event id 529 logon type 3 - lots of them


Gary Massengale

I saw a ton of these, all early this morning, during a short period of time,
before most users are even in the office.

is there any way I can find out where this is coming from? what
workstation or if it is over the internet?

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 4/26/2005

Time: 6:44:06 AM


Computer: myserver


Logon Failure:

Reason: Unknown user name or bad password

User Name: connect


Logon Type: 3

Logon Process: Advapi

Authentication Package:

Workstation Name: myserver

Steven L Umbach

What server applications were running on this server - IIS, Exchange,?? From
what you describe it probably was from an external source and if your
firewall logs network traffic you may want to see if you see a lot of
activity from a particular IP address at the times that these failed logon
events were recorded. If you have auditing of account logon events enabled
in Domain Controller Security policy you would want to check the security
logs of the domain controllers to see if there are any failure for account
logon events at the same times that may give more information including
computer name. I have seen other posts with similar behavior and when
Logon Process: Advapi was show it was often an Exchange server. Be sure
to check your firewall for proper configuration and you can go to a self
scan site such as http://scan.sygatetech.com/ to see if your firewall
security configuration looks to be what is expected.--- Steve

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question