Forum Newbie
      
Group: Forum Members
Last Login: 3/22/2010 5:42:28 AM
Posts: 1,
Visits: 1
I am getting 529 events logged on my Windows 2003 servers, but the only information they have is the reason of "Unknown user name or bad password", that it is a type 3 (network) logon, Logon process is Kerberos and the authentication package is Kerberos. Any ideas what could cause this or how I could get more details?
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 324,
Visits: 0
It simply means someone is trying to log on over the network, probably to a shared folder, with either a bad username or bad password.
Forum Newbie
      
Group: Forum Members
Last Login: 9/20/2011 2:39:11 PM
Posts: 4,
Visits: 0
Hi
I noticed similar events on my DC. This is an example of event ID 529 which is logged countless times:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: xxxxx
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
I also noticed event ID 680 on the DC:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation:
Error Code: 0xC0000064
According to Randy's encyclopedia, 0xC0000064 means "user name does not exist". As far as I know, NTLM is only used for Windows 2000 machines (which is not the case) or if a local user account is used.
How can I find out where this is coming from if no source IP, source workstation or user name is logged?
Thanks
Stefan
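One way to triage records like the 529 and 680 events quoted above, as an added example that is not part of the original thread: it tallies failures by logon type, process and package, decodes the 680 error code, and lists the records that carry no origin field at all. It assumes the event descriptions were exported as text with a blank line between records; the function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter
# NTSTATUS values seen in the "Error Code" field of event 680
NTSTATUS = {0xC0000064: "user name does not exist",
            0xC000006A: "bad password",
            0xC0000234: "account locked out"}

# Constructed sample in the layout quoted above (not real log data)
SAMPLE = """\
Logon Failure:
User Name:
Domain: xxxxx
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Source Network Address: -

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation:
Error Code: 0xC0000064
"""

def parse_events(text):
    """Split exported event text on blank lines; return one field dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so IPv6 values survive
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

ORIGIN = ("User Name", "Workstation Name", "Source Network Address", "Logon account", "Source Workstation")

def triage(events):
    """Return (failures per auth path, decoded 680 codes, indexes of records with no origin)."""
    paths, codes, blind = Counter(), Counter(), []
    for i, ev in enumerate(events):
        if "Logon Type" in ev:
            paths[(ev["Logon Type"], ev.get("Logon Process"), ev.get("Authentication Package"))] += 1
        if "Error Code" in ev:
            codes[NTSTATUS.get(int(ev["Error Code"], 16), "unrecognized")] += 1
        if all(ev.get(k, "") in ("", "-") for k in ORIGIN):  # empty or "-" means nothing logged
            blind.append(i)
    return paths, codes, blind
```

Records that land in the third result are the ones the log alone cannot attribute, so they have to be correlated by timestamp with another source.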