UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 529 - Logon Failure - Unknown user name or bad password / Event ID 529 logged with little detail / Latest Posts

RE: Event ID 529 logged with little detail

JavierC — Thu, 13 Oct 2011 18:02:11 GMT

Hi,

Check this post http://forum.ultimatewindowssecurity.com/FindPost813.aspx

Javier

RE: Event ID 529 logged with little detail

stefan — Tue, 11 Oct 2011 11:49:25 GMT

Hi

I noticed similar events on my DC. This is an example of event ID 529 which is logged countless times:

[b]Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: xxxxx
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -[/b]

I also noticed event ID 680 on the DC:

[b]Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation:
Error Code: 0xC0000064[/b]

According to Randy's encyclopedia, 0xC0000064 means "user name does not exist". As far as I know, NTLM is only used for Windows 2000 machines (which is not the case) or if a local user account is used.

How can I find out where this is coming from if no source IP, source workstation or user name is logged?

Thanks
Stefan

RE: Event ID 529 logged with little detail

RandyFranklinSmith — Thu, 25 Mar 2010 08:42:53 GMT

it simply means someone is trying to logon over the network, probably to a shared folder, with either a bad username or bad password.

Event ID 529 logged with little detail

richard.hart@barclays.com — Mon, 22 Mar 2010 05:49:50 GMT

I am getting 529 events logged on my Windows 2003 servers, but they only information they have is the reason of "Unknown user name or bad password" , that it is a type 3 (network) logon, Logon process is Kerberos and the authentication package is Kerberos.

Any ideas what could cause this or how I could get more details?