locked
Unknown user name or bad password for IUSR_machinename RRS feed

  • Question

  • I am getting error Unknown user name or bad password in security event log for SharePoint web application. We are using admin account for app pool and using NTLM

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 5/1/2012
    Time: 9:29:22 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MachineName
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: IUSR_Machinename
    Domain:
    Logon Type: 8
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: MachineName
    Caller User Name: adminaccount
    Caller Domain: companydomain
    Caller Logon ID: (0x0,0x1B1C4)
    Caller Process ID: 3688
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I tried run with Admin scripts and i

    Any help really appreciated.


    Sharepoint Analyst/Developer Pritesh Dhameliya

    Tuesday, May 1, 2012 2:29 PM

Answers

  • The CLR exception -code e0434f4d just mean that a clr exception was thrown, you should continue the execution. or you can just ignore the first chance exception per this Document.

    Thanks,


    Lambda Zhao

    TechNet Community Support

    Friday, May 4, 2012 9:08 AM

All replies

  • Hi PriteshPatel357

    The Logon Process Name ADVAPI indicates that API LogonUser/LogonUserEx is called. ADVAPI is the DLL for advanced windows api’s and is used in a lot of OS related code.

    The Logon Type 8 means that a network logon is performed and the password was sent over the network in clear text.

    So this event means that someone is trying to logon your computer with wrong username and password. Do you ever changed your password and forgot to update it to other computers?

    You may follow these steps to find out the reason:

    1. Find out what Process the id 3688 is
    2. You may use WinDBG and attach to the process 3688
    3. Set breakpoint on the API LogonUser entry and dump the Call Stack like this:(you should use public PDB files for DLL’s)
    bp ADVAPI32!LogonUserA "k 100;.time;g"

    1. You can find out clue to the logon action by the Call Stack. Such as keyword SMTP_CONNECTION means that someone is login on using SMTP message
    2. You may also use TCP tracer(e.g. wireshark) to find out which server is trying to logon.

    Please refer to these link for more information

    http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx

    http://yashcare.blogspot.com/2008/05/solved-account-lockout-issue.html

    http://blogs.msdn.com/b/spatdsg/archive/2005/12/23/507103.aspx

    Hope that helps.

    Thanks,


    Lambda Zhao

    TechNet Community Support


    Wednesday, May 2, 2012 3:08 AM
  • it says auth package:negotiate. That is Kerberos. IM not 100% famaliar with these logs but that may be worth checking at least. That would be consistent with your error if you do not have an SPN registered and your web app is failing
    Wednesday, May 2, 2012 3:12 AM
  • Hi Lambda Zhao,

    This is very useful information.

    I followed your steps in WinDBG and get error description "CLR exception - code e0434f4d (first chance)". I didn't get solution for this error description.

    Do you get idea for this error message? Once again thank you for help. 

    Avatar of Lambda Zhao

    Lambda Zhao

    Wicresoft

    MSFT CSG

    455 Points810
    Recent Achievements
    First Helpful VoteCode Answerer IIForums Answerer II

    Sharepoint Analyst/Developer Pritesh Dhameliya

    Wednesday, May 2, 2012 3:12 PM
  • The CLR exception -code e0434f4d just mean that a clr exception was thrown, you should continue the execution. or you can just ignore the first chance exception per this Document.

    Thanks,


    Lambda Zhao

    TechNet Community Support

    Friday, May 4, 2012 9:08 AM