Event ID 537- NTLM logon errors on SBS 2003

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "Simon" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Fri, 6 Nov 2009 10:16:10 +0100

---

Hi,

I get hundereds of event ID 537 during daytime in the security log of our
SBS Server 2003 (german version) with the statuscode 0x80090308 and
substatuscode 0x0. A search with google gave me some hints, that this
problem could be related to Trend Micro Worry Free Business Security 6.0.
The solutions provided did not helpyet. I did a fresh install of the trend
WFBS 6.0 last weekend without success. Could you please help me, how I could
pinpoint the workstation and the service causing the problem? The eventlog
does not show which workstation or service is causing the faild login. I am
even not shure if Trend Micro is the real problem.

Virus should not be the source of the problem. We did a scan of every
workstations with third party antivirus software, just to exclude it. The
problem starts during daytime, when the employees start to work and ends in
the evening. So I concluded the problem might be a workstation. The error
repeats itself every few minutes in bursts of say 5 to 6 attempts. This
gives me about 7'000 entries in the security log a day.

Any hints how to pinpoint the culprit workstation an service will be highly
appreciated

Regards
Simon



Ereignistyp: Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 537
Datum: 06.11.2009
Zeit: 08:27:49
Benutzer: NT-AUTORITÄT\SYSTEM
Computer: SERVER
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund: Während der Anmeldung ist ein Fehler aufgetreten.
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: 
Authentifizierungspaket: NTLM
Name der Arbeitsstation:
Statuscode: 0x80090308
Substatuscode: 0x0
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: -
Quellport: -


Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter
http://go.microsoft.com/fwlink/events.asp.


.

---

• Follow-Ups:
  • RE: Event ID 537- NTLM logon errors on SBS 2003
    • From: "Robbin Meng [MSFT]"

• Prev by Date: Re: SBS2003: Email alias - separate into a different folder
• Next by Date: Re: SBS backup reminder
• Previous by thread: Report backup outcome
• Next by thread: RE: Event ID 537- NTLM logon errors on SBS 2003
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: a forensic question ... > findstring then do the same for any network drive access they have. ... > it the slave on a machine with Easy Recovery Pro installed. ... But she discovered that some important files on her workstation ... >> security log of the PDC? ... (comp.security.misc) Re: Why are my workstations changing their passwords? ... One question about the machines, are they cloned without sysprepping them? ... single workstation every 1-2 minutes. ... Always test ANY suggestion in a test environment before ... in the security log on all domain controllers for Event 565. ... (microsoft.public.windows.server.active_directory) Re: Event ID 560 Problem ... >Error 560s usually refer to object access. ... >whenever a user makes a connection to something out on ... >> this repeated event in my security log that I can't ... Whenever someone log off their workstation, ... (microsoft.public.win2000.security) Re: Security Event logs dont match ... I am not saying that the DC log is untrustworthy; ... The DC's log says that it was accessed remotely from his workstation from ... >> The primary domain controller security log says that Steve ... >> that time, but contains login info from that morning, and ... (microsoft.public.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2009-11