Frequent Event 529 Second Post



Hello

We have a fully patched SBS Prem box SP1 without ISA. I use Trend CSM, and
we are using a Symantec Corporate Firewall.

I am getting hundreds of 529's every day from essentially every workstation.
I noticed this the week after a restore from tape and upgrade to SP1.

In my first post (Another Event 529) it was suggested that it might be a
Time Service issue but I don't think so now. I googled everything I could
think of and have seen a few similar reports but no resolution.

I have run AV and spyware scans on everything and did not turn up anything.

Any advice would be appreciated.






Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/1/2006
Time: 4:12:36 PM
User: NT AUTHORITY\SYSTEM
Computer: SBServer
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: {Workstation Name}
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: {Workstation Name}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: {Workstation IP}
Source Port: {Various}

