event id 675, 681, 529 every 2, 2.5 minutes

C

Christine

I am receiving the following every 2, 2.5 minutes in
security logs. Everything seems to be working fine with
the exception of these messages. Any help would be
appreciated.


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/2/2003
Time: 9:59:33 AM
User: NT AUTHORITY\SYSTEM
Computer: server
Description:
Pre-authentication failed:
User Name: server$
User ID: ADMAT\server$
Service Name: krbtgt/ADMAT.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 12/2/2003
Time: 9:59:33 AM
User: NT AUTHORITY\SYSTEM
Computer: server
Description:
The logon to account: server$
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: server
failed. The error code was: 3221225578

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/2/2003
Time: 9:59:33 AM
User: NT AUTHORITY\SYSTEM
Computer: server
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: server$
Domain: ADMAT
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: server
 
I

IBTerry [MSFT]

Hello

Does these error only come from the one machine that is named server?
Are there any secure channel type of errors on that machine? If so
resetting the machine account may eliminate these errors.

Is this an NT4 machine in a Win2K domain?

The following article will help you interpret some of the event IDs
regarding this...

174073 Auditing User Authentication
http://support.microsoft.com/?id=174073

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
 
C

Christine

sorry...it is a W2K server

-----Original Message-----
Thanks for the article...I had already read through that.
I have also learned that ntlmssp.exe is used with exchange
and some proxy services.

Yes "server" is a domain controller and the machine the
log event is referring to.

I interpret the log as the domain controller "server"
machine account can't log into the network because of a
bad password.

This doesn't make sense to me.

All of the services are running smoothly, from email to
the firewall to backups.

Any other ideas would be helpful.

-----Original Message-----
Hello

Does these error only come from the one machine that is named server?
Are there any secure channel type of errors on that machine? If so
resetting the machine account may eliminate these errors.

Is this an NT4 machine in a Win2K domain?

The following article will help you interpret some of
Click to expand...
the
event IDs
regarding this...

174073 Auditing User Authentication
http://support.microsoft.com/?id=174073

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


.
Click to expand...
.
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Event 529 and 681 5
537 errors due to manual services being started 0
680 & 529 Failure Audits 1
Event ID 681 and 529 3
Event id 529, and very strange username ! 1
Password checking is running-please help 3
event id 529 logon type 3 - lots of them 1
Security Log Help 9

Top