RE: Login Failures



Hi Brandon,

Thanks for posting here.

From your post, my understanding of this issue is: you get many success and
failure audit logs in the security event log. The failure logs are all Kerberos
537 errors. The success logs contain assigning special privileges (576) and
authentication package (680). If I am off base, please feel free to let me
know.

Actually, by default, you can find the following audit settings in Windows
SBS 2003:

- Audit account logon events (Success)
- Audit account management (Success)
- Audit logon events (Success/Failure)
- Audit policy change (Success)
- Audit system events (Success)

For more information, please refer to the following technology web link:

Auditing Security Events Concepts
http://technet2.microsoft.com/WindowsServer/f/?en/Library/4de972ea-50f9-492a-aacf-c0b7d0b8e0961033.mspx

Therefore, the system will audit the above events in the security event log.

For the Kerberos 537 errors, based on my research, since the Windows
XP/2000 computer tries to use Kerberos authentication before using NTLM
authentication, the computer tries to contact the SBS 2003 domain
controller by using Kerberos. Checking the event, a logon type of 3
translates to Network. The status code 0xC000006D translates to
STATUS_LOGON_FAILURE. The substatus code 0xc0000133 translates to
STATUS_TIME_DIFFERENCE_AT_DC. Therefore, according to this information, I
suspect that the client is failing to authenticate to the domain controller
because there is a time difference between the workstation and the server.
Thus, the Kerberos authentication fails as it is unable to pass the time
verification.

So, please perform the following steps on your SBS 2003 server to solve
this issue:

1. Check the time zone setting. Make sure the time zone setting is correct.

2. Make sure the Windows Time Service's startup is set as 'Automatic'.

3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

In the right panel, double-click 'Type'. If the value data is 'NoSync',
change it to 'Nt5DS'. Go to the Services console and restart the Windows Time
service.

I hope the above information helps.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
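
The decoding described in the reply above (logon type 3, status 0xC000006D, substatus 0xC0000133), as an added example that is not part of the original post: a small Python triage over 537 records exported as text, so clock-skew failures can be separated from other logon errors. The sample records are constructed, the "Name: value" field layout of the export is an assumption, and the function names are hypothetical.

```python
import re

# NTSTATUS names; the first two are the codes quoted in the post.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample records, not taken from the thread. The field layout
# is an assumption about how the event description was exported to text.
_537 = ("Event ID: 537\nLogon Failure:\n  Reason: An error occurred during logon\n"
        "  Logon Type: 3\n  Authentication Package: Kerberos\n"
        "  Status code: 0xC000006D\n  Substatus code: {sub}\n")
SAMPLE_EVENTS = [
    _537.format(sub="0xC0000133"),
    _537.format(sub="0xC000005E"),
    "Event ID: 576\nSpecial privileges assigned to new logon:\n  User Name: admin\n",
]

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

def parse_event(text):
    """Turn 'Name: value' lines into a dict keyed by lower-cased field name."""
    return {k.strip().lower(): v.strip() for k, v in FIELD.findall(text)}

def triage(text):
    """Decode one failure record; return None for anything that is not a 537."""
    ev = parse_event(text)
    if ev.get("event id") != "537":
        return None
    status = int(ev["status code"], 16)
    sub = int(ev["substatus code"], 16)
    return {
        "logon_type": LOGON_TYPES.get(int(ev["logon type"]), "Unknown"),
        "package": ev["authentication package"],
        "status": NTSTATUS.get(status, hex(status)),
        "substatus": NTSTATUS.get(sub, hex(sub)),
        # Per the post: this substatus means the client and DC clocks differ.
        "clock_skew": sub == 0xC0000133,
    }

def summarize(events):
    """Count decoded 537 failures by substatus name."""
    counts = {}
    for result in filter(None, map(triage, events)):
        counts[result["substatus"]] = counts.get(result["substatus"], 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

A summary dominated by STATUS_TIME_DIFFERENCE_AT_DC points at time synchronization rather than at bad credentials, which is the case the steps in the reply address.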






