Re: Bad login alerts

I have reviewed the links but do not find them intuitive, as they refer to NT
and 2000?

"Teneo" <not@xxxxxxxx> wrote in message
Hello Robert

Thank you for your post.

I think there is a little confusion. I am aware of an unsuccessful RDP
attempt, but my post was enquiring about the log entry with the DOC MAIL in
the security log.

I am wondering what type of connection my original example is, as there is
very little information presented. My second example showed an
unsuccessful RDP connection, which gives us a lot of useful information, and
I would like to add that an external unsuccessful RDP connection does give
the source network address. This has been very useful for tracking down
infected servers/PCs.

"Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
Hi Sasha,

Thanks for sharing your wonderful experience here.

When an unsuccessful RWW or RDP logon occurs, Event ID 529 is recorded in
the Security log. In the log, you can see the following content:

Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

When you RDP to the server from the Internet, this is expected behavior, because
the firewall strips the Source Network Address, Source Port and so on. When
you RDP from internal, you can see the Source Network Address and Source
Port, because the traffic doesn't pass through the firewall.

Logon Failure:
Reason: Unknown user name or bad password
User Name: aaaaaaaaa
Domain: SERVER
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: IUSR_SERVER

RWW depends on IIS; all the logon attempts start from IIS, not from the
client workstation, so you can see the server is SERVER and the user name is

I'd like to give you more information on the process NTLMSSP and Advapi.

NTLMSSP is a security support provider that is available on all versions of
DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for
authentication. NTLM never actually transmits the user's password to the
server during authentication.

More info:


Process Advapi is triggered by a call to LogonUser; LogonUser calls
LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName,
identifies the origin of the logon attempt.

More info:

How to troubleshoot Kerberos-related issues in IIS

Hope this helps.

If you have any concern on this issue, please don't hesitate to let me

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! -


This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the
newsgroups so that they can be resolved in an efficient and timely
You can locate the newsgroup here:

When opening a new thread via the web interface, we recommend you check
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check for regional support phone numbers.

Any input or comments in this thread are highly appreciated.


This posting is provided "AS IS" with no warranties, and confers no

<From: "Sasha" <news@xxxxxxxxxx>
<Subject: Bad login alerts
<Date: Thu, 16 Aug 2007 19:27:23 +0100
<Message-ID: <Ow4ZWMD4HHA.1824@xxxxxxxxxxxxxxxxxxxx>
<Hi all
<If someone tries an unsuccessful RDP attempt on the server, much helpful info
<is recorded, especially the IP address.
<Seeing some login alerts like the below where limited info is recorded...
<this NtLmSsp logon process:
<Logon Failure:
<Reason: Unknown user name or bad password
<User Name: DOC-MAIL$
<Domain: DOC
<Logon Type: 3
<Logon Process: NtLmSsp
<Authentication Package: NTLM
<Workstation Name: DOC-MAIL
<Caller User Name: -
<Caller Domain: -
<Caller Logon ID: -
<Caller Process ID: -
<Transited Services: -
<Source Network Address: -
<Source Port: -
<Username / Domain and workstation name have no relation to the site where I
<recorded this.
<I thought it may be an RWW attempt, but this gives:-
<Logon Failure:
<Reason: Unknown user name or bad password
<User Name: aaaaaaaaa
<Domain: SERVER
<Logon Type: 3
<Logon Process: Advapi
<Authentication Package: Negotiate
<Workstation Name: SERVER
<Caller User Name: IUSR_SERVER
<TIA, have a great day / night depending wherever you are... ;-)
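As an added example (not code from the thread or from Microsoft), a small Python parser for the 529 "Key: Value" bodies quoted above that labels each failure the way Robert's reply distinguishes them (NtLmSsp with no source address recorded, Advapi with an IUSR_ caller brokered by IIS, or an entry that does carry a Source Network Address) and tallies repeats per workstation or IP so a run of failures stands out. The third sample event (Logon Type 10 from 192.0.2.45) is constructed for the example, not taken from the thread.

```python
from collections import Counter

# Constructed Event ID 529 descriptions: the first two mirror the entries quoted in
# the thread, the third is an assumed internal RDP failure that carries a source address.
SAMPLE_EVENTS = [
    "Logon Failure:\nReason: Unknown user name or bad password\nUser Name: DOC-MAIL$\n"
    "Domain: DOC\nLogon Type: 3\nLogon Process: NtLmSsp\nAuthentication Package: NTLM\n"
    "Workstation Name: DOC-MAIL\nCaller User Name: -\nSource Network Address: -\nSource Port: -",
    "Logon Failure:\nReason: Unknown user name or bad password\nUser Name: aaaaaaaaa\n"
    "Domain: SERVER\nLogon Type: 3\nLogon Process: Advapi\nAuthentication Package: Negotiate\n"
    "Workstation Name: SERVER\nCaller User Name: IUSR_SERVER",
    "Logon Failure:\nReason: Unknown user name or bad password\nUser Name: administrator\n"
    "Domain: SERVER\nLogon Type: 10\nLogon Process: User32\nAuthentication Package: Negotiate\n"
    "Workstation Name: SERVER\nSource Network Address: 192.0.2.45\nSource Port: 3389",
]

def parse_529(body):
    """Turn the 'Key: Value' lines of a 529 description into a dict; the bare
    'Logon Failure:' header has no value and is dropped."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def classify(fields):
    """Label the failure the way the thread distinguishes the three cases."""
    proc = fields.get("Logon Process", "").lower()
    caller = fields.get("Caller User Name", "-").upper()
    addr = fields.get("Source Network Address", "-")
    if proc == "advapi" and caller.startswith("IUSR_"):
        return "rww"              # logon brokered by IIS: caller is the anonymous IIS account
    if addr not in ("", "-"):
        return "rdp-with-source"  # source address recorded, so the IP can be pivoted on
    if proc == "ntlmssp":
        return "ntlm-no-source"   # network (type 3) NTLM attempt with no source recorded
    return "other"

def pivot_key(fields, label):
    """Best attribute available in this entry to aggregate repeated failures on."""
    if label == "rdp-with-source":
        return "ip:" + fields["Source Network Address"]
    return "workstation:" + fields.get("Workstation Name", "?")

def summarize(bodies, threshold=1):
    """Count failures per (label, pivot key) and keep those at or above threshold."""
    counts = Counter()
    for body in bodies:
        fields = parse_529(body)
        label = classify(fields)
        counts[(label, pivot_key(fields, label))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```

Raise `threshold` when feeding a day's worth of exported 529 events to surface only the workstations or addresses that failed repeatedly.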