WSS 3.0 Search Service Account Event ID 537 Logon Failure
-
Thursday, March 08, 2007 2:45 PM
I have the search service configured on our SharePoint 3.0 system and it is working perfectly. I am able to search everything (lists, documents, etc) and it works as one would think it should. The only problem is that every time any change is made to any of the site's content the SharePoint server logs several (usually 8) failure events as shown below. As you can imagine this is logging thousands of failure events per day.
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Logon/Logoff
EVENT ID 537
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME <removed server name>
TIME 2/27/2007 11:05:24 AM
MESSAGE Logon Failure:
Reason: An error occurred during logon
User Name: <removed SharePoint search service domain account>
Domain: <removed domain name>
Logon Type: 3
Logon Process: ¬øê
Authentication Package: NTLM
Workstation Name: <removed server name>
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: <removed IP address>
Source Port: 0
The newly added items are in fact being added to the search because I can immediately (within a minute or two) search for keywords in the documents and they are returned in the search listing. I have researched this particular error code and evidently the code 0xC000006D denotes "The attempted logon is invalid due to a bad user name". But if that were true then wouldn't the search service be failing completely? And what is the garbage in the Logon Process?
I have verified that the search service account is correct and that the password is correct. I have logged into the SharePoint and SQL servers as the search service account to ensure that the username and password work. I have even tried making the search service account a domain admin and a sys admin on the SQL server with dbo rights to all SharePoint databases. Nothing I try will make this error go away. Any ideas?
All Replies
-
Tuesday, July 03, 2007 4:26 PM
Interesting, I am having the exact same problem, down to the strange characters in the Logon Process field. Any help resolving this would be great.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 7/3/2007
Time: 9:05:07 AM
User: NT AUTHORITY\SYSTEM
Computer: <SharePoint server name>
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: <Sharepoint Search User>
Domain: <Domain Removed>
Logon Type: 3
Logon Process: š|”ðæ
Authentication Package: NTLM
Workstation Name: <SP Server>
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: <removed>
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
-
Tuesday, July 03, 2007 6:38 PM
This may not help but do you have Kerberos configured on your network? If so, do you have valid SPNs configured for your SP server? I noticed from your event log that you have NTLM set. I get similar errors when there is a Kerberos SPN issue.
I hope this helps....
Shola.
-
Friday, April 18, 2008 3:11 AM
Did you ever find a solution for this? I am facing the same issue.
-
Sunday, July 06, 2008 7:33 PM
OK guys, here's the fix:
Method 1: Disable the loopback check
Follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.
Method 2: Specify host names
To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3. Right-click MSV1_0, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames, and then press ENTER.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
7. Quit Registry Editor, and then restart the IISAdmin service.
Personally, use method 1 first and see how you get on. Worked like a charm for me.
Look up KB896861 for more information.
- Proposed As Answer by djn486 Friday, June 05, 2009 1:33 AM
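The registry steps from the answer above, scripted in PowerShell as an added example that is not part of the original post or of KB896861: it reports both values and, with -Apply, merges host names into BackConnectionHostNames (Method 2), which exempts only the listed names and leaves the loopback check active for all others. The script parameters and the sample host name are assumptions.

```powershell
# Added example: report, and optionally apply, the Method 2 registry setting.
# Run from an elevated prompt on the SharePoint server.
param(
    # Constructed sample value; replace with the host names of the local sites.
    [string[]]$HostNames = @('intranet.example.test'),
    # Without -Apply the script only reports and writes nothing.
    [switch]$Apply
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Read both values; a value that does not exist comes back as $null.
$dlc  = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
            -ErrorAction SilentlyContinue).DisableLoopbackCheck
$bchn = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
            -ErrorAction SilentlyContinue).BackConnectionHostNames
$existing = @($bchn | Where-Object { $_ })

if ($dlc -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the loopback check is off for every host name (Method 1).'
} else {
    Write-Output 'DisableLoopbackCheck is not set to 1: the loopback check is active.'
}
Write-Output ('BackConnectionHostNames: ' +
    $(if ($existing) { $existing -join ', ' } else { '<not set>' }))

if ($Apply) {
    # Keep existing entries, add the new ones, drop duplicates (case-insensitive).
    $merged = [string[]]@($existing + $HostNames | Sort-Object -Unique)
    # -Force overwrites the value if it already exists, keeping the REG_MULTI_SZ type.
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    Write-Output ('BackConnectionHostNames now: ' + ($merged -join ', '))
    Write-Warning 'Restart the IISAdmin service for the change to take effect (step 7 of Method 2).'
}
```

Running it without -Apply on each server gives a quick inventory of where Method 1 has been used.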
-
Tuesday, November 29, 2011 2:44 PM
Thanks that fixed it for me. I had the exact same symptoms. It took me ages to get to this page, so I am very grateful!

