Guest Drazzi Posted November 6, 2007 Posted November 6, 2007 I get the following security event every 3-30 seconds and it repeats for the same source network address up to 8 times. Does anyone have any suggestions on what to look at? -- Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 11/6/2007 Time: 11:35:06 AM User: NT AUTHORITY\SYSTEM Computer: <HOST> Description: Logon Failure: Reason: Unknown user name or bad password User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: <Valid IP> Source Port: 0 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. -- I also am seeing Kerberos event id 4 on most of the client PCs with the host server above in the description. The server has locked up twice, the second time exactly a week from the first. It acts like it is out of memory, when it is only using 2.5 of 4gb. I'm installing the lsass patch (http://support.microsoft.com/kb/931307/en-us) tomorrow night to attempt to help the memory issue. -- Event Type: Error Event Source: Kerberos Event Category: None Event ID: 4 Date: 11/6/2007 Time: 11:12:33 AM User: N/A Computer: <CLIENT> Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/<HOST from above>. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (<Our Domain Name>), and the client realm. Please contact your system administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. -- For this error I have already checked that I do not have a second machine named the same as this one, etc. The only unique thing is that this machine has two IPs. I plan on taking down the second one for a day or so to see if the event 4 goes away. Any help/suggestions are greatly appreciated!! Thanks, Justin
Recommended Posts