Re: Bad login alerts

I have reviewed the links but do not find them intuitive, as they refer to NT
and 2000?

"Teneo" <not@xxxxxxxx> wrote in message
Hello Robert

Thank you for your post.

I think there is a little confusion. I am aware of an RDP unsuccessful
attempt, but my post was enquiring about the log entry with the DOC MAIL in
the security log.

I am wondering what type of connection my original example is, as there is
very little information presented. My second example showed an
unsuccessful RDP connection, which gives us a lot of useful information, and
I would like to add that an external unsuccessful RDP connection does give
the source network address. This has been very useful for tracking down
infected servers/PCs.

"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
Hi Sasha,

Thanks for sharing your wonderful experience here.

When an unsuccessful RWW or RDP logon occurs, Event ID 529 is recorded in
the Security log. In the logs, you can see the following content:

Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

When you RDP to the server from the Internet, this is expected behavior, because
the firewall gets rid of the information of Source Network Address,
Port and so on. When you RDP from internal, you can see Source Network
Address and Source Port, because the traffic doesn't pass through the firewall.

Logon Failure:
Reason: Unknown user name or bad password
User Name: aaaaaaaaa
Domain: SERVER
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: IUSR_SERVER

The RWW depends on IIS; all the logon attempts start from IIS, not from the
client workstation, so you can see the server is SERVER and the user name is

I'd like to give you more information on the process NTLMSSP and Advapi.

NTLMSSP is a security support provider that is available on all versions of
DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for
authentication. NTLM never actually transmits the user's password to the
server during authentication.

More info:


Process Advapi is triggered by a call to LogonUser; LogonUser calls
LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName,
identifies the origin of the logon attempt.

More info:

How to troubleshoot Kerberos-related issues in IIS

Hope this helps.

If you have any concern on this issue, please don't hesitate to let me

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! -


This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the
newsgroups so that they can be resolved in an efficient and timely
You can locate the newsgroup here:

When opening a new thread via the web interface, we recommend you check
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check for regional support phone numbers.

Any input or comments in this thread are highly appreciated.


This posting is provided "AS IS" with no warranties, and confers no

<From: "Sasha" <news@xxxxxxxxxx>
<Subject: Bad login alerts
<Date: Thu, 16 Aug 2007 19:27:23 +0100
<Message-ID: <Ow4ZWMD4HHA.1824@xxxxxxxxxxxxxxxxxxxx>
<Hi all
<If someone tries an unsuccessful RDP attempt on the server, much helpful info is
<recorded, especially the IP address.
<Seeing some login alerts like the below where limited info is recorded...
<this NtLmSsp logon process:
<Logon Failure:
<Reason: Unknown user name or bad password
<User Name: DOC-MAIL$
<Domain: DOC
<Logon Type: 3
<Logon Process: NtLmSsp
<Authentication Package: NTLM
<Workstation Name: DOC-MAIL
<Caller User Name: -
<Caller Domain: -
<Caller Logon ID: -
<Caller Process ID: -
<Transited Services: -
<Source Network Address: -
<Source Port: -
<Username / Domain and workstation name have no relation to the site where I
<recorded this.
<I thought it may be an RWW attempt, but this gives:
<Logon Failure:
<Reason: Unknown user name or bad password
<User Name: aaaaaaaaa
<Domain: SERVER
<Logon Type: 3
<Logon Process: Advapi
<Authentication Package: Negotiate
<Workstation Name: SERVER
<Caller User Name: IUSR_SERVER
<TIA, have a great day / night depending wherever you are... ;-)
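The distinction the thread draws between the two 529 entries (an NTLM network logon with no Source Network Address versus an IIS-originated RWW attempt with an IUSR_ caller) can be turned into a small triage script. This is an added example, not code from anyone in the thread; the sample event bodies are constructed from the entries quoted above, and the label names are my own.

```python
import re

# Two Event ID 529 bodies, constructed from the entries quoted in this thread.
SAMPLE_EVENTS = [
    """Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Source Network Address: -
Source Port: -""",
    """Logon Failure:
Reason: Unknown user name or bad password
User Name: aaaaaaaaa
Domain: SERVER
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: IUSR_SERVER""",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_529(text):
    """Turn the 'Field: value' lines of a 529 body into a dict; '-' becomes None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) != "Logon Failure":
            fields[m.group(1)] = None if m.group(2) == "-" else m.group(2)
    return fields


def classify_529(fields):
    """Label a parsed 529 entry using the distinctions made in the thread (labels are mine)."""
    caller = fields.get("Caller User Name") or ""
    if fields.get("Logon Process") == "Advapi" and caller.startswith("IUSR_"):
        return "rww-via-iis"          # logon originates from IIS, not the client
    if fields.get("Logon Process") == "NtLmSsp" and not fields.get("Source Network Address"):
        return "ntlm-network-no-source"  # type 3 NTLM logon, address not recorded (e.g. behind the firewall)
    if fields.get("Source Network Address"):
        return "network-with-source"  # address present, as for an internal RDP attempt
    return "other"


def triage(events):
    """Return (user, machine-account?, label) for each event body."""
    out = []
    for f in map(parse_529, events):
        user = f.get("User Name") or ""
        out.append((user, user.endswith("$"), classify_529(f)))
    return out
```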

