Exchange, Event 537, and Access Denied, Oh my




I've actually got a problem of my own (unfortunately) and it has me
absolutely stymied.

Hoping some shared brainpower here will shed some light.

In the event logs I'm getting the ever-helpful 537 event id
-----------------------------------------------
logon failure:
reason: an error occurred during logon
user name: myadmin
domain: mydomain
logon type: 3
logon process: ðùæ
authentication package: ntlm
workstation name: servername
status code: 0xc000006d
substatus code: 0x0
caller user name: -
caller domain: -
caller logon id: -
caller process id: -
transited services: -
source network address: 192.168.1.200 (this is the internal server ip address)
source port: 2436
------------------------------------------------

note that the "logon process" is showing a garbled, corrupted name.
in general it looks like that each time in the error log but with some
slight variations.

with that as the only information i had to go on i began attempting to
track down what process was actually trying to authenticate. i
eventually captured the process id, which turned out to be information
store (store.exe).

so then i tried to see *when* it's being created. there are other times
when it's appearing but i have been able to reproduce it manually by
attempting to sync a pda cellphone via activesync. note that syncing
fails (which is what started me investigating this server in the first
place). the authentication between the pda and iis occurs fine, the
"syncing folders" message appears, and then iis/exchange drop the
connection. at the time that the connection is being dropped i get the
same error as above (albeit this time with my test account as the user
instead of the server machinename).

---------------------------------------------------
logon failure:
reason: an error occurred during logon
user name: msradmin
domain: mydomain
logon type: 3
logon process: ðùýx:
authentication package: ntlm
workstation name: servername
status code: 0xc000006d
substatus code: 0x0
caller user name: -
caller domain: -
caller logon id: -
caller process id: -
transited services: -
source network address: 192.168.1.200
source port: 2435
-------------------------------------------------------

this occurs at least 3 times, and cycles through a sequential port each
time (2435, 2436, 2437). i don't think that's important but giving you
what i've got.

so that's where we are so far. then i go into the esm and everything
looks fine, until i glance at the "log file directory" window under
the general tab which should be showing me the file path to the log
files but instead says "access denied.
facility: win32
id no: 80070005
exchange system manager" in it.

note that email works fine to the extent it gets used, but is only in
use periodically in a direct mapi setting as it's one of our test bed
images. it's sbs 2003 standard with all service packs and updates.

from where i sit it seems to be that exchange is issuing explicit
credentials for various task permissions. and wherever it has stored
those credentials has become corrupt so it is spitting out garbage (and
thus failing to authenticate for those few tasks, or perhaps succeeding
in a failover to kerberos but not under ntlm, who knows). the question
is *where* would that information be stored and the best way to recover
it. hopefully the event log error and the 'access denied' on the log
path will combine to trigger a thought in someone's head.

i'd hate to lose this disk image as it's been so nicely configured, but
can't use it now with this error that we inadvertently allowed to seep
into the image when we last revised it...and a full reinstall means a
full reconfiguration/rebuild of the whole image. at least a week's
work, bleah.

if you've got any ideas i'm all ears, and if you've got a solution to
resolve it that doesn't make me lose the image, well, the things i'd be
willing to do can't be stated in a public place :)

matt ridings - msr consulting


--
admin

MSR Consulting SBS Support - support (at) msrportal.com
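As an added example (not part of the post above), the following Python script parses Event 537 records in the text layout quoted in the post, flags a "logon process" field that is not a printable ASCII name, decodes the status/substatus NTSTATUS codes, and reports when one source address cycles through consecutive ports, as the poster observed. The sample records are constructed; the garbled bytes are made up to resemble the ones shown.

```python
import re

# Constructed sample in the layout of the post's Event 537 records; the
# "logon process" values are made-up non-printable bytes like those observed.
SAMPLE_LOG = """-----
logon failure:
user name: myadmin
domain: mydomain
logon type: 3
logon process: \u00f0\u00f9\u00e6
authentication package: ntlm
status code: 0xc000006d
substatus code: 0x0
source network address: 192.168.1.200
source port: 2436
-----
logon failure:
user name: msradmin
logon process: \u00f0\u00f9\u00fdx:
status code: 0xc000006d
substatus code: 0x0
source network address: 192.168.1.200
source port: 2435
-----
"""

# Well-known NTSTATUS values seen in the 537 status / substatus fields.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_events(text):
    """Split the dashed blocks into dicts keyed by the lower-case field name."""
    events = []
    for block in re.split(r"^-{3,}[ \t]*$", text, flags=re.M):
        fields = dict(re.findall(r"^([a-z ]+?):[ \t]*(.*)$", block, flags=re.M))
        if "user name" in fields:
            events.append(fields)
    return events

def garbled_logon_process(ev):
    """Genuine logon process names (Advapi, NtLmSsp, Kerberos, ...) are printable ASCII."""
    name = ev.get("logon process", "").strip()
    return not (name and name.isascii() and name.isprintable())

def status_name(ev):
    # A non-zero substatus carries the specific reason; otherwise use the status.
    code = int(ev.get("status code", "0x0"), 16)
    sub = int(ev.get("substatus code", "0x0"), 16)
    return NTSTATUS.get(sub) or NTSTATUS.get(code, f"0x{code:08X}")

def sequential_port_runs(events):
    """Per source address, return the sorted ports if they form an unbroken +1 run."""
    ports = {}
    for ev in events:
        ports.setdefault(ev.get("source network address", "?"), []).append(int(ev["source port"]))
    return {src: sorted(p) for src, p in ports.items()
            if len(p) > 1 and all(b - a == 1 for a, b in zip(sorted(p), sorted(p)[1:]))}
```

Run it over a text export of the Security log to see at a glance which 537 records carry an unreadable logon process name versus an ordinary bad-password or unknown-user substatus.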