Remove From My Forums

machine authentication oddity

Question
0

Sign in to vote

I'm seeing AD Authentication Failed messages in the console for systems that should trigger that alert. However, the alert description is showing a %%5 every time similar to below -

The session setup from the computer XYZZY failed to authenticate. The following error occurred: %%5

I've got ADMP 6.0.6452, but this hasn't happened until recently. The only changes prior to this starting to occur was setting up a newer DC as a proxy agent that hadn't been set previously and applying the latest batch of MS OS-related patches from the last couple of patch Tuesdays. Any ideas?

-J.

Thursday, September 10, 2009 4:38 AM

Answers

0

Sign in to vote
Yep. It appears to be formatted normally. The event source is NETLOGON, the Event Id 5805, and the text is -

The session setup from the computer XYZZY-PC failed to authenticate. The following error occurred:

Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I do remember similar alerts showing 'Access is denied' in the past. I'm not sure why it would be problematic now. The data for the alert is as follows:

0000: c0000022
- Marked as answer by .Anders BengtssonMicrosoft employee Monday, November 23, 2009 10:23 PM
Friday, September 11, 2009 4:43 AM

All replies

0

Sign in to vote

Hi,
Which rule generate these alerts? If you look at the rule, which event does it look for?
Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se

Thursday, September 10, 2009 7:13 AM
0

Sign in to vote

The rule that's generating them is 'The AD Account Authentication Failures Report has data available'

The expressions its checking from the System log are -

Event Source Equals Netlogon
Event ID Matches OpsMgr 2005 boolean regular expressions ^(5805)$

Thursday, September 10, 2009 7:24 AM
0

Sign in to vote

If you look at the source server, is the event normal formatted, the event that triggered the alert?

--

Anders Bengtsson
Microsoft MVP - Operations Manager
www.contoso.se

Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se

Thursday, September 10, 2009 7:19 PM
0

Sign in to vote
Yep. It appears to be formatted normally. The event source is NETLOGON, the Event Id 5805, and the text is -

The session setup from the computer XYZZY-PC failed to authenticate. The following error occurred:

Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I do remember similar alerts showing 'Access is denied' in the past. I'm not sure why it would be problematic now. The data for the alert is as follows:

0000: c0000022
- Marked as answer by .Anders BengtssonMicrosoft employee Monday, November 23, 2009 10:23 PM
Friday, September 11, 2009 4:43 AM
0

Sign in to vote

"Mark as Answer", no activity for a month. Feel free to re-open this
Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se

Monday, November 23, 2009 10:24 PM
0

Sign in to vote
Hello,

Any Info on this matter as I setup a rule with an alert on the event ID 5805 and I am getting also the %%5 and miss "Access is denied"

Thanks,

Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
- Edited by Felyjos Wednesday, June 27, 2012 12:39 AM
Saturday, June 23, 2012 5:11 PM
0

Sign in to vote

?bump?
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

Wednesday, June 27, 2012 12:39 AM
0

Sign in to vote

so, whats your solution?

Friday, March 21, 2014 2:19 AM
0

Sign in to vote

how to solve this? please advice

Friday, March 21, 2014 2:20 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

machine authentication oddity

Question

Answers

All replies