FTP login to Win2k sp4 with IIS not all audited

[Raymond]

The configuration is as following:
- Windows 2000 SP4 running as DC with IIS FTP installed
- One account "ftpuser" created for accessing the FTP server
- "Domain Security Policy", "Audit account logon events" and "Audit
logon events" are both turned on for success and failure
- Normally, we have about 10 workstations(NT4 WS) access the server in
the morning from 8:15AM to 8:30AM to get updated files.

The problem is :
- I am expecting I can get TEN pairs of "528 + 538" events with the
user field set to "ftpuser", but I only get at most TWO pairs of "528
+ 538" events.

Successful Logon:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER1

User Logoff:
User Name: ftpuser
Domain: DOMAIN1
Logon ID: (0x0,0x65A244)
Logon Type: 2

In between, I got a lot of 540, 583 events who's user is "SYSTEM":
Successful Network Logon:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EA72)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

User Logoff:
User Name: SERVER1$
Domain: DOMAIN1
Logon ID: (0x0,0x65EBB9)
Logon Type: 3

Anyone know what's the problem?

 

[Roger Abell]

I am not sure where your ftpuser event msgs went, but the
other event you show in very likely unrelated as the Windows
shipped FTP is totally Kerberos unaware.