Re: Logon Failures
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Mon, 13 Aug 2007 12:57:18 GMT
Hello Jesse,
Thank you for your kind update.
Do you still get many 529 errors? If there are not very many errors in the event
log about logon failures, it is OK. The logon failure is normal.
From the Server Performance report, we can see that error 537 shows the Source
Network Address is an internal IP address. If you get many errors
about this IP, please perform the following steps:
This behavior can happen when the machine password is not properly synced.
In order to reset the machine account password of a domain controller use:
NETDOM RESETPWD /Server:ServerName /UserD:Administrator /PasswordD:*
The syntax of this command is:
NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]
NETDOM RESETPWD Resets the machine account password for the domain controller
on which this command is run. Currently there is no support for resetting
the machine password of a remote machine or a member server. All parameters
must be specified.
/Server     Name of a specific domain controller that should have its
            machine account password reset.
/UserD      User account used to make the connection with the domain
            controller specified by the /Server argument.
/PasswordD  Password of the user account specified with /UserD. A * means
            to prompt for the password
After completing the command, reboot the server.
Hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| Organization: Microsoft
| Date: Wed, 08 Aug 2007 10:07:50 GMT
| Subject: Re: Logon Failures
|
| Hello Jesse,
|
| Thank you for your kind update.
|
| The 537 log comes with the 529; we have to resolve the 529 first. Then the
| 537 will disappear.
|
| Additionally, if you have ISA Server 2004 on your SBS, you can look at all
| the event 529 entries. If you find the "Source Network Address" is the same IP,
| you can create an ISA access rule to block the traffic from the IP.
|
| Please open the ISA management console, navigate to Firewall Policy, right
| click "Firewall Policy" and click New->Access Rule, then create a new
| access rule as follows:
|
| Rule name: block attack traffic
|
| Rule Action: Deny
|
| Protocols: All outbound traffic
|
| Sources: The IP in the log
|
| Destination: Anywhere
|
| User Sets: All Users
|
| Then move this rule to the top and click Apply to save all the settings.
|
| I hope these steps will give you some help.
|
| Thanks and have a nice day!
|
| Best regards,
|
| Terence Liu(MSFT)
|
| Microsoft CSS Online Newsgroup Support
|
| Get Secure! - www.microsoft.com/security
|
| --------------------
| | From: JAH <jslost@xxxxxxxxx>
| | Newsgroups: microsoft.public.windows.server.sbs
| | Subject: Re: Logon Failures
| | Date: Tue, 07 Aug 2007 09:31:56 -0700
| |
| | Terence,
| |
| | Thank you for your assistance. I checked the Event security logs and
| | determined the event ID is 529. This person tried a total of 10 times
| | within ten minutes to logon to our server with usernames,
| | administrator, admin, pos, and pos1. I am going to implement the
| | steps and hope to secure the server more. If you have any additional
| | comments please let me know.
| |
| | I am also getting more logon errors daily, although not as
| | descriptive. Here is what the error is, are they related to the 529
| | logon attempts?:
| |
| | Security 537 8/6/2007 9:38 PM 34 *
| | Logon Failure:
| | Reason: An error occurred during logon
| | User Name:
| | Domain:
| | Logon Type: 3
| | Logon Process: Kerberos
| | Authentication Package: Kerberos
| | Workstation Name: -
| | Status code: 0xC000006D
| | Substatus code: 0xC0000133
| | Caller User Name: -
| | Caller Domain: -
| | Caller Logon ID: -
| | Caller Process ID: -
| | Transited Services: -
| | Source Network Address: -
| | Source Port: -
| |
| | Thank you,
| |
| | Jesse
| |
| |
|
|
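
The review suggested in the quoted reply (look through the event 529 entries for a repeated "Source Network Address" before blocking it) can be scripted. The following is an added example, not part of the original thread: the exported-text layout, the sample records, the function names, and the threshold of 5 failures per 10 minutes are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export laid out like the event text quoted in the thread;
# the addresses are documentation ranges and nothing here comes from a real log.
RECORD = ("Security {} {} 34 *\nLogon Failure:\nReason: Unknown user name or bad "
          "password\nUser Name: {}\nLogon Type: 3\nSource Network Address: {}\n")
SAMPLE = "".join(
    [RECORD.format(529, f"8/6/2007 9:{m} PM", u, "203.0.113.45")
     for m, u in zip(range(30, 40), ["administrator", "admin", "pos", "pos1"] * 3)]
    + [RECORD.format(529, "8/6/2007 8:05 AM", "jesse", "192.0.2.10"),
       RECORD.format(537, "8/6/2007 9:38 PM", "", "-")])

HEADER = re.compile(r"^Security\s+(\d+)\s+(\d+/\d+/\d+ \d+:\d+ [AP]M)")
FIELD = re.compile(r"^([^:]+):\s*(.*)$")

def parse_events(text):
    """Split exported Security log text into one dict per event record."""
    events = []
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:
            when = datetime.strptime(head.group(2), "%m/%d/%Y %I:%M %p")
            events.append({"id": int(head.group(1)), "time": when})
        elif events and (field := FIELD.match(line)):
            events[-1][field.group(1).strip()] = field.group(2)
    return events

def repeated_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Flag addresses with >= threshold event 529 failures inside one window."""
    by_addr = defaultdict(list)
    for ev in events:
        addr = ev.get("Source Network Address", "-")
        if ev["id"] == 529 and addr not in ("", "-"):
            by_addr[addr].append(ev)
    flagged = {}
    for addr, evs in by_addr.items():
        evs.sort(key=lambda e: e["time"])
        start = best = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:  # slide the window start
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[addr] = (best, sorted({e.get("User Name", "") for e in evs}))
    return flagged

for addr, (count, users) in repeated_sources(parse_events(SAMPLE)).items():
    print(f"{addr}: {count} failures in 10 minutes, user names tried: {users}")
```

Records with an empty or "-" source address, like the 537 entry quoted above, are skipped because they give nothing to build a rule on.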