<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 529 - Logon Failure - Unknown user name or bad password </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Tue, 07 Feb 2012 11:56:43 GMT</lastBuildDate><ttl>20</ttl><item><title>Security incidents due to logon type 3</title><link>http://forum.ultimatewindowssecurity.com/Topic874-23-1.aspx</link><description>Hello folks, we have a security log management solution but we are receiving tons of alerts regarding event id 529 with logon type 3. After investigation we found out that in all cases it is because a computer is having problems connecting to AD or because support uses the local Administrator to patch systems or perform other kinds of maintenance, and since we have Active Directory, every time a non-valid user tries to access the Internet it causes access denied because this user is not a valid domain user.&lt;br&gt;&lt;br&gt;So my question is: is there a possible scenario where logon type 3 might represent a real force attack against one of my servers?&lt;br&gt;&lt;br&gt;Regards&lt;br&gt;</description><pubDate>Wed, 14 Dec 2011 16:40:08 GMT</pubDate><dc:creator>cportuguez</dc:creator></item><item><title>Event ID 529 Only Comes with Logon Type and Logon Process the rest is blank</title><link>http://forum.ultimatewindowssecurity.com/Topic833-23-1.aspx</link><description>Logon Failure:&lt;br&gt; 	Reason:		Unknown user name or bad password&lt;br&gt; 	User Name:	&lt;br&gt; 	Domain:		&lt;br&gt; 	Logon Type:	3&lt;br&gt; 	Logon Process:	Kerberos&lt;br&gt; 	Authentication Package:	Kerberos&lt;br&gt; 	Workstation Name:	-&lt;br&gt; 	Caller User Name:	-&lt;br&gt; 	Caller Domain:	-&lt;br&gt; 	
Caller Logon ID:	-&lt;br&gt; 	Caller Process ID:	-&lt;br&gt; 	Transited Services:	-&lt;br&gt; 	Source Network Address:	-&lt;br&gt; 	Source Port:	-&lt;br&gt;&lt;br&gt;Can somebody help me to identify why almost all the information is missing on this event. This event is happening on a DC and these events are happening very often.&lt;br&gt;&lt;br&gt;How can I identify what user is causing the failed attempts, what IP it is using, etc?????</description><pubDate>Tue, 08 Nov 2011 13:32:07 GMT</pubDate><dc:creator>cportuguez</dc:creator></item><item><title>Event ID 529 logged with little detail</title><link>http://forum.ultimatewindowssecurity.com/Topic343-23-1.aspx</link><description>I am getting 529 events logged on my Windows 2003 servers, but the only information they have is the reason of "Unknown user name or bad password", that it is a type 3 (network) logon, Logon process is Kerberos and the authentication package is Kerberos. &lt;/P&gt;&lt;P&gt;Any ideas what could cause this or how I could get more details?</description><pubDate>Mon, 22 Mar 2010 05:49:50 GMT</pubDate><dc:creator>richard.hart@barclays.com</dc:creator></item><item><title>529 &amp; 680 logged every 8 hours on DC</title><link>http://forum.ultimatewindowssecurity.com/Topic727-23-1.aspx</link><description>I'm seeing a pair of event id 529 failure audits logged exactly every 8 hours  (to the second) on my primary DC (2003), but I cannot figure out what is causing it (i.e. what or who is trying to logon). &lt;/p&gt;&lt;p&gt;The 'user name' identified by the 529 event is a  domain admin (user) account. It is 'logon type:3' so it's trying to connect to a  network share or IIS. The 'logon process' is "advapi" (Windows advanced API?). &lt;br&gt;'workstation name' is the name of the PDC this event was logged on. 'caller  user name' is the "machine account" for the PDC (i.e. the same computer name with $ at  the end). 
I was thinking 'workstation name' was the machine that logged the  event (the target) and 'caller name' was the "source" machine, but 'source  network address' in this case is the IP of a (backup) DC (also 2003). So, I guess I'm not understanding  what these fields are referring to. &lt;br&gt;'caller process id' points to  lsass.exe--assuming this process id is referring to the PDC in this case. I've  observed no process with that id on the machine identified by the source  network address (the backup DC). Is 'caller process id' the process id on the  target machine that the source user/machine is using? or the process id on the  source machine?  FYI: the 'caller process id' is always the same ("544").&lt;br&gt;Two "Failure Audit" Event ID 680 events occur at the exact same time as the 529 events, every time they are logged.  These events show the 'logon account' is the same as the 'user name' in the 529 events.  The 'source workstation' is the same as the 'workstation name' in the 529 events. The error code is 0xC000006A.  I understand this means the user is successfully authenticated via NTLM instead of Kerberos, but I still can't figure out what is triggering these event log entries. &lt;/p&gt;&lt;p&gt;Can you tell me where else to look?&lt;/p&gt;&lt;p&gt;SAMPLE EVENT ID: 529&lt;/p&gt;&lt;p&gt;logon failure:&lt;br&gt;reason:unknown user name or bad password&lt;br&gt;user name:admin_sun&lt;br&gt;domain:suntech&lt;br&gt;logon type:3&lt;br&gt;logon process:advapi  &lt;br&gt;authentication package:negotiate&lt;br&gt;workstation name:sundata&lt;br&gt;caller user name:sundata$&lt;br&gt;caller domain:suntech&lt;br&gt;caller logon id:(0x0,0x3e7)&lt;br&gt;caller process id:544&lt;br&gt;transited services:-&lt;br&gt;source network address:10.129.10.27&lt;br&gt;source port:9405     [THE PORTS APPEAR TO BE RANDOM, ALTHOUGH EACH PAIR OF EVENTS USES PORTS 2 APART: e.g. 
