are related to
either the Kerberos ticket about to expire or the domain members not being
able to utilize constrained delegation and can be safely ignored.
If you have not got SBS 2K3 SP1 applied on your Server, then please apply
following hotfix and these are benign and are no longer logged with the
installation:
824905 Event ID 677 and event ID 673 audit failure messages are repeatedly
http://support.microsoft.com/?id=824905
More info on Event 673:
Kerberos Authentication Events Explained
http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
Windows Security Log Events by ID
http://www.ultimatewindowssecurity.com/events/com295.html
More info on Event 673 on Windows XP clients:
274176 Security Event for Associating Service Account Logon Events
http://support.microsoft.com/?id=274176
2> Event ID 560:
I am sorry but I am not sure what exact Event Type of this event ID is,
Failure Audit or Success Audit. Please see following web page:
http://www.eventid.net/display.asp?eventid=560
This response contains a reference to a third party World Wide Web site.
Microsoft can make no representation concerning the content of these
sites.
Microsoft is providing this information only as a convenience to you:
this is to inform you that Microsoft has not tested any software or
information found on these sites and therefore cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the
use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any
software
on the Internet.
3> In order to further analysis these issue, please help me to gather
following information:
a. I assume that Event ID 673 and 560 are from the same computer, am I
right? If yes, are they from client workstation or SBS Server?
b. On the computer which gives out the event IDs, run "eventvwr" (without
quotation marks), right click Security, select Save Log File As, please
save this log as .evt file and send it to me.
Please take your time to read through my information. If you have any
updates, please feel free to let me know. I am looking forward to hearing
from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check
the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
User-Agent: Microsoft-Entourage/11.2.1.051004to
Date: Thu, 09 Feb 2006 16:30:55 -0500
Subject: Critical Errors in Security Log
From: "James Shirey Jr." <inknpaper@xxxxxxxxxxx>
Message-ID: <C0111EBF.570%inknpaper@xxxxxxxxxxx>
Thread-Topic: Critical Errors in Security Log
Thread-Index: AcYtwBvMWkISFpmzEdq3KwADk5r9cA==
Mime-version: 1.0
Content-type: text/plain;
charset="ISO-8859-1"
Content-transfer-encoding: 8bit
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: 69.215.164.193
Lines: 1
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:243422
X-Tomcat-NG: microsoft.public.windows.server.sbs
Hello,
I have been getting Critical Errors in the security Log that I can't seem
get figured out. I have searched several sites that explain basic causesbut
no fix. The first error is an Event ID: 673 and Source being Security._
The error reads:
___________________________________________________________________________
Service Ticket Request:
User Name:
Mark@xxxxxxxx
User Domain:
XX.LOCAL
Service Name:
krbtgt/XX.LOCAL
Service ID:
-
Ticket Options:
0x2
Ticket Encryption Type:
-
Client Address:
192.168.xx.xx
Failure Code:
0x20
Logon GUID:
-
Transited Services:
-
_________________________________________________________________________
The second error is an Event ID:560 with the Source being Security
The error reads:
_________________________________________________________________________
Object Open:
Object Server:
Security
Object Type:
File
Object Name:
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.new
Handle ID:
-
Operation ID:
{0,1253008035}
Process ID:
9320
Image File Name:
C:\WINNT\system32\inetsrv\w3wp.exe
Primary User Name:
NETWORK SERVICE
Primary Domain:
NT AUTHORITY
Primary Logon ID:
(0x0,0x3E4)
Client User Name:
-
Client Domain:
-
Client Logon ID:
-
Accesses:
READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges:
-
Restricted Sid Count:
0
Access Mask:
0x12019F
________________________________________________________
If anyone has any suggestions I would be very grateful,
Confused in SBS land,
James Shirey
.
- Follow-Ups:
- Re: Critical Errors in Security Log
- From: "Brandy Nee [MSFT]"
- Re: Critical Errors in Security Log
- References:
- Critical Errors in Security Log
- From: James Shirey Jr.
- RE: Critical Errors in Security Log
- From: "Brandy Nee [MSFT]"
- Critical Errors in Security Log
- Prev by Date: Re: DHCP through ISA VPN
- Next by Date: RE: Strage behavior when attempting to join
- Previous by thread: RE: Critical Errors in Security Log
- Next by thread: Re: Critical Errors in Security Log
- Index(es):
Relevant Pages
|
