Frequent Event ID 529 (Kerberos)

S

Stephen Walker

I have a puzzle with one of my machines.
This PC has been having trouble with the security event log getting full,
and I've had to increase it to 8Mb just to cope.
I am getting these events logged at a rate of about 6 every two minutes:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 09/12/2004
Time: 11:01:35
User: NT AUTHORITY\SYSTEM
Computer: STEVEW
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

With no username, domain or workstation name it is hard to track what is
causing these errors.
I have tried scanning for viruses/malware, shutting down every process and
service I can think of, even logging the machine off, but the events
continue to be logged. A packet capture shows that the PC is chatting to a
domain controller at the time that the events are logged, but I can't see
why this keeps happening.

This is an XP SP2 machine on a small domain.

Has anyone else seen this type of behaviour or have any ideas to
troubleshoot it?

Stephen
 
S

Stephen Walker

Thanks for the help.
After a lot of reading, I eventually decided to rename the PC to see if the
activity stopped. It has, so I guess it must be something to do with an
incoming connection, not anything on the PC itself.

Stephen
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Kerberose Error 1
Event id 529 3
Kerberos ticket expired 1
Failure to access local machine uisng IP Security Monitor 1
Error 529 3
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Help! I think I'm being hacked!! 1
537 errors due to manual services being started 0

Top