Event ID 529 logged with little detail Expand / Collapse
Author
Message
Posted 3/22/2010 5:49:50 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/22/2010 5:42:28 AM
Posts: 1, Visits: 1
I am getting 529 events logged on my Windows 2003 servers, but they only information they have is the reason of "Unknown user name or bad password" , that it is a type 3 (network) logon, Logon process is Kerberos and the authentication package is Kerberos.

Any ideas what could cause this or how I could get more details?

Post #343
Posted 3/25/2010 8:42:53 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
it simply means someone is trying to logon over the network, probably to a shared folder, with either a bad username or bad password.
Post #344
Posted 10/11/2011 11:49:25 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 9/20/2011 2:39:11 PM
Posts: 4, Visits: 0
Hi

I noticed similar events on my DC. This is an example of event ID 529 which is logged countless times:

Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: xxxxx
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


I also noticed event ID 680 on the DC:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation:
Error Code: 0xC0000064


According to Randy's encyclopedia, 0xC0000064 means "user name does not exist". As far as I know, NTLM is only used for Windows 2000 machines (which is not the case) or if a local user account is used.

How can I find out where this is coming from if no source IP, source workstation or user name is logged?

Thanks
Stefan
Post #815
Posted 10/13/2011 6:02:11 PM
Genius

GeniusGeniusGeniusGeniusGeniusGeniusGeniusGenius

Group: Forum Members
Last Login: 12/22/2011 4:55:21 PM
Posts: 12, Visits: 3
Hi,

Check this post http://forum.ultimatewindowssecurity.com/FindPost813.aspx

Javier

Post #818
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 3:42am

Upcoming Webinars
    Additional Resources