Re: Bad login alerts
- From: v-mzhuan@xxxxxxxxxxxxxxxxxxxx (Manfred Zhuang [MSFT])
- Date: Tue, 21 Aug 2007 13:42:00 GMT
Hello Sasha,
Thank you for your reply and I am sorry for the delay.
My colleague Robert currently is out of office and I will step in this
thread.
From your post, I understand that you would like to know what behaviorcaused the log you posted:
Logon Failure:
Reason: Unknown user name or bad password
User Name: DOC-MAIL$
Domain: DOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DOC-MAIL
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
Please understand that when you join a computer to a domain, a
computername$ account is created. (For your computer is DOC-MAIL$).
There are several running processes on the SBS server that will attempt to
connect using the machine account. One of the most active is the Microsoft
Exchange Routing Engine.
This behavior can happen when the machine password is not properly sync.
Let's perform following step to reset the machine account password of a
domain controller:
NETDOM RESETPWD /Server:ServerName /UsedD:Administrator /PasswordD:*
For example:
NOTE: Please run the command on the server named DOC-MAIL
NETDOM RESETPWD /Server:DOC-MAIL /UsedD:Administrator
/PasswordD:ThePasswordForAdministratorAccount
After that, please restart the server.
Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.
Best regards,
Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Teneo" <not@xxxxxxxx>
| References: <Ow4ZWMD4HHA.1824@xxxxxxxxxxxxxxxxxxxx>
<7IC5mTM4HHA.2340@xxxxxxxxxxxxxxxxxxxxxx>
<#wP2mpN4HHA.3684@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Bad login alerts
| Date: Fri, 17 Aug 2007 15:39:13 +0100
| Lines: 203
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| X-RFC2646: Format=Flowed; Response
| Message-ID: <ObDVgxN4HHA.4436@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: mail.sxcomputers.co.uk 217.34.35.237
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:57211
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I have reviewed the links but do not find them intuitive as they refer to
NT
| and 2000 ?
|
|
| "Teneo" <not@xxxxxxxx> wrote in message
| news:%23wP2mpN4HHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
| > Hello Robert
| >
| > Thank you for your post.
| >
| > I think there is a little confusion, I am aware of a RDP unsuccessful
| > attempt but my post was enquiring about the log entry with the DOC MAIL
in
| > the security log.
| >
| > I am wondering what type of connection my orignal example is as there
is
| > very little information presented. My second example showed an
| > unsuccessful RDP connection which gives us alot of useful information
and
| > I would like to add that an external unsuccessful RDP connection does
give
| > the source network address. This has been very useful tracking down
| > infected server/pcs.
| >
| >
| >
| >
| > "Robert Li [MSFT]" <v-robeli@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > news:7IC5mTM4HHA.2340@xxxxxxxxxxxxxxxxxxxxxxxxx
| >> Hi Sasha,
| >>
| >> Thanks for sharing your wonderful experience here.
| >>
| >> When a unsuccessful RWW or RDP logon occurs, Event ID 529 is recorded
in
| >> the Security log. In the logs, you can see the following content:
| >>
| >> Logon Failure:
| >> Reason: Unknown user name or bad password
| >> User Name: DOC-MAIL$
| >> Domain: DOC
| >> Logon Type: 3
| >> Logon Process: NtLmSsp
| >> Authentication Package: NTLM
| >> Workstation Name: DOC-MAIL
| >> Caller User Name: -
| >> Caller Domain: -
| >> Caller Logon ID: -
| >> Caller Process ID: -
| >> Transited Services: -
| >> Source Network Address: -
| >> Source Port: -
| >>
| >> When your RDP to server from Internet, this is expected behavior,
because
| >> the firewall get rid of the information of Source Network Address,
| >> Source
| >> Port and so on. When you RDP from internal, you can see Source Network
| >> Address, Source Port, because the traffic doesn't pass firewall.
| >>
| >> Logon Failure:
| >> Reason: Unknown user name or bad password
| >> User Name: aaaaaaaaa
| >> Domain: SERVER
| >> Logon Type: 3
| >> Logon Process: Advapi
| >> Authentication Package: Negotiate
| >> Workstation Name: SERVER
| >> Caller User Name: IUSR_SERVER
| >>
| >> The RWW depends on IIS, all the logon attempt starts from IIS, not from
| >> client workstation, so you can see the server is SERVER and user name
is
| >> IUSR_SERVER.
| >>
| >> I'd like to give you more information on the process NTLMSSP and
Advapi.
| >>
| >> NTLMSSP is a security support provider that is available on all
versions
| >> of
| >> DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for
| >> authentication. NTLM never actually transmits the user's password to
the
| >> server during authentication.
| >>
| >> More info:
| >>
| >> NTLMSSP
| >> http://msdn2.microsoft.com/en-us/library/ms691272.aspx
| >>
| >> Process Advapi is triggered by a call to LogonUser; LogonUser calls
| >> LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName,
| >> identifies the origin of the logon attempt.
