Event ID 681

[Guest]

Recently I began noticing Event ID 681 errors in the security logs of our
Microsoft ISA Server 2000. These errors are only occuring on 2 specific
workstations/user accounts. The event log reads as follows:
-----------------------------------------
Date: 3/3/2005
Time: 8:33
Type: Failure
User: NT AUTHORITYSYSTEM
Computer: SERVERNAME
Source: Security
Category: Account Logon
Event ID: 681

Description:
The logon to account: USERNAME
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: WORKSTATIONNAME
failed. The error code was: 3221225572
-----------------------------------------

This error message is being generated atleast every minute, if not 2 or 3
times a minute and has been occuring since last week sometime. I made several
changes on our ISA server last week so that ISA would log user names rather
than IP addresses. It seems that these error messages began appearing after
that. I find it strange, however, that only 2 users are experiencing this. We
have approximately 50 users total and all other accounts seem fine. I have
verified that the firewall client is installed and configure properly on
these 2 workstations. I have also tried renaming these workstations.

The changes made to ISA last week were as follows:

Open SCPFIRE properties>incoming web requests, check the box ?Ask unauthenticated users for identification?.

Access policy>Site & Content rules>Change proxy rule to apply to Accounts:Everyone as opposed to any request (eliminates anonymous access).

Any ideas how to eliminate this problem from recurring?

I've also obtained a hotfix from MS, which did not work (KB837142).

Thanks in advance - Wayne

 

[Steven L Umbach]

The error code 3221225572 indicates that a bad username is being used to
authenticate. I would make sure that the user is trying to logon to their
computer with the correct logon name as compared to the logon name that ISA
uses to authenticate users which would be either local user accounts or
domain accounts depending on if a domain is being used or not. --- Steve

 

[John John]

That would seem to be the problem according to Microssoft but Wayne says
"This error message is being generated atleast every minute, if not 2
or 3 times a minute..." I think there is more to it than just a bad
username, unless some dumb cluck is trying to log on 2-3 times a minute
all day long. I read in another Microsoft article that SMS license
Metering Client can cause the exact same symptoms but I don't know that
the OP has this SMS or not, doesn't say in his post.

John

 

[Steven L Umbach]

He still should start with what the error indicates. Since this is an ISA
server there apparently are rules that require client authentication for
internet access for web proxy and/or firewall clients. That can be done
transparently. Possibly the firewall client is triggering the failures or
maybe he has spyware or something like Windows Update trying to access the
internet without the users knowledge. There certainly could be other
possibilities. --- Steve