Storage Server 2003 Security Event 529 Strange Issue

[Guest Drazzi]

I get the following security event every 3-30 seconds and it repeats for

the same source network address up to 8 times. Does anyone have any

suggestions on what to look at?

 

--

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 11/6/2007

Time: 11:35:06 AM

User: NT AUTHORITY\SYSTEM

Computer: <HOST>

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name:

Domain:

Logon Type: 3

Logon Process: Kerberos

Authentication Package: Kerberos

Workstation Name: -

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: <Valid IP>

Source Port: 0

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

--

 

I also am seeing Kerberos event id 4 on most of the client PCs with the

host server above in the description. The server has locked up twice,

the second time exactly a week from the first. It acts like it is out

of memory, when it is only using 2.5 of 4gb. I'm installing the lsass

patch (http://support.microsoft.com/kb/931307/en-us) tomorrow night to

attempt to help the memory issue.

 

--

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 4

Date: 11/6/2007

Time: 11:12:33 AM

User: N/A

Computer: <CLIENT>

Description:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

host/<HOST from above>. This indicates that the password used to

encrypt the kerberos service ticket is different than that on the target

server. Commonly, this is due to identically named machine accounts in

the target realm (<Our Domain Name>), and the client realm. Please

contact your system administrator.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

--

 

For this error I have already checked that I do not have a second

machine named the same as this one, etc. The only unique thing is that

this machine has two IPs. I plan on taking down the second one for a

day or so to see if the event 4 goes away.

 

Any help/suggestions are greatly appreciated!!

 

Thanks,

Justin