Domain login failure alerts from Machines$ not Users ??


1LUV1T

IS-IT--Management
Nov 6, 2006
231
US
Hello, can someone clarify this for me... I installed GFI LANguard a few days ago to alert me of event viewer logs. The last few nights I get bombarded with messages in the middle of the night stating that a machine is failing to log in to my domain controller:

Note: DomainController is my DC Server. TerminalServerA is my Terminal Server. Why in the heck is my TS Server logging in as itself?

Event ID : 537
Event Importance : Critical importance event
Date & Time : 8/14/2008 - 4:04:52 PM
Rule Triggered : Logon Failure : Unknown / Unexpected error
Computer : DomainController
Event Log : Security
Event Source : Security
Event Category : Logon/Logoff
Event Type : Failure Audit
S.E.L.M. Event ID : 1218643757_000000000026701
User Name : NT AUTHORITY\SYSTEM
Operating System : Windows 2003 Domain Controller

Logon Failure:
Reason: An error occurred during logon
User Name: TerminalServerA$
Domain: MyDOMAIN.COM
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00000DC
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.75
Source Port: 0
More Information:
User TerminalServerA$ from domain MyDOMAIN.COM tried to logon (Type 3) to the machine - but was not granted access since an unexpected error occurred during the logon process.

If the reasons which can generate such an event are unlisted you must first follow the steps in Q262177 to turn on Kerberos event logging.

Possible causes for this event:

(1) if a forged SID is used to elevate user privileges

(2) If the "Logon Failure Auditing" local policy is in use on a Windows XP-based computer that is a member of a domain, the event may be recorded in the Security event log if you log on to the local computer instead of to the domain.
See Q327889.

(3) Event generated by a logon failure due to the NetLogon component not being active.

(4) There is a Windows NT server with the same name as the Windows NT FPNW server service name on your network. This FPNW service name must be different than the regular Windows NT server name.

It is strongly recommended that if this event is generated out of the normal operational times for the specified machine (-), you check whether this event was preceded by a large number of failed logon attempts. If this is the case, then it can indicate that an unauthorized user is trying to gain access to that account/computer via a brute force password guessing operation.



User TerminalServerA$ from domain MyDOMAIN.COM has successfully logged off from the machine named -.

Possible causes for the generation of this event are
(1) Normal operation performed by a member of the domain.

WARNING :
If this network logoff happened OUT OF THE NORMAL OPERATIONAL TIME of this machine, then it is strongly recommended that you check whether this event was preceded by a large number of failed logon attempts. If this is the case, then it can indicate that an unauthorized user was trying to gain access to that account/computer via a brute force password guessing operation, and finally succeeded to access the system.


Logon Type Legend:
2 - Interactive
3 - Network
4 - Batch
5 - Service
6 - Proxy
7 - Unlock Workstation
8 - Network logon using a clear text password
9 - Impersonated logon

Logon Process Legend:
- Advapi (triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt)
- User32 (normal Windows 2000 logon using WinLogon)
- SCMgr (Service Control Manager started a service)
- KsecDD (network connections to the SMB server - for example, when you use a NET USE command)
- Kerberos (the Kerberos Security Support Provider [SSP])
- NtlmSsp (the NTLM SSP)
- Seclogon (Secondary Logon - that is, the RunAs command)
- IIS (IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication)

Authentication Package Legend:
- Negotiate
- NTLM
- Kerberos (Not Supported by Windows NT)
- MSV1_0 (Not Supported by Windows ME/98/95)
- MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (Not Supported by Windows ME/98/95)

Common Kerberos 5 Hex Error Codes Legend:
0x6 - (KRB_ERR_C_PRINCIPAL_UNKNOWN) "Client not found in Kerberos database"
0x7 - (KRB_ERR_S_PRINCIPAL_UNKNOWN) "Server not found in Kerberos database" This generally indicates a service principal name (SPN) has not been registered for the service.
0x9 - (KDC_ERR_NULL_KEY) "The client or server has a null key"
0xE - (KDC_ERR_ETYPE_NOTSUPP) "KDC has no support for the encryption type"
0x12 - indicates the logon failed because of time-of-day or workstation restrictions.
0x18 - (KDC_ERR_PREAUTH_FAILED) "Pre-authentication information was invalid" signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.
0x19 - (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication"
0x23 - Password has expired.
0x25 - (KRB_AP_ERR_SKEW) "Clock skew too great"
0x26 - (KRB_AP_ERR_BADADDR) "Incorrect net address"
0x29 - (KRB_AP_ERR_MODIFIED) "Message stream modified"
0x32 - Ticket has expired.
0x33 - Ticket not yet valid.
0x34 - Request is a replay. Someone is trying to play back a Kerberos client's response; you are possibly being attacked.
0x37 - Clock skew too great, Kerberos is time-critical; make sure all clocks are synchronized.
0x3C - (KRB_ERR_GENERIC) "Generic Error"
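An added triage helper, not GFI's or the poster's code, that parses the "Field : value" alert layout pasted above and applies the check the alert text recommends: was a success or logoff for an account preceded by many failed logons in a short window, with machine accounts called out by their `$` suffix. The sample alerts are constructed, the logoff is labelled with event ID 538, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock Workstation", 8: "Network logon using a clear text password",
               9: "Impersonated logon"}
FIELD_RE = re.compile(r"^\s*([A-Za-z&. ]+?)\s*:\s*(.*?)\s*$")

def parse_alert(text):
    # "Field : value" lines; a repeated key keeps the last value, so the body's
    # "User Name: TerminalServerA$" wins over the header's NT AUTHORITY\SYSTEM.
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            rec[m.group(1).strip().lower()] = m.group(2)
    rec["time"] = datetime.strptime(rec["date & time"], "%m/%d/%Y - %I:%M:%S %p")
    rec["failed"] = rec.get("event type") == "Failure Audit"
    return rec

def sample(event_id, when, etype, user, status="0x0"):  # constructed alert text
    return (f"Event ID : {event_id}\nDate & Time : {when}\nEvent Type : {etype}\n"
            f"User Name : NT AUTHORITY\\SYSTEM\nLogon Failure:\nUser Name: {user}\n"
            f"Logon Type: 3\nStatus code: {status}\nSource Network Address: 192.168.1.75")

SAMPLE_ALERTS = [  # constructed, modelled on the alert layout in the post
    sample(537, "8/14/2008 - 4:04:52 PM", "Failure Audit", "TerminalServerA$", "0xC00000DC"),
    sample(537, "8/14/2008 - 4:05:10 PM", "Failure Audit", "TerminalServerA$", "0xC00000DC"),
    sample(537, "8/14/2008 - 4:05:31 PM", "Failure Audit", "TerminalServerA$", "0xC00000DC"),
    sample(538, "8/14/2008 - 4:06:02 PM", "Success Audit", "TerminalServerA$"),
    sample(537, "8/14/2008 - 1:00:00 AM", "Failure Audit", "jsmith", "0xC00000DC"),
    sample(538, "8/14/2008 - 3:00:00 PM", "Success Audit", "jsmith"),
]

def failed_logons_before(records, target, window):
    # The check the alert asks the operator to make by hand: failures for the
    # same account that landed in the window just before `target`.
    acct, end = target["user name"], target["time"]
    return sum(1 for r in records if r["failed"] and r["user name"] == acct
               and end - window <= r["time"] < end)

def triage(alert_texts, threshold=3, window=timedelta(minutes=30)):
    # Report each non-failure event preceded by >= threshold failures in the window.
    records = sorted((parse_alert(t) for t in alert_texts), key=lambda r: r["time"])
    findings = []
    for r in records:
        if r["failed"]:
            continue
        n = failed_logons_before(records, r, window)
        if n >= threshold:
            findings.append({"account": r["user name"], "failures_before": n,
                             "machine_account": r["user name"].endswith("$"),
                             "logon_type": LOGON_TYPES.get(int(r["logon type"]), "unknown")})
    return findings
```

A single machine-account failure at an odd hour is not a finding by itself; the window check is what separates a clock or NetLogon problem from a guessing run that ends in a success.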

GFI Knowledge Base article:
 
Sync your terminal server's clock to your DC's - see if that helps.
 