We have 2 x DCs running 2003 SP2 64-bit. Recently I have been logging a lot of Kerberos and Netlogon errors on 3 or 4 XP SP2 workstations in our domain. I have tried deleting the computer account from AD and then removing and rejoining to the domain, as well as recreating the user profile on the local workstation. I also forced Kerberos authentication through my GPO (as per a Microsoft article) and the workstations still try to authenticate using NTLM. The errors are also occurring at times when the offices are closed. I have checked for any suspicious programs and scanned for malware. We use Trend Micro. I have attached some of the event log entries. Any suggestions would be greatly appreciated.
Source: NETLOGON
Category: None
Event ID: 5722
Computer: DC
The session setup from the computer Workstation-020
failed to authenticate. The name(s) of the
account(s) referenced in the security database
is Workstation-020$. The following error occurred:
Access is denied.
************************************************************
Source: Kerberos
Category: None
Event ID: 4
Computer: DC
The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server Workstation-020$. The target name used was
cifs/Workstation-020.Domain.org. This indicates that the
password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this
is due to identically named machine accounts in the target
realm (Domain.ORG), and the client realm. Please contact
your system administrator.
************************************************************
Source: W3SVC
Category: None
Event ID: 1074
Computer: DC
A worker process with process id of '900' serving
application pool 'DefaultAppPool' has requested a
recycle because the worker process reached its allowed
processing time limit.
************************************************************
Source: Security
Category: Logon/Logoff
Event ID: 529
NT AUTHORITY\SYSTEM
Computer: DC
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: Workstation-020
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Workstation-020
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.48.96
Source Port: 0