Security alert Event ID: 529 Logon type: 3

  • Question

  • Logon Failure:
    Reason: Unknown user name or bad password
    User Name: susan (different every few mins)
    Domain:
    Logon Type: 3
    Logon Process: Advapi 
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: pcname
    Caller User Name: username
    Caller Domain: our romain
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 9692
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Anyone have any idea what it could be on our server causing this? It has been happening for about a month, on and off.

    Tuesday, May 21, 2013 8:57 AM

Answers

  • These are "users" trying to sign in with a user/password combination that is not valid. The logon type indicates the "user" attempts to use a shared resource or service via the network (like a fileshare). Check the process ID (PID) in Task Manager on your server to possibly find a clue on what service is being used.

    Such failed attempts are common and should not pose a direct security risk with a well-configured password policy (except for users not being able to log in/use network resources because their account got locked).

    BUT... if this happens a lot, you should wonder whether this is still possibly the result of your users or a few computers (that are not joined to the domain) that are configured with wrong credentials somehow; this usually shows because username and computername match 'reality'. Instead, this could also be a brute-force attack executed by some malware on a client machine, or, if the machine is connected to the internet, an attempt to break into your network.

    Investigate the computer 'pcname' for malicious software and/or check for possible cached credentials. If the server is connected to the internet, verify your firewall settings.

    There are some nice blog entries that do full-blown troubleshooting on the logons (but I would still suggest taking a look at the client computer(s) first).

    http://blogs.msdn.com/b/spatdsg/archive/2005/12/23/507103.aspx
    http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx

    Also take a look at the related topics on the right-hand side; there are a lot of solved ones containing good solutions or troubleshooting info!


    MCP/MCSA/MCTS/MCITP


    • Edited by SenneVL Tuesday, May 21, 2013 8:17 PM
    • Marked as answer by 朱鸿文 Tuesday, May 28, 2013 2:14 AM
    Tuesday, May 21, 2013 8:16 PM
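
The triage the answer describes, as an added example that is not part of the original thread: it parses Event 529 descriptions exported as text in the layout shown in the question and groups logon type 3 failures by workstation and caller process ID. The sample events, the workstation `laptop7`, the user names other than `susan`, PID 4120 and the threshold of 3 distinct names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: five Event 529 descriptions in the layout from the question.
TEMPLATE = ("Logon Failure:\n Reason: Unknown user name or bad password\n"
            " User Name: {user}\n Logon Type: 3\n Logon Process: Advapi\n"
            " Workstation Name: {ws}\n Caller Logon ID: (0x0,0x3E7)\n"
            " Caller Process ID: {pid}\n Source Network Address: -\n")
SAMPLE = "".join(TEMPLATE.format(user=u, ws=w, pid=p) for u, w, p in [
    ("susan", "pcname", 9692), ("john", "pcname", 9692), ("admin", "pcname", 9692),
    ("mary", "laptop7", 4120), ("mary", "laptop7", 4120)])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' block in the exported text."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Logon Failure":
            events.append({})          # a new event starts here
        elif events:
            events[-1][key] = value
    return events

def triage(events, min_users=3):
    """Group type 3 failures by (workstation, caller PID). Many distinct user names
    from one source points at guessing; one repeated name points at a stale credential.
    This is a heuristic for deciding where to look first, not a verdict."""
    groups = defaultdict(lambda: {"users": set(), "count": 0, "system": False})
    for e in events:
        if e.get("Logon Type") != "3":
            continue
        g = groups[(e.get("Workstation Name", "-"), e.get("Caller Process ID", "-"))]
        g["users"].add(e.get("User Name", "").lower())
        g["count"] += 1
        # (0x0,0x3E7) is the well-known Local System logon session.
        g["system"] |= e.get("Caller Logon ID", "").upper().endswith("0X3E7)")
    return {k: {"failures": g["count"], "distinct_users": len(g["users"]),
                "caller_is_system": g["system"],
                "verdict": "many-names" if len(g["users"]) >= min_users else "repeated-name"}
            for k, g in groups.items()}

if __name__ == "__main__":
    for source, summary in triage(parse_events(SAMPLE)).items():
        print(source, summary)
```

The caller process ID in each group is the one to look up on the server while the failures are still occurring, since a PID is only meaningful for the lifetime of that process.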