Re: Daily Server Report (Critical Errors, Event ID: 537)


I) It happens on a Workstation
II) A specific computer.
III) Yes, all working well to the best of my knowledge.

I will carry our items 1 to 3 next Monday (February 27th) and report back.


""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
Hello Barry,

Thank you for posting to the SBS Newsgroup.

I understand that you find there are plenty of Event IDs 537 with a
substatus code of 0xC00002EE on your machine. If I have misunderstood your
concern, please let me know.

The status code 0xC00002EE translates to STATUS_FINISHED_CONTEST_DELETED.
It means that a security context was deleted before the context was
completed. Also, Logon type of 3 is a network logon, this is considered a
logon failure. I need to gather some detailed information, please see:

I) Does this issue happen on client workstation or server?
II) Does this issue happen on some specific computers or all of them?
III) Does your server and all clients' workstation work well now? Can you
access the Internet, receive/send emails, etc? Is there any performance
issue in your Network?

Based on my experience, there are various factors can cause this issue,
please see:

1. I suggest you that perform a scanning for virus and spyware/adware on
your computers. You can download spybot to scan for spyware/adware:

2. There are maybe some hackers from the internet trying to guess your
users' passwords. So I suggest you that configure your network more
securely. You can refer to the following document to secure your Network:

This document helps you to more securely configure your Microsoft Windows
Small Business Server 2003 network. Completing the tasks in this document
helps you protect the availability, integrity, and confidentiality of your

Securing Your Windows Small Business Server 2003 Network

3. Third party software. Some third party software installed on the client
workstations may try to log on or log off server by using incorrect
because it does not support the Kerberos authentication. I suggest that
perform a clean boot on the machine which gives our Event ID 537 to see
whether the issue occur:

a. Click Start->Run, type "MSCONFIG" (without the quotation marks) and
click OK.

b. In the System Configuration Utility (MSConfig) window, click the
"Startup" tab.

c. Click to clear all the check marks from the list box under "Startup".

d. Click the Services tab, check the "Hide all Microsoft Services" box and
then click the "Disable All" button to disable the non-Microsoft services.

e. Click OK to close the MSConfig window. Click Yes when you are asked to
restart your computer in order to enable the changes.

f. After restarting, please check whether this issue still exists.

For your reference:

817310 Cannot Log On to a Heavily Loaded Exchange Server 2003 Computer by
Using Outlook Mobile Access

Audit logon events

Auditing User Authentication

Account Passwords and Policies

Please take your time to read through my suggestions. If you have any
updates, please feel free to let me know. I am looking forward to hearing
from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! -
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:

When opening a new thread via the web interface, we recommend you check
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
This posting is provided "AS IS" with no warranties, and confers no

From: "Barry McConomy" <smile@xxxxxxxxxx>
Subject: Daily Server Report (Critical Errors, Event ID: 537)
Date: Wed, 15 Feb 2006 08:16:07 -0500
Organization: Posted via Supernews,
Message-ID: <11v6a9im8vf3l76@xxxxxxxxxxxxxxxxxx>
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Complaints-To: abuse@xxxxxxxxxxxxx
Lines: 34
Xref: TK2MSFTNGXA01.phx.gbl


Daily Server Report

I have recently started to get a lot of "Critical Errors in Security Log"
(5,448), see below.

Can anybody advise/help?


Source: Security
Event ID: 537
Logon Failure:
Reason: An error occurred during logon
User Name: ***
Domain: ***
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: