Help with Kerberos Authentication Error Event ID 529

    Question

  • I have a Server 2003 Enterprise R2 server structure with Windows 7 Enterprise clients. This is an air gap network so I am unable to post logs (nor transfer logs via removable media).

    At some point today, domain users (all users are domain members) were being denied access to network shares. They are able to authenticate with the DC, but their profiles do not load (roaming), and they are denied access to any shared folder despite having NTFS and share permission rights.

    On the file server, which delivers their profile and hosts shares, event ID 529 is recorded, "unknown user name or bad password".

    I created a share on a different server, gave domain users full sharing rights and read/execute permissions and the response indicates the share is inaccessible or the user may have restricted access rights.

    This does not affect domain administrators; they are able to access the same resources users are denied access to. I don't know if any sort of change was made in group policy, but there was never anything changed intentionally that would have created this.

    If anyone knows what the resolution could be or can offer anything to check, your assistance would be hugely appreciated.

    Tuesday, August 27, 2013 9:03 PM

Answers

  • I thank you very much for the advice and assistance.

    After much work on this, I discovered the problem. This file server was set up as a print server. At some point an error occurred with the print spooler service. This caused the security event log to completely fill. We are required to set: Audit: Shut down system immediately if unable to log security audits = enabled. So this caused users to be denied services when the security log reached maximum.

    Normally, an administrator would then simply log on, archive and clear the logs, then user services are restored, but something with respect to group policy on this server would not clear and allow user access.

    After removing domain policy controlling audit logs, several force updates to policy, restarts and removing and returning to domain membership, the shut down policy remained in enabled status and was greyed out and could not be changed even when the server was removed from the domain.

    I did an RSOP for a domain user and it showed Audit: Shut down system immediately if unable to log security audits = enabled, but no policy object enforcing it!

    Eventually I found that the registry value HKLM\System\CurrentControlSet\Control\LSA\crashonauditfail was set to a DWORD 2, and this was the source of the problem (its value is set according to the policy setting above). Following another issue someone had dealt with concerning this same problem, the recommendation was to delete the above key value, restart the server, recreate the key value and set a DWORD value of 1, and then services were restored to users.

    So when users were being denied services to this server due to a hang up in the group policy concerning filled security logs, it recorded a Kerberos related Event ID 529 "unknown user or bad password". I'm not sure if that's expected behavior or peculiar to my server and its issue.

    I want to thank you again for your efforts and time to provide me with troubleshooting advice. Very much appreciated.

    • Proposed as answer by Jesper Arnecke Wednesday, August 28, 2013 9:30 PM
    • Marked as answer by Highspeedlane Wednesday, August 28, 2013 9:34 PM
    Wednesday, August 28, 2013 9:26 PM
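
The condition described in this answer can be confirmed directly on the server. The script below is an added example, not code from the thread; it assumes PowerShell 2.0 or later is installed and uses Microsoft's documented meanings for CrashOnAuditFail (0 = off, 1 = enabled, 2 = triggered, administrators only). It only reads state and changes nothing.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the affected server.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    # The value is absent when the policy has never been enabled; treat that as 0.
    $prop = Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    if ($null -eq $prop) { $value = 0 } else { $value = [int]$prop.CrashOnAuditFail }
    switch ($value) {
        0 { $meaning = 'Off: system keeps running if audits cannot be logged' }
        1 { $meaning = 'Armed: system halts if a security audit cannot be logged' }
        2 { $meaning = 'Tripped: audit logging failed, only administrators may log on' }
        default { $meaning = 'Unexpected value' }
    }
    New-Object PSObject -Property @{ Value = $value; Meaning = $meaning }
}

function Get-SecurityLogUsage {
    # Win32_NTEventLogFile reports the current and maximum size of the Security log.
    $log = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges `
        -Filter "LogfileName='Security'"
    New-Object PSObject -Property @{
        SizeKB          = [math]::Round($log.FileSize / 1KB)
        MaxKB           = [math]::Round($log.MaxFileSize / 1KB)
        PercentFull     = [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
        OverwritePolicy = $log.OverwritePolicy   # 'Never' or 'OutDated' lets the log fill up
        Records         = $log.NumberOfRecords
    }
}

$state = Get-CrashOnAuditFailState
$usage = Get-SecurityLogUsage
$state | Format-List Value, Meaning
$usage | Format-List SizeKB, MaxKB, PercentFull, OverwritePolicy, Records

if ($state.Value -eq 2) {
    # Matches the symptom in this thread: administrators work, ordinary users are refused.
    Write-Warning 'CrashOnAuditFail = 2: non-administrators are being refused access.'
} elseif ($state.Value -eq 1 -and $usage.OverwritePolicy -ne 'WhenNeeded' -and
          $usage.PercentFull -ge 90) {
    Write-Warning 'Security log is nearly full and cannot overwrite; archive and clear it.'
}
```

Running the same check on a schedule against servers where the shutdown-on-audit-failure policy is required gives warning before the log fills, rather than after users are locked out.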

All replies

  • Hi,

    Based on your description, some users in your domain were able to log on, but their roaming user profiles didn’t load, and these users couldn’t access shared folders, right?

    Could you please tell us how many domain users have encountered this failure? Were the passwords of these users expired or changed after logon?

    Normally, Event ID 529 indicates an audit failure which is caused by using an unknown user account or a valid user account with an incorrect password.

    Please log off from the computer, then log on using a valid domain user name and password to see if the problem still exists.

    We need more information to analyze this issue properly. Could you please post more specific error messages and event logs?

    Here are some links below about Event ID 529:

    Event ID 529

    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=529&EvtSrc=Security&LCID=1033

    Security Event 529 is logged for local user accounts

    http://support.microsoft.com/kb/811082

    Kerberos Event ID: 529 is logged when you use a local user account to verify security access or group membership on a Windows Server 2003-based Kerberos client

    http://support.microsoft.com/kb/890477

    Event ID 529 appears every 3-10 minutes with changing caller process id

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/f3e591bb-c9b2-4250-93c2-e6475b19a80a/event-id-529-appears-every-310-minutes-with-changing-caller-process-id

    Best Regards,

    Amy Wang
    Wednesday, August 28, 2013 9:33 AM
  • As Amy writes, 

    make sure there are no old sessions on DC or server. If users persistently use Disconnect rather than log off, this could cause some annoying issues.

    Wednesday, August 28, 2013 10:24 AM
  • Hi,

    Thank you very much for sharing!

    This solution will help lots of people who have similar issues.

    Please feel free to ask us if there are any problems in the future.

    Best Regards,

    Amy Wang
    Thursday, August 29, 2013 12:56 AM