Problems with 529 Events
- From: luv2chill@xxxxxxxxx
- Date: 4 Feb 2007 16:22:35 -0800
Hello all SBS Gurus,
I've got a couple of different issues with 529 events stacking up in
my security event log on my SBS 2003 SP1 box. I am hoping to get these
both resolved because I know they're serious and I hate seeing them in
the server report I get every morning.
1. I think this is the easier of the two (but also the more
dangerous). I am seeing 529s apparently coming from over the internet.
Here's a sample:
Date: 2/1/2007 Source: Security
Time: 2:19:53 PM Category: Logon/Logoff
Type: Failure Aud Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: SBSSVR
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: MAILSERVER$
Domain: ADLDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MAILSERVER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
The user name, domain and workstation name are different each time and
are not any of mine. I have no wireless network and my physical
ethernet ports are secure so I assume these are coming in from over
the internet.
From the research I have done in this group and elsewhere, it seems
that I may be getting these because I have http (port 80) open on the
firewall and forwarded to the SBS server (by the way my SBS server has
only one network card and is not using ISA. I do all of my port
security on the NAT firewall).
I do not host any public web sites on my SBS server, but I have kept
port 80 open to utilize the built-in http->https redirection built
into SBS so that my users don't have to remember to type https when
they connect to OWA. If I block port 80, that redirection can no
longer happen and typing https: is required.
So I guess I am asking is there any way to have the best of both
worlds? Can I keep port 80 open simply to do the redirection to https:
without my logs filling up with failed logon attempts from over the
net?
Just in case it's helpful the only other ports open are HTTPS/443, RWW/
4125, SMTP/25, and PPTP/1723.
2. I am also getting TONS of 529s coming from two XP Pro SP2
workstations on the domain. We have 20 other workstations (all
identical) and I have never seen any 529s from them. The two that have
this problem have been having strange sporadic problems with printing
to network printers shared from the SBS server (getting the error:
"There was an error when the printing started. Check the printer set-
up."). Usually that error resolves itself (i.e. later on in the day
the user is able to print without problems), but one time I was able
to fix it by deleting the printer and re-adding it (at which time it
prompted for that user's domain login, which I thought was odd).
Simply restarting and logging in again does not fix the problem.
The similarities between these two users (that I can think of) are that
they both tend to leave their machines logged-in each night (which can
sometimes present problems when user passwords expire) and both use
laptops to get their exchange mail with Outlook 2003's RPC over http
from home and when traveling.
I have read reports that 529s can appear due to machine passwords not
being in-sync, and that using the netdom resetpwd command on the SBS
server can fix it. But I am a little confused about the command line
options for that command--it asks for the server name, user name and
password as parameters. But if I am running this on the SBS box as
suggested, how does that solve the problem with the two workstations
with the problem? Does it just reset all machine passwords for all
workstations on the domain? And do I use my administrator user name or
the user names of the users with the problem machines?
Anyway, here is an example of one of these 529s:
Date: 2/1/2007 Source: Security
Time: 4:40:21 PM Category: Logon/Logoff
Type: Failure Aud Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: SBSSVR
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: bob
Domain: SBSSVR
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: 313WKS
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.113
Source Port: 4541
This is obviously coming from inside my network. The IP address and
workstation name match up with our workstations. That user name is the
name of the user who uses that workstation. The value it shows for
domain is not our domain name though--it's the host name of the SBS
server.
Anyway, I hope I have provided enough information to help you guys
understand what is going on here. I've been scratching my head over
this for a week or so and decided it was time to just ask for help.
Any input would be much appreciated.
Regards,
Dan
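
Added example (not part of the original post): a small triage script that separates the two kinds of 529 events described above by their Source Network Address, User Name and Domain fields. It assumes the event text has been exported with one "Key: value" field per line; the sample input is constructed from the fields quoted in the post, and the label names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: the fields of the two 529 events quoted in the post.
SAMPLE = """\
Event ID: 529
Computer: SBSSVR
User Name: MAILSERVER$
Domain: ADLDOMAIN
Workstation Name: MAILSERVER
Source Network Address: -

Event ID: 529
Computer: SBSSVR
User Name: bob
Domain: SBSSVR
Workstation Name: 313WKS
Source Network Address: 192.168.0.113
"""

def parse_events(text):
    """Split on blank lines; turn each 'Key: value' line into a dict entry."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(map(str.strip, line.split(":", 1))
                      for line in chunk.splitlines() if ":" in line)
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events

def triage(ev):
    """Return descriptive labels for one event; deciding the cause stays with the admin."""
    labels = []
    src = ev.get("Source Network Address", "-")
    if src == "-":
        labels.append("no-source-address")  # correlate by time with firewall/IIS logs
    else:
        try:
            private = ipaddress.ip_address(src).is_private
            labels.append("internal-source" if private else "external-source")
        except ValueError:
            labels.append("unparseable-source")
    if ev.get("User Name", "").endswith("$"):
        labels.append("machine-account-name")
    dom = ev.get("Domain", "").lower()
    if dom and dom == ev.get("Computer", "").lower():
        labels.append("domain-is-server-name")  # Domain field equals the logging server's host name
    return labels

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["Workstation Name"], triage(ev))
```
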