Windows Vista Forums

EventID 529 Failed Logons from administrator account in SBS 2003 server
  1. #1


    Gabriel Raffaelli Guest

    EventID 529 Failed Logons from administrator account in SBS 2003 server

    Hello,

    I am getting 13 (exactly 13) Security Event 529 errors in my security log every morning around 6:00 am. Here is a copy of the error from the Event Log:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator@<domain>.com
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: <Server>
    Caller User Name: <Server>$
    Caller Domain: <Domain>
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2808
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I traced the PID to inetinfo.exe. Other forums I have scoured point to an administrator password change as the possible culprit, but I have not made a change to the administrator password. I have, for the sake of being thorough, checked all of the administrator passwords under services.msc and made sure they were all correct. The error still shows up like clockwork every morning. I don't think it's a hack attempt since it's occurring every morning at the same time with the same number of errors without any change in the username. Can anyone point me in the right direction here? Thanks in advance for the help.
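The following is an added example, not code from the thread: it parses Event 529 descriptions in the format quoted above, flags the case where a LocalSystem process made the logon call with no client address recorded, and reports whether the failures recur at the same minute with the same count each day. The timestamps, `example.com`, `SERVER01` and all function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event text shaped like the one quoted in the post; names are placeholders.
EVENT = """Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator@example.com
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER01
Caller User Name: SERVER01$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2808
Source Network Address: -"""
# Constructed timeline: 13 failures at 06:00 on three consecutive days.
SAMPLE = [(f"2009-09-{d} 06:00:{s:02d}", EVENT) for d in (22, 23, 24) for s in range(13)]

def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def logged_by_local_service(fields):
    """True when a LocalSystem process on this machine (logon ID 0x3E7) made the
    logon call and no client address was recorded, so the event alone cannot
    name the remote party; the service's logs or a network trace must."""
    return (fields.get("Caller Logon ID", "").upper().endswith("0X3E7)")
            and fields.get("Logon Type") == "3"
            and fields.get("Source Network Address", "-") == "-")

def summarize(events):
    """Group failures by (user, logon process) and report the daily pattern."""
    days = defaultdict(lambda: defaultdict(list))
    for stamp, text in events:
        f = parse_event(text)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (f.get("User Name", "").lower(), f.get("Logon Process", ""))
        days[key][str(when.date())].append(when.strftime("%H:%M"))
    report = {}
    for key, by_day in days.items():
        counts = {d: len(t) for d, t in by_day.items()}
        minutes = sorted({m for t in by_day.values() for m in t})
        # recurring: same count, same minute, on more than one day
        recurring = len(counts) > 1 and len(set(counts.values())) == 1 and len(minutes) == 1
        report[key] = {"per_day": counts, "minutes": minutes, "recurring": recurring}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```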


  2. #2


    Miles Li [MSFT] Guest

    Re: EventID 529 Failed Logons from administrator account in SBS 2003 server

    Hello,

    Thank you for posting here.

    According to your description, I understand that:

    You receive the Event 529 that indicates an authentication failure every
    morning.

    If I have misunderstood the problem, please don't hesitate to let me know.

    To find the root cause of the reason why inetinfo.exe tried to
    authenticate the Administrator account with the incorrect password, we
    will need to debug the inetinfo.exe and verify it.

    Before that, from my experience the remote SMTP request may result in the
    Event 529 from inetinfo.exe and Advapi. To verify that, you may take a
    network trace on the server around 6:00 am until the issue reproduces. Then
    check whether there are any SMTP requests and authentication failure
    messages.

    If you have any questions or concerns, please do not hesitate to let me know.

    Best regards,

    Miles Li

    Microsoft Online Newsgroup Support

    ==================================================================
    Please post your SBS 2008 related questions to the SBS newsgroup on Connect
    website:
    https://connect.microsoft.com/sbs08/...i/default.aspx


    Please post your EBS related questions to the EBS newsgroup on Connect
    website:
    https://connect.microsoft.com/ebs08/...i/default.aspx


    If you want to use a newsreader other than a web forum to access these
    newsgroups,
    please refer to the following blog to apply NNTP password and configure a
    newsreader:
    http://msmvps.com/blogs/bradley/arch...for-the-sbs-2008-newsgroups.aspx
    ==================================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ==================================================================



  3. #3


    heathe crimson Guest

    broken trust

    Looks like you have a broken trust between clients and server

    the error is misguiding

    use kerb-tray utility -- I think that's on Sysinternals

    Heathe
    heathe@newsgroup
    free consultation at protechdynamix.com



    Gabriel Raffaelli wrote:

    EventID 529 Failed Logons from administrator account in SBS 2003 server
    22-Sep-09

    Hello,

    I am getting 13 (exactly 13) Security Event 529 errors in my security log every morning around 6:00 am. Here is a copy of the error from the Event Log:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator@<domain>.com
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: <Server>
    Caller User Name: <Server>$
    Caller Domain: <Domain>
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2808
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I traced the PID to inetinfo.exe. Other forums I have scoured point to an administrator password change as the possible culprit, but I have not made a change to the administrator password. I have, for the sake of being thorough, checked all of the administrator passwords under services.msc and made sure they were all correct. The error still shows up like clockwork every morning. I don't think it's a hack attempt since it's occurring every morning at the same time with the same number of errors without any change in the username. Can anyone point me in the right direction here? Thanks in advance for the help.


  4. #4


    Gabriel Raffaelli Guest

    RE: broken trust

    I downloaded the Kerb Tray utility and it doesn't seem to show anything out
    of the ordinary. It shows only two Kerberos tickets, both at the time of my
    login to the server. I didn't do a purge since it doesn't look like that's
    the source of the problem. Should I?

    Thanks for your help.

    ~Gabriel Raffaelli
    IT Consultant, InfoLA

    "heathe crimson" wrote:

    > Looks like you have a broken trust between clients and server
    >
    > the error is misguiding
    >
    > use kerb-tray utility -- I think that's on Sysinternals
    >
    > Heathe
    > heathe@newsgroup
    > free consultation at protechdynamix.com

  5. #5


    Gabriel Raffaelli Guest

    kerb tray

    I downloaded the Kerb Tray utility and it doesn't seem to show anything out
    of the ordinary. It shows only two Kerberos tickets, both at the time of my
    login to the server. I didn't do a purge since it doesn't look like that's
    the source of the problem. Should I?

    Thanks for your help.

    ~Gabriel Raffaelli
    IT Consultant, InfoLA



    heathe crimson wrote:

    broken trust
    23-Sep-09

    Looks like you have a broken trust between clients and server

    the error is misguiding

    use kerb-tray utility -- I think that's on Sysinternals

    Heathe
    heathe@newsgroup
    free consultation at protechdynamix.com


  6. #6


    heathe crimson Guest

    kerb tray

    yes please





    Gabriel Raffaelli wrote:

    kerb tray
    24-Sep-09

    I downloaded the Kerb Tray utility and it doesn't seem to show anything out
    of the ordinary. It shows only two Kerberos tickets, both at the time of my
    login to the server. I didn't do a purge since it doesn't look like that's
    the source of the problem. Should I?

    Thanks for your help.

    ~Gabriel Raffaelli
    IT Consultant, InfoLA


  7. #7


    heathe crimson Guest

    need to check metabase

    look at metabase.xml

    open with notepad

    search for the user for which you get failure audits

    you might find that the user a/c is being used as an identity of one of the application pools

    remove the account from in there -- most likely you are not using that

    put the application pool identity back to the network service a.c.

    heathe
    heathe@newsgroup

    free consultation at protechdynamix.com



    Gabriel Raffaelli wrote:

    kerb tray
    24-Sep-09

    I downloaded the Kerb Tray utility and it doesn't seem to show anything out
    of the ordinary. It shows only two Kerberos tickets, both at the time of my
    login to the server. I didn't do a purge since it doesn't look like that's
    the source of the problem. Should I?

    Thanks for your help.

    ~Gabriel Raffaelli
    IT Consultant, InfoLA


  8. #8


    Gabriel Raffaelli Guest

    metabase.xml

    Thank you for your help and sorry for the delay. I am only at this client site twice weekly so my troubleshooting is a bit sporadic.

    I searched in the metabase.xml file, and the word "administrator" only shows up in two places, neither of which look like account logins.

    One instance shows under an AspScriptErrorMessage and the other as a label for the AdminName property. That instance looks like this: AdminName="Administrator Name"

    I don't think either of those are what you are talking about.

    Any other ideas? I received the 529 error just like clockwork at 6:00am today. 13 times as usual.

    Thanks again for your help.

    ~Gabriel



    heathe crimson wrote:

    need to check metabase
    24-Sep-09

    look at metabase.xml

    open with notepad

    search for the user for which you get failure audits

    you might find that the user a/c is being used as an identity of one of the application pools

    remove the account from in there -- most likely you are not using that

    put the application pool identity back to the network service a.c.

    heathe
    heathe@newsgroup

    free consultation at protechdynamix.com
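An added example, not part of the original posts: instead of a text search for the word "administrator", this Python script parses metabase.xml and lists every property whose name ends in `UserName` and holds the account in any of its forms (`DOMAIN\user`, `user@domain`), along with the identity type of each application pool. The sample XML, its values, the element carrying `AdminName` and the function names are constructed or assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the style of an IIS 6 metabase.xml; all values and the
# element that carries AdminName are assumptions made for this example.
SAMPLE = """<configuration>
 <MBProperty>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="3"
      WAMUserName="EXAMPLE\\Administrator"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousUserName="IUSR_SERVER01"/>
  <IIsConfigObject Location="/LM/Example" AdminName="Administrator Name"/>
 </MBProperty>
</configuration>"""

# AppPoolIdentityType values used by IIS 6.
IDENTITY_TYPES = {"0": "LocalSystem", "1": "LocalService",
                  "2": "NetworkService", "3": "configured account"}

def short_name(value):
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased account name."""
    return value.rsplit("\\", 1)[-1].split("@", 1)[0].strip().lower()

def local_tag(element):
    """Element name without any XML namespace prefix."""
    return element.tag.split("}")[-1]

def find_identity_uses(xml_text, account):
    """Return (Location, property, value) for every *UserName property that
    names the account, whatever domain notation it is stored in."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        for attr, value in el.attrib.items():
            if attr.endswith("UserName") and short_name(value) == account.lower():
                hits.append((el.get("Location", "?"), attr, value))
    return hits

def pool_identities(xml_text):
    """Map each application pool to (identity type, configured user or None)."""
    pools = {}
    for el in ET.fromstring(xml_text).iter():
        if local_tag(el) == "IIsApplicationPool":
            kind = IDENTITY_TYPES.get(el.get("AppPoolIdentityType"), "unknown")
            pools[el.get("Location")] = (kind, el.get("WAMUserName"))
    return pools

if __name__ == "__main__":
    # A label such as AdminName="Administrator Name" is not reported: it is not
    # a *UserName property and does not reduce to the account name.
    for hit in find_identity_uses(SAMPLE, "administrator"):
        print("account in use:", hit)
    for location, identity in pool_identities(SAMPLE).items():
        print(location, identity)
```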


  9. #9


    Gabriel Raffaelli Guest

    Re: EventID 529 Failed Logons from administrator account in SBS 20

    Sorry for the delay. I'm only on site with this client twice weekly and I was
    looking at Kerberos as a possible culprit but that looks like a dead end.

    I am not using any third party backup at that time. I have an online backup
    that runs at varied times throughout the day but, according to the history,
    never runs at 6am. I also use the native SBS backup, scheduled to run at
    10pm nightly.

    I don't have any scheduled tasks that run at 6am. I checked that out as well.

    Thanks for your input. Any other ideas would be greatly appreciated.

    ~Gabriel

    "Cris Hanna [SBS - MVP]" wrote:

    > Are you using 3rd party backup software... what is scheduled to happen when this error occurs?
    >
    > --
    > Cris Hanna [SBS - MVP]
    > Co-Contributor, Windows Small Business Server 2008 Unleashed
    > http://www.amazon.com/Windows-Small-...7269967&sr=8-1
    > Owner, CPU Services, Belleville, IL
    > A Microsoft Registered Partner
    > ------------------------------------
    > MVPs do not work for Microsoft
    > Please do not submit questions directly to me.

  10. #10


    Gabriel Raffaelli Guest

    Re: EventID 529 Failed Logons from administrator account in SBS 20

    Is there any way to schedule a network trace using NetMon? I would like to
    minimize the amount of data to analyze and specify a timeframe for a scan
    since the error comes up at exactly the same time every morning.

    Thanks for your help.

    ~Gabriel

    "Miles Li [MSFT]" wrote:

    > Hello,
    >
    > Thank you for posting here.
    >
    > According to your description, I understand that:
    >
    > You receive the Event 529 that indicates an authentication failure every
    > morning.
    >
    > If I have misunderstood the problem, please don't hesitate to let me know.
    >
    > To find the root cause of the reason why inetinfo.exe tried to
    > authenticate the Administrator account with the incorrect password, we
    > will need to debug the inetinfo.exe and verify it.
    >
    > Before that, from my experience the remote SMTP request may result in the
    > Event 529 from inetinfo.exe and Advapi. To verify that, you may take a
    > network trace on the server around 6:00 am until the issue reproduces. Then
    > check whether there are any SMTP requests and authentication failure
    > messages.
    >
    > If you have any questions or concerns, please do not hesitate to let me know.
    >
    > Best regards,
    >
    > Miles Li
    >
    > Microsoft Online Newsgroup Support