| >>
| >> More info:
| >>
| >> How to troubleshoot Kerberos-related issues in IIS
| >> http://support.microsoft.com/kb/326985
| >>
| >> Hope this helps.
| >>
| >> If you have any concern on this issue, please don't hesitate to let me
| >> know.
| >>
| >> Best regards,
| >>
| >> Robert Li(MSFT)
| >>
| >> Microsoft CSS Online Newsgroup Support
| >>
| >> Get Secure! - www.microsoft.com/security
| >>
| >> =====================================================
| >>
| >> This newsgroup only focuses on SBS technical issues. If you have issues
| >> regarding other Microsoft products, you'd better post in the
| >> corresponding
| >> newsgroups so that they can be resolved in an efficient and timely
| >> manner.
| >> You can locate the newsgroup here:
| >> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >>
| >> When opening a new thread via the web interface, we recommend you
check
| >> the
| >> "Notify me of replies" box to receive e-mail notifications when there
are
| >> any updates in your thread. When responding to posts via your
newsreader,
| >> please "Reply to Group" so that others may learn and benefit from your
| >> issue.
| >>
| >> Microsoft engineers can only focus on one issue per thread. Although we
| >> provide other information for your reference, we recommend you post
| >> different incidents in different threads to keep the thread clean. In
| >> doing
| >> so, it will ensure your issues are resolved in a timely manner.
| >>
| >> For urgent issues, you may want to contact Microsoft CSS directly.
Please
| >> check http://support.microsoft.com for regional support phone numbers.
| >>
| >> Any input or comments in this thread are highly appreciated.
| >>
| >> =====================================================
| >>
| >> This posting is provided "AS IS" with no warranties, and confers no
| >> rights.
| >>
| >> --------------------
| >> <From: "Sasha" <news@xxxxxxxxxx>
| >> <Subject: Bad login alerts
| >> <Date: Thu, 16 Aug 2007 19:27:23 +0100
| >> <Lines: 40
| >> <X-Priority: 3
| >> <X-MSMail-Priority: Normal
| >> <X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
| >> <X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
| >> <X-RFC2646: Format=Flowed; Original
| >> <Message-ID: <Ow4ZWMD4HHA.1824@xxxxxxxxxxxxxxxxxxxx>
| >> <Newsgroups: microsoft.public.windows.server.sbs
| >> <NNTP-Posting-Host: mail.sxcomputers.co.uk 217.34.35.237
| >> <Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
| >> <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:56935
| >> <X-Tomcat-NG: microsoft.public.windows.server.sbs
| >> <
| >> <Hi all
| >> <If someone tries an ussuccesful RDP attempt on server much helpful
info
| >> is
| >> <recorded, especially IP address.
| >> <Seeing some login alerts of the below where limited info is
recorded..
| >> Its
| >> <this NtLMSsp logon process
| >> <
| >> <Logon Failure:
| >> <Reason: Unknown user name or bad password
| >> <User Name: DOC-MAIL$
| >> <Domain: DOC
| >> <Logon Type: 3
| >> <Logon Process: NtLmSsp
| >> <Authentication Package: NTLM
| >> <Workstation Name: DOC-MAIL
| >> <Caller User Name: -
| >> <Caller Domain: -
| >> <Caller Logon ID: -
| >> <Caller Process ID: -
| >> <Transited Services: -
| >> <Source Network Address: -
| >> <Source Port: -
| >> <
| >> <Username / Domain and workstation name have no relation to site where
| >> server
| >> <recorded this.
| >> <
| >> <I thought it maybe an RWW attempt but this gives:-
| >> <Logon Failure:
| >> <Reason: Unknown user name or bad password
| >> <User Name: aaaaaaaaa
| >> <Domain: SERVER
| >> <Logon Type: 3
| >> <Logon Process: Advapi
| >> <Authentication Package: Negotiate
| >> <Workstation Name: SERVER
| >> <Caller User Name: IUSR_SERVER
| >> <
| >> <TIA, have a great day / night depending wherever you are... ;-)
| >> <
| >> <
| >> <
| >> <
| >>
| >
| >
|
|
|
.
- Follow-Ups:
- Re: Bad login alerts
- From: Sasha
- Re: Bad login alerts
- References:
- Bad login alerts
- From: Sasha
- RE: Bad login alerts
- From: Robert Li [MSFT]
- Re: Bad login alerts
- From: Teneo
- Re: Bad login alerts
- From: Teneo
- Bad login alerts
- Prev by Date: Re: Controlling of Client PCs Time Settings
- Next by Date: Re: (Dutch??) Outlook 2003/2007 deleting e-mails
- Previous by thread: Re: Bad login alerts
- Next by thread: Re: Bad login alerts
- Index(es):
Relevant Pages
|
