locked
machine authentication oddity RRS feed

  • Question

  • I'm seeing AD Authentication Failed messages in the console for systems that should trigger that alert. However, the alert description is showing a %%5 every time similar to below -

        The session setup from the computer XYZZY failed to authenticate. The following error occurred: %%5

    I've got ADMP 6.0.6452, but this hasn't happened until recently. The only changes prior to this starting to occur was setting up a newer DC as a proxy agent that hadn't been set previously and applying the latest batch of MS OS-related patches from the last couple of patch Tuesdays. Any ideas?

    -J.
    Thursday, September 10, 2009 4:38 AM

Answers

  • Yep. It appears to be formatted normally. The event source is NETLOGON, the Event Id 5805, and the text is -

    The session setup from the computer XYZZY-PC failed to authenticate. The following error occurred:

    Access is denied.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    I do remember similar alerts showing 'Access is denied' in the past. I'm not sure why it would be problematic now. The data for the alert is as follows:

    0000: c0000022

    Friday, September 11, 2009 4:43 AM

All replies

  • Hi,
    Which rule generate these alerts? If you look at the rule, which event does it look for?
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Thursday, September 10, 2009 7:13 AM
  • The rule that's generating them is 'The AD Account Authentication Failures Report has data available'

    The expressions its checking from the System log are -

    Event Source Equals Netlogon
    Event ID Matches OpsMgr 2005 boolean regular expressions ^(5805)$
    Thursday, September 10, 2009 7:24 AM
  • If you look at the source server, is the event normal formatted, the event that triggered the alert?

    --

    Anders Bengtsson
    Microsoft MVP - Operations Manager
    www.contoso.se

    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Thursday, September 10, 2009 7:19 PM
  • Yep. It appears to be formatted normally. The event source is NETLOGON, the Event Id 5805, and the text is -

    The session setup from the computer XYZZY-PC failed to authenticate. The following error occurred:

    Access is denied.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    I do remember similar alerts showing 'Access is denied' in the past. I'm not sure why it would be problematic now. The data for the alert is as follows:

    0000: c0000022

    Friday, September 11, 2009 4:43 AM
  • "Mark as Answer", no activity for a month. Feel free to re-open this
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Monday, November 23, 2009 10:24 PM
  • Hello,

    Any Info on this matter as I setup a rule with an alert on the event ID 5805 and I am getting also the %%5 and miss "Access is denied"

    Thanks,

    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager


    • Edited by Felyjos Wednesday, June 27, 2012 12:39 AM
    Saturday, June 23, 2012 5:11 PM
  • ?bump?

    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Wednesday, June 27, 2012 12:39 AM
  • so, whats your solution?
    Friday, March 21, 2014 2:19 AM
  • how to solve this? please advice
    Friday, March 21, 2014 2:20 AM