InstantForum.NET v4.1.4UltimateWindowsSecurity.com Forumhttp://forum.ultimatewindowssecurity.com/noreply@ultimatewindowssecurity.comTue, 07 Feb 2012 12:18:27 GMT20http://forum.ultimatewindowssecurity.com/Topic175-34-1.aspxI can't test it right now but my memory and knowledge of the difference between the 2 protocols says you may be right. However there should be a field in the 540 event that specifies the workstation IP address.Fri, 14 Aug 2009 07:39:28 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic175-34-1.aspxHi,</P><P>I am doing audit review for my company. In a server I can see in the log for EID - 540 from which workstation the access is made.</P><P><U>Here I is the see log details</U>:</P><P>"Successful Network Logon: User Name: <STRONG>$nrddu</STRONG> Domain: sdap Logon ID: (0x0,0x5F637364) Logon Type: 3 Logon Process: <STRONG>NtLmSsp Authentication Package: NTLM Workstation Name</STRONG>: <STRONG>Htf1</STRONG></P><P>Here I can not see the same in the server :</P><P>"Successful Network Logon: User Name: <STRONG>$nrddu</STRONG> Domain: sdap Logon ID: (0x0,0x5F669D39) Logon Type: 3 Logon Process: <STRONG>Kerberos Authentication Package: Kerberos Workstation Name</STRONG>:</P><P>Is there any differnace in this NtLmSsp Authentication Package and Kerberos Authentication Package in capturing the logs...</P><P>Kishore</P><P><A href="mailto:kishoressk@rediffmail.com"></A> Fri, 14 Aug 2009 03:18:41 GMTkitchu25