9405 &amp;amp; 9407, 56748 &amp;amp; 56750, etc.]&lt;/p&gt;&lt;p&gt;SAMPLE EVENT ID: 680&lt;/p&gt;&lt;p&gt;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&lt;br&gt; Logon account: admin_vapor&lt;br&gt; Source Workstation: VAPORDATA&lt;br&gt; Error Code: 0xC000006A&lt;br&gt;</description><pubDate>Mon, 13 Jun 2011 18:30:35 GMT</pubDate><dc:creator>simplifi</dc:creator></item><item><title>Event ID 529 with username : User and SYSTEM</title><link>http://forum.ultimatewindowssecurity.com/Topic671-23-1.aspx</link><description>Hi,&lt;br&gt;&lt;br&gt;   I am getting many logs (From my 2003 DC) with Event ID 529 that have username : [b]User [/b]and Caller username : [b]SYSTEM[/b].  Anyone have any idea what generates that?&lt;br&gt;&lt;br&gt;Thanks.</description><pubDate>Tue, 10 May 2011 14:11:46 GMT</pubDate><dc:creator>phoenixsecure</dc:creator></item><item><title>Cannot correlate Caller Logon ID which is in Hex</title><link>http://forum.ultimatewindowssecurity.com/Topic620-23-1.aspx</link><description>I have multiple instances of a 529 type 3 happening in Win 2003 svr. I cannot leverage the little information that is available in the event properties.&lt;/P&gt;&lt;P&gt;Caller Logon ID: (0x0,0x3E7)&lt;/P&gt;&lt;P&gt;Is there a ref somewhere that matches up this hex to process or user account?&lt;/P&gt;&lt;P&gt;Thanks for any advice you may have.&lt;/P&gt;&lt;P&gt;-C</description><pubDate>Mon, 21 Mar 2011 10:44:41 GMT</pubDate><dc:creator>cstaubin</dc:creator></item><item><title>Workstation Names in LOG</title><link>http://forum.ultimatewindowssecurity.com/Topic342-23-1.aspx</link><description>Hi, I've been trying to work out what this means for a while now, not found anything online about it at all. All logon types I get are logon type 3; no idea why I don't see any other type apart from 0. I am also trying to work out why most of the logon failures are logged when attempting to access \\TMP Workstation. 
I'm guessing TMP stands for Temp, possibly a network share?</description><pubDate>Thu, 18 Mar 2010 12:55:43 GMT</pubDate><dc:creator>Darryl</dc:creator></item><item><title>source network address</title><link>http://forum.ultimatewindowssecurity.com/Topic262-23-1.aspx</link><description>Is there any way to get XP Pro to log the source network address in event 529 - or in another event? I am logging event 529 but there is no source IP address shown.</description><pubDate>Tue, 10 Nov 2009 11:26:12 GMT</pubDate><dc:creator>southside_steve</dc:creator></item><item><title>Logon types question</title><link>http://forum.ultimatewindowssecurity.com/Topic183-23-1.aspx</link><description>Randy,&lt;br&gt;&lt;br&gt;Currently we are using GFI for event log management and when I run a report on 'Failed Logins' pulling from event ID 529, under 'logon type' 99.9% of them show as 'Network'. If I run a report looking for 'interactive' there are none. Any idea why the majority of failed logins under event ID 529 show up as 'Network' with very little listed as 'interactive'?&lt;br&gt;&lt;br&gt;Thanks</description><pubDate>Mon, 24 Aug 2009 14:51:19 GMT</pubDate><dc:creator>jwalzer</dc:creator></item><item><title>Event on DCs when unknown password is used</title><link>http://forum.ultimatewindowssecurity.com/Topic212-23-1.aspx</link><description>Randy, &lt;/P&gt;&lt;P&gt;I want to document the use of wrong password during the try-to-logon-process initiated on a Member Server (or Client Computer) when the user uses its domain account. I thought that 529 will be logged on security event log on DC but it isn't so. Could you please tell me how I will be able to document the occurrence of wrong password while a user is trying to log on at a member server or workstation with his domain account? &lt;/P&gt;&lt;P&gt;Thanks in advance. 
&lt;/P&gt;&lt;P&gt;Alex</description><pubDate>Wed, 16 Sep 2009 09:47:22 GMT</pubDate><dc:creator>alex.fischer</dc:creator></item><item><title>not logging 529 errors</title><link>http://forum.ultimatewindowssecurity.com/Topic100-23-1.aspx</link><description>Randy,&lt;/P&gt;&lt;P&gt;I have created a GPO in which I am logging both successful and failure for 'Audit account logon events' and 'Audit logon events'.  I am distributing this GPO to all DC's and member servers.  I deliberately tried to logon to a DC with an incorrect password for the domain Administrator account, but for some reason I am not logging any 529's on the DC or any other DC.  What am I doing wrong?</description><pubDate>Tue, 09 Jun 2009 09:47:35 GMT</pubDate><dc:creator>cmpyx</dc:creator></item></channel></rss>
