EventID 540 Anonymous Logon

    Question

  • This morning when I logged on my machine I noticed this event log:

    Event Type:    Success Audit
    Event Source:    Security
    Event Category:    Logon/Logoff
    Event ID:    540
    Date:        8/10/2006
    Time:        5:09:03 AM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    IKCICHOCKI2
    Description:
    Successful Network Logon:
         User Name:   
         Domain:       
         Logon ID:        (0x0,0x1125A)
         Logon Type:    3
         Logon Process:    NtLmSsp
         Authentication Package:    NTLM
         Workstation Name:   
         Logon GUID:    {00000000-0000-0000-0000-000000000000}


    Can anyone tell me what this could be about?
    Being a successful Network Logon worries me.

    Thursday, August 10, 2006 5:20 PM

Answers

  • After checking my event logs, I ran into the same problem you posted.  I found your post first... then I continued on google to find this article.  I'm not a pro, but this seems to be the answer to the issue at hand. 

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch13.asp

    "If you see an error message that indicates that the login has failed for NT AUTHORITY\ANONYMOUS, this indicates that the identity on the Web server does not have any network credentials and is attempting to access the remote computer.

    Identify which account is being used by the Web application for remote resource access and confirm that it has network credentials. If the Web application is impersonating, this requires either Kerberos delegation (with suitably configured accounts) or Basic authentication at the Web server."

    Friday, September 15, 2006 3:14 PM
  • I had the same problem. What I did was:

    You can use the Group Policy console to prevent anonymous logon.

     

    Sunday, October 22, 2006 8:14 PM

All replies

  • I've recently seen these on my computer as well.  My Ad-Aware also picked up a win32.trojan.agent, which I deleted.  Any connection there?  Thanks, Tim
    Wednesday, September 13, 2006 4:15 AM
  • Konrad,

    I have the same thing.  Did you find out how to lock down the anonymous logon?  I haven't found anything on how to keep these people out.  Any help would be great.

    Successful Network Logon:
         User Name:   
         Domain:       
         Logon ID:        (0x0,0x8516F)
         Logon Type:    3
         Logon Process:    NtLmSsp
         Authentication Package:    NTLM
         Workstation Name:    HOD
         Logon GUID:    -
         Caller User Name:    -
         Caller Domain:    -
         Caller Logon ID:    -
         Caller Process ID: -
         Transited Services: -
         Source Network Address:    12.226.83.245
         Source Port:    0


    Thanks
    David
    Wednesday, October 11, 2006 12:46 PM
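
    Added example, not part of the original thread: a small Python triage script that parses event 540 descriptions exported as text in the format quoted in the posts above and counts anonymous NTLM network logons per source address and workstation. The third record (`alice`, `EXAMPLE`, `WS01`, `192.0.2.10`) is constructed for contrast; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the thread's two event 540 descriptions (trimmed) plus a made-up Kerberos logon.
SAMPLE = """
Successful Network Logon:
     User Name:
     Logon Type:    3
     Authentication Package:    NTLM
     Workstation Name:
Successful Network Logon:
     User Name:
     Logon Type:    3
     Authentication Package:    NTLM
     Workstation Name:    HOD
     Source Network Address:    12.226.83.245
Successful Network Logon:
     User Name:    alice
     Domain:    EXAMPLE
     Logon Type:    3
     Authentication Package:    Kerberos
     Workstation Name:    WS01
     Source Network Address:    192.0.2.10
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one {field: value} dict per 'Successful Network Logon' block."""
    events = []
    for chunk in text.split("Successful Network Logon:")[1:]:
        pairs = (FIELD.match(line) for line in chunk.splitlines())
        events.append({m.group(1).strip(): m.group(2) for m in pairs if m})
    return events

def is_anonymous_network_logon(ev):
    """Network logon (type 3) over NTLM that carries no user name."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Authentication Package") == "NTLM"
            and ev.get("User Name", "") in ("", "-"))

def summarize(text):
    """Count anonymous network logons per (source address, workstation)."""
    known = lambda v: v if v not in (None, "", "-") else "unknown"
    counts = Counter()
    for ev in parse_events(text):
        if is_anonymous_network_logon(ev):
            counts[(known(ev.get("Source Network Address")),
                    known(ev.get("Workstation Name")))] += 1
    return counts
```

    Calling `summarize()` on an exported log gives a per-source tally, so a recurring internal server (a front end or cluster partner) stands apart from an unfamiliar external address.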
  • I had the same problem. What I did was:

    You can use the Group Policy console to prevent anonymous logon.

     

    Sunday, October 22, 2006 8:14 PM
  • Did it work?
    Tuesday, April 28, 2009 1:37 AM
  • It's possible that this is an NTLM double-computer-hop issue. For example, a web browser on a client computer makes a request to an IIS web front-end (WFE) server using NTLM authentication. This is hop #1, from client to WFE. Then the WFE makes a web request to a database server using NTLM authentication. NTLM doesn't like hopping from computer to computer to computer and maintaining credentials; it thinks a man-in-the-middle attack is occurring. So after the first hop, all subsequent hops are as ANONYMOUS. Using Kerberos avoids this, but there is setup required for both A.D. and IE browser registry fixes / hotfixes. Not easy to do.
    • Proposed as answer by DanielSon1 Thursday, April 22, 2010 6:24 PM
    Monday, July 13, 2009 8:04 PM
  • Todd,

    I agree with your diagnosis.  We use a wfe with a couple of frames and they always hit on ANONYMOUS network login.

    Thursday, April 22, 2010 6:25 PM
  • Very useful comment and remark about the limits of NTLM.

    Also agree: not an easy task to fix in a domain...

    I'm like Konrad, worried about successful anonymous logons, especially when they always come from a specific server and have granted access on whatever port it wants.

    Monday, September 09, 2013 7:11 PM
  • I happened to notice this event on our DB servers.

    It happens a lot when the backup server in a failover cluster checks on the primary server.

    Kind of like "are you there...ah yes...now I can relax".

    Wednesday, October 16, 2013 10:18 PM