Re: Login Failures

Hi Brandon,

Thanks for your information. I am jenny and I am backup of Steve for he is
now taking leave. I will continue work with you till Steve back. I am sorry
for inconvenience for that.

In the EVENT log, "Logon Type: 3" means that it is a network logon.
"Status code: 0xC00002EE" indicsates a STATUS_UNFINISHED_CONTEXT_DELETED.
It means that a security context was deleted before the context was
completed. This is considered a logon failure.

Based on my experience, there are problems that will generate this error

1. If there is firewall application installed
2. Windows Time is not synchronized.
3. There are applications from client computers trying to logon by
incorrect accounts and password.

What is the user account "msmith"? The audit always failed to audit the
user account.

I. For Firewall, please check the SBS Server and the client computer from
which the affected user logs on to make sure that there is no firewall
application installed. Please temporarily disable all filewalls on the SBS
server box and the client computer, then please test the issue and let me
know the result.

II. For logon by incorrect accounts and password, please open Active
Directory users and Computers or open the Server Management, please let me
know if the affected user account is disabled.

III. For Windows Time issue, I suggest that you do the following:

1. Please go to the workstation which the 537 events complain and run the
following command:

net time

2. Check if the workstation is syncing time with the SBS 2003 server and if
not, run the following command:

net time /setsntp:<SBS_Server_Name>

NOTE: Replace <SBS_Server_Name> with the real server name of the SBS 2003

3. Run the following command and check if the event does not occur
complaining this workstation:

w32tm /resync

4. After doing the above steps, reboot the client workstations and then try
to logon the domain. If the problem still occurs, please open a command
prompt on the workstation the event 537 complains, type 'w32tm /monitor
/computers:localhost' (without the quotation marks) and press Enter. What's
the output?

If the issue persists, please try the following suggestions to
troubleshooting the issue:

Suggestion One:

1. Go to the problematic computer, click Start -> Run, type MSCONFIG and
click OK.
2. Go to Services tab, click to Hide All Microsoft Services, click the
Disable All button.
3. Go to Startup tab, click the Disable All button.
4. Restart the client computer, check again to see if there are new failure
audit 537 events registered for the user account.

If the issue still exists, please go to Suggestion two.

Suggestion Two:

1. Start -> Administrative Tools -> Group Policy Management
2. Expand Domains -> Your Domain
3. Right click the Small Business Server Windows Firewall and click Edit
4. Computer configuration>Administrative templates>Network>Network
connections> Windows Firewall> Domain Profile;
5. In "Windows Firewall: Protect all network connections" should be set to
6. Run Gpupdate /force on your XP client
7. Logon and logoff your client and test your issue again.

NOTE: If the Windows XP computer has not SP2 applied, you need to check the
"small business server Internet connection firewall" policy.

If the issue still exists, please go to Suggestion three.

Suggestion Three:

Install the following update on the SBS Server:
898060 Installing security update MS05-019 or Windows Server 2003 Service

If the issue still exists after you applied the update Q898060, please go
to Suggestion four.

Suggestion Four:

1. Please logon a Lan computer with the user account (msmith), can still
the failure audit logged in Event Viewer?

2. If the issue persists, please try to remove the user account first and
then create a new user account with the same name and then test the issue
again, what is the result?

Hope it helps. I am glad to help.

Have a nice day!


Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! -
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
This posting is provided "AS IS" with no warranties, and confers no rights.

X-Tomcat-ID: 200972112
References: <O8l41pTaGHA.440@xxxxxxxxxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
From: v-bpeng@xxxxxxxxxxxxxxxxxxxx ("Bill Peng [MSFT]")
Organization: Microsoft
Date: Fri, 05 May 2006 12:45:51 GMT
Subject: Re: Login Failures
Message-ID: <a5komHEcGHA.2240@xxxxxxxxxxxxxxxxxxxxx>
Lines: 108
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl

Hi Brandon,

Thank you for your update.

Steven is OOF now and I'm backing up this post. At the current stage, will
you please collect the following info:

Info 1. Security Log:

1. Open eventvwr.
2. Right click Security node and click Save Log File As.
3. Give it a name and save the log.

Info 2. GPResult.

1. Open CMD prompt and run the following command:
gpresult /v>C:\gpresult.txt
2. C:\gpresult.txt will be created.

Then, please e-mail the logs to pngfd@xxxxxxxxxxxxx with the following

Post ID: 33651409
Post Subject: Login Failures
Engineer: Steven Zhu

Thanks a lot for your time and we look forward to your update.


Bill Peng
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:

If you are outside the United States, please visit our International
Support page:
This posting is provided "AS IS" with no warranties, and confers no rights.
| From: "Brandon" <bsmith@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <O8l41pTaGHA.440@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Login Failures
| Date: Thu, 4 May 2006 09:32:43 -0500
| Lines: 46
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
| X-RFC2646: Format=Flowed; Original
| Message-ID: <OXjwSe4bGHA.2188@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups:
| NNTP-Posting-Host:
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
| X-Tomcat-NG:
| Still having the same error even after changing that registry key.
| --
| Brandon
| Presentations Direct - "Document Finishing Solutions"
| "Steven Zhu [MSFT]" <v-stezhu@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:0OiTyLobGHA.4776@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Brandon,
| >
| > Thank you for keeping in touch. I will waiting for your information and
| > provide further help on this problem. It's always our pleasure to be of
| > assistance.
| >
| > Have a great day.
| >
| > Best Regards,
| >
| > Steven Zhu
| > MCSE
| > Microsoft Online Partner Support
| > Get Secure! -
| > ======================================================
| > PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
| > updated on February 14, 2006.? Please complete a re-registration
| > by entering the secure code mmpng06 when prompted. Once you have
| > entered the secure code mmpng06, you will be able to update your
| > and access the partner newsgroups.
| > ======================================================
| > When responding to posts, please "Reply to Group" via your newsreader
| > that others may learn and benefit from this issue.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| > ======================================================
| >
| >
| >
| >
| >
| >
| >