Microsoft Windows Bulletin Board

Lots of Event Security logs 529?? Explanation Please



Guest Super Boobahlicious
Posted

I have so many events in Failure Audit logs lately. I know that this type of event is not necessarily directed at login to the local machine.

However I still don't understand how these sessions are interpreted by the system as if the machine is trying to log into the system?? even though not..

Any valid useful explanation??

Event is 529
Login Failure
Reason: Unknown user name or Password
User Name: mytest
Domain:SErver_app
Logon Type:3
Logon Process: NTLMssP
Workstation Name:mytest

Guest Roger Abell [MVP]
Posted

"Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com> wrote

in message news:33EB53AA-2089-4260-A7B8-26EA7EE52D88@microsoft.com...

> I have so many events in Failure Audit logs lately. I know that this type
> of event is not necessarily directed at login to the local machine.
>
> However I still don't understand how these sessions are interpreted by the
> system as if the machine is trying to log into the system?? even though
> not..
>
> Any valid useful explanation??
>
> Event is 529
> Login Failure
> Reason: Unknown user name or Password
> User Name: mytest
> Domain:SErver_app
> Logon Type:3
> Logon Process: NTLMssP
> Workstation Name:mytest

 

For this event you asked
> Any valid useful explanation??
and of course there is.

This shows that there is some process on machine "mytest" that is attempting to do a network login to the machine where this event is recorded using an account server_app\mytest (which is an admin/user defined account, not the machine itself which would appear as server_app\mytest$ ) and this shows the login attempts are failing.

Examine that machine's running processes and also look for traces of that domain principal.
If the here all important missing $ in the account name is due to your having edited the event message, then provide the actual unedited message - little changes can make big changes in meaning.

Guest Super Boobahlicious
Posted

Roger, thank you for the feedback.

Here is the unedited version of one of the failures..
Can you please explain a bit more.. I'm kind of confused?

How come this server is also intercepting all login failures.. Even though not addressed to himself??

Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM My-server-FS "Logon Failure:
Reason: Unknown user name or bad password
User Name: Dell
Domain: DVDZ1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DVDZ1 "

Guest Roger Abell [MVP]
Posted

"Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com> wrote

in message news:BCD43873-B032-4FBD-B0D4-89A4B7098F5D@microsoft.com...

> Roger, thank you for the feedback.
>
> Here is the unedited version of one of the failures..
> Can you please explain a bit more.. I'm kind of confused?
>
> How come this server is also intercepting all login failures.. Even though
> not addressed to himself??

>

 

Hi Boobahlicious,

I do not know why you say "even though not addressed to himself".
If the event appears in non-DC ServerA's security event log then the event is about an attempt to log into ServerA.
The event mentions a Domain of the attempted account and a Workstation (in this case they are the same) which are info about the account and the origin machine. As these are the same in this new example, this is saying that an account named Dell defined on machine DVDZ1 tried access from machine DVDZ1.
An event like this can happen if someone just tries to open up a share seen in network neighborhood while logged in with a machine local account (DVDZ1\Dell).

Roger

 

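The reading of event 529 given in the replies above, as an added example that is not part of the original thread: it parses the event description, flags whether the account is a machine account (trailing `$`), whether it is local to the origin machine (Domain equals Workstation Name), and counts failures per origin to show which machine to examine. The function names are hypothetical and the sample events are retyped from the posts above.

```python
from collections import Counter

# Sample input: the two 529 descriptions quoted in the thread, retyped here.
EVENT_A = """Logon Failure:
Reason: Unknown user name or bad password
User Name: Dell
Domain: DVDZ1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DVDZ1"""

EVENT_B = """Login Failure
Reason: Unknown user name or Password
User Name: mytest
Domain:SErver_app
Logon Type:3
Logon Process: NTLMssP
Workstation Name:mytest"""

def parse_529(text):
    """Return the 'Field: value' pairs of a 529 description as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips headings such as "Logon Failure:"
            fields[key.strip().lower()] = value.strip().strip('"').strip()
    return fields

def triage_529(text):
    """Interpret one event the way the thread describes."""
    f = parse_529(text)
    user, domain = f.get("user name", ""), f.get("domain", "")
    origin = f.get("workstation name", "")
    return {
        "account": f"{domain}\\{user}",
        "origin": origin,                        # machine the attempt came from
        "network_logon": f.get("logon type") == "3",
        "machine_account": user.endswith("$"),   # e.g. server_app\mytest$
        "local_to_origin": bool(origin) and domain.lower() == origin.lower(),
    }

def noisy_sources(events):
    """Count failures per (origin, account), most frequent first."""
    counts = Counter()
    for text in events:
        t = triage_529(text)
        counts[(t["origin"].lower(), t["account"].lower())] += 1
    return counts.most_common()
```

The pair at the top of `noisy_sources` names the origin machine whose running processes and logged-in account should be examined first.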
