RE: Error 537 and 529 on SBS 2003 SP1
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Thu, 31 Aug 2006 05:58:09 GMT
Hi,
Thanks for posting here.
Since the SBS 2003 server enabled security audit in the security policy by
default, we can see many security events in the event log (in Windows 2000,
the audit policy is not defined by default). Sometimes, we can ignore some
security events because they will not impact the server box besides the
logs.
Regarding Security event 537
Kerberos and "An error occurred during logon" event id 537
Therefore, it appears that something on the workstation is failing to
authenticate to the SBS server because there is a time difference (greater
than 5 minutes) between the two computers. Please go to the workstation to
see if their time setting is correct. Sometimes, although you cannot see
any time difference between the server and the workstation, the error
messages could still be generated. This is because after the first failure,
the workstation will automatically synchronize the time with the SBS
server.
Regarding Security event 529
This could be normal behavior in SBS 2003 server. This error message
always occurs when some services (logging on as the local system account) are
started. In SBS 2003 server, it is most likely that the "Microsoft
Exchange Routing Engine" service causes this security event. You may open
the "Services" console in "Administrative Tools", double-click the "Microsoft
Exchange Routing Engine" service and click the "Stop" button. The 529 events
should stop. Please note that the Exchange routing engine service is
a core service for Microsoft Exchange. If this service stops, mail
delivery could be impacted. Stop this service only for testing.
If the SBS 2003 server is running well and there is no logon issue in this
environment, you can safely ignore these security error messages.
You can change the specific setting in the registry to downgrade the
authentication level.
Please open regedt32 on SBS 2003 and go to
HKLM\System\CurrentControlSet\Control\LSA\nolmhash=1
Set nolmhash to 0 and reboot the server.
Based on my research, this could also be an automated dictionary attack
on weak passwords. The hacker is trying variable username/password
combinations to access the network. The attack can be initiated from
the internal network or an external network. Technically speaking, this is
normal behavior as you cannot prevent a hacker or spyware from attacking
your server. The attack can be from outsiders or from LAN workstations which
are infected by viruses or spyware. You can ignore the events as the attack
was unsuccessful. However, since it indicates an attack, I would like to
give the following action plan to improve the network security:
1. Scan for viruses on both the server and workstations (especially the
workstation the IP address refers to). Please use the anti-virus software
to perform a full scan on all your computers, especially the computer event
537 indicates. There is an online virus scan link below if you do not have
anti-virus software:
http://housecall.trendmicro.com
2. Scan and remove all spyware and adware on the server and workstations.
For more information and removal tools, see:
http://www.microsoft.com/athome/security/spyware/default.mspx
3. Implement strong password policies. Open the "Server Management
console", navigate to the Users snap-in. In the right panel, click
"Configure Password Policies". Enable the password policies. You'd
better also ask your users to change their passwords to avoid a successful
attack against weak passwords.
For more information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
4. Monitor the internal users to see if anyone is testing the administrator
account.
NOTE: This response contains a reference to a Third party World Wide Web
site. You should know that Third party sites are not under the control of
Microsoft. Accordingly, Microsoft can make no representation concerning
the content of these sites. Microsoft is providing this information only
as a convenience to you. This is to inform you that Microsoft has not
tested any software or information found on these sites and therefore
cannot make any representations regarding the quality, safety, or
suitability of any software or information found there. There are inherent
dangers in the use of any software found on the Internet, and Microsoft
cautions you to make sure that you completely understand the risk before
retrieving any software on the Internet.
Please do not hesitate to let me know if you have any further concerns.
I hope the above information helps.
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
| From: Montreal MCT <MontrealMCT@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Error 537 and 529 on SBS 2003 SP1
| Date: Wed, 30 Aug 2006 08:35:02 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi Julien,
|
| I had that problem on a client's system for nearly a year and for love or
| money I could not resolve it. I got a lot of advice that there were problems
| with an installed application on his workstation, but I could not find
| anything untoward.
|
| For reasons I will not go into one day I had to export the Active Directory
| users to a CSV file, and while I was looking through the records in Excel I
| noticed that some of the records - the ones that had been causing the errors
| - had some fields that were for the most part unused, but they were filled
| with garbled junk. These were not fields that you would have seen in the
| ADUC Properties, but they were corrupted. I fixed it, re-imported them, and
| the errors disappeared.
|
| To export the database go to a command prompt on the server and use the
| CSVDE tool.
|
| Good luck and let us know how it goes!
|
| M
|
| --
| MDG, MCT
| MCSA (2003), MCSA (2000), MCDST.
| Certified Small Business Specialist
| Visit my blog at www.mitpro.ca/Blogs/tabid/59/BlogID/2/Default.aspx
|
|
| "Julien Gras" wrote:
|
| > Hi,
| >
| > I try to understand why my SBS 2003 Server have these critical errors (near
| > 8000/days).
| > The user name in the 537 error is not always the same.
| > Only Exchange 2003 and shared folders are used by the users.
| >
| > Any idea?
| >
| > Thanks
| >
| > Julien GRAS
| > Proxitec
| >
| >
| >
|
.
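Added example (not part of the original posts): one way to separate the two explanations given above for event 529, routine failures from a single service account versus one origin trying many user names. The record layout, field names, sample values and the `ADMIN_NAMES` list are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the thread). Fields mirror what a
# Windows Server 2003 event 529 carries: user name, workstation, source address.
SAMPLE_EVENTS = [
    {"event_id": 529, "user": "SBS01$", "workstation": "SBS01", "source": "-"},
    {"event_id": 529, "user": "SBS01$", "workstation": "SBS01", "source": "-"},
    {"event_id": 529, "user": "administrator", "workstation": "WS07", "source": "192.168.16.42"},
    {"event_id": 529, "user": "admin", "workstation": "WS07", "source": "192.168.16.42"},
    {"event_id": 529, "user": "backup", "workstation": "WS07", "source": "192.168.16.42"},
    {"event_id": 529, "user": "jsmith", "workstation": "WS03", "source": "192.168.16.23"},
    {"event_id": 537, "user": "jsmith", "workstation": "WS03", "source": "192.168.16.23"},
]

ADMIN_NAMES = {"administrator", "admin"}  # assumed list of privileged account names


def triage_529(events, many_users=3):
    """Group event 529 failures by origin and label each origin's pattern."""
    origins = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev.get("event_id") != 529:
            continue  # 537 (logon error such as clock skew) is a separate check
        # Prefer the network address; local service logons have none ("-").
        src = ev.get("source") or "-"
        origin = src if src != "-" else "local:" + ev.get("workstation", "unknown")
        origins[origin]["count"] += 1
        origins[origin]["users"].add(ev.get("user", "").lower())

    report = {}
    for origin, seen in origins.items():
        if len(seen["users"]) >= many_users:
            label = "many-accounts"   # one origin cycling user names: look here first
        elif seen["users"] & ADMIN_NAMES:
            label = "admin-account"   # failures against a privileged account
        else:
            label = "single-account"  # repeated failures for one account, e.g. a service
        report[origin] = {"label": label, "count": seen["count"],
                          "users": sorted(seen["users"])}
    return report


if __name__ == "__main__":
    for origin, row in sorted(triage_529(SAMPLE_EVENTS).items()):
        print(origin, row)
```
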