RE: Event ID 529 on client workstation



Hi Farhan,

Thanks for posting here.

From your description, I understand the issue is that the security event
529 is logged in the Security log several times in one day indicating the
error reason "unknown username or bad password". If I am off base, please
don't hesitate to let me know.

As we know, Security Event ID 529 is a failure audit for logon/logoff. The
security events are controlled by the audit policies. The policies for
"logon events" generate the events on domain controllers for domain account
activity. Generally this kind of event may be caused by an application
logon, such as when Outlook is connecting to Exchange Server, or by internet
users or computers that failed to access your network. This type of attack
can be initiated from the internal network or the external network.
Technically speaking, this is normal behavior, as you cannot prevent a
hacker from attacking your server. You can ignore the events as the
access/attack was unsuccessful.

Let us perform the following tests to troubleshoot the issue on your side:

I. The Event 529 was caused by the machine account password not being
properly in sync. Only attempts to login using that account and NTLM would
fail. Anything other than that would work fine, including accessing the
IPC$ share. I suggest that we reset the machine password by using "NETDOM
RESETPWD" with the required parameters.

Please refer to the following article to reset the machine password.

325850 How to use Netdom.exe to reset machine account passwords of a
Windows Server 2003 domain controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325850

II. If the issue persists, it may occur due to a connection problem between
the problematic client and the server, since the issue only happens on the
specific computer. I suggest that you re-join the client to the domain to
make everything work. The steps are as follows:

1. Remove the client from the domain. To do so:

Locate Client Computers in the Server Management console and choose the
computer in the right panel. Click the Remove from network link to delete
the computer from the domain.

2. Log on to the client with Administrator permissions, join it to
"Workgroup", and reboot the computer.

Right-click My Computer to open its properties page, click the Computer Name
tab, and click the Change button to join the computer to Workgroup.

3. Manually reset the TCP/IP stack with the NetShell utility. The detailed
steps are outlined in the following KB article:

299357 How to Reset Internet Protocol (TCP/IP) in Windows XP
http://support.microsoft.com/?id=299357

4. Set up the client by running the Setup Client Computer wizard to set up
the computer account and assign the related user account to the computer.

5. Log on to the computer with Administrator permissions and join it to the
domain by running http://servername/connectcomputer. Then assign appropriate
user accounts to the computer.

Note: Please ensure you have added the SBS site (http://FQDN/*) to the
trusted sites in IE on the computer.

Then please monitor the server for some time to see if the issue happens
again.

III. If the 529 event still persists, please collect the following
information for further analysis of the issue:

1. Please run the command "msinfo32" (no quotation marks) on the SBS server
and the XP workstation to launch the System Information console. Click File
and then Save. Save the system information to a .nfo file and send it to me.
My working mailbox: v-yanniw@xxxxxxxxxxxxx

2. Please open the Event Viewer and save the whole Security, System and
Application logs in .evt format, and send them to my working mailbox:
v-yanniw@xxxxxxxxxxxxx

3. Please enable the detailed Netlogon log and then send the log to me. It
will show how this logon occurs. To enable and gather the log, please
try:

On the domain controller, type "Nltest /dbflag:2080FFFF" (without the
quotation marks) at a command prompt to enable Netlogon logging. Restart
the Netlogon service. The log file is created at
%Systemroot%\Debug\Netlogon.log. (Note: the Nltest utility can be installed
from the Support/Tools folder on the Windows 2003 CD. Make sure that there
is at least 40MB of free space on the hard disk.)

Please compress all files and mail me at: v-yanniw@xxxxxxxxxxxxx

I appreciate your time! I am happy to be of assistance to you and look
forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "FS" <fselod@xxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Event ID 529 on client workstation
Date: 10 Aug 2006 10:01:40 -0700
Message-ID: <1155229300.122537.59750@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

Hi,

I've been receiving this odd event ID for a while now. I've never
paid much attention to it until recently and need help with a
solution.

Logon Failure:
Reason: Unknown user name or bad password
User Name: abc103
Domain: FRONT-DESK
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FRONT-DESK
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.20
Source Port: 0

I've had as many as 43 occurrences logged in one day and it's a bit
weird.

According to the KB articles I've read from Microsoft and Google Groups,
this event is logged during the log-off procedure when the client
machine tries to authenticate the user with the domain controller that
it is connected to; this error occurs because the user (which is a
local user and not listed on the DC) is not found.

- The client computer is a Windows XP SP2 machine, up to date with
patches.

Microsoft has a hotfix which it says is also available within SP2;
the hotfix I cannot install because it states the machine already
contains it (since it's SP2).

Anyone have any ideas on how I should proceed in solving this?


Best Regards and much thanks,

Farhan S.
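As an added example (not code from either post in this thread), the script below parses 529 records in the "Field: value" shape Farhan quoted and separates failures for a workstation-local account (Domain equal to Workstation Name, so the DC cannot know the user) from failures against domain accounts, then counts them per day and source so a burst like the 43-per-day figure stands out. The sample records are constructed, and the "Date:" line and blank-line record separator are assumptions about the export format.

```python
"""Triage of Windows Security Event 529 ("Logon Failure") text records; added
example, not from the thread. Parses the quoted field/value body and groups it."""
import re
from collections import Counter

# Constructed sample in the shape of the event quoted in the post; the
# "Date:" line and the blank-line record separator are assumptions.
SAMPLE_LOG = """\
Date: 8/10/2006
Logon Failure:
Reason: Unknown user name or bad password
User Name: abc103
Domain: FRONT-DESK
Logon Type: 3
Authentication Package: NTLM
Workstation Name: FRONT-DESK
Source Network Address: 192.168.0.20

Date: 8/10/2006
Logon Failure:
Reason: Unknown user name or bad password
User Name: jdoe
Domain: CONTOSO
Logon Type: 3
Authentication Package: NTLM
Workstation Name: -
Source Network Address: 192.168.0.77
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split blank-line separated records into field -> value dicts; the bare
    "Logon Failure:" header has no value and is dropped."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (FIELD.match(line.strip()) for line in chunk.splitlines())
        events.append({m.group(1): m.group(2) for m in pairs if m and m.group(2)})
    return events

def classify(ev):
    """Domain == Workstation Name means a workstation-local account: the DC
    has no such user, so 'unknown user name' is the expected answer."""
    if ev.get("Domain") and ev["Domain"] == ev.get("Workstation Name"):
        return "local-account"
    return "domain-account"

def summarize(events):
    """Failures per (date, class, user, source); high counts merit a look."""
    return Counter((ev.get("Date"), classify(ev), ev.get("User Name"),
                    ev.get("Source Network Address")) for ev in events)
```

Feed it the text of an exported Security log and sort `summarize()` by count; a local-account entry repeating from one workstation is the misconfiguration described in the thread, while many domain-account entries from one address are the case worth investigating.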
