FTP login to Win2k sp4 with IIS not all audited

Archived from groups: microsoft.public.win2000.security (More info?)

I am not sure where your ftpuser event msgs went, but the
other event you show in very likely unrelated as the Windows
shipped FTP is totally Kerberos unaware.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Raymond" <skytow@gmail.com> wrote in message
news:fdfbcccc.0411260054.285dbc5@posting.google.com...
> The configuration is as following:
> - Windows 2000 SP4 running as DC with IIS FTP installed
> - One account "ftpuser" created for accessing the FTP server
> - "Domain Security Policy", "Audit account logon events" and "Audit
> logon events" are both turned on for success and failure
> - Normally, we have about 10 workstations(NT4 WS) access the server in
> the morning from 8:15AM to 8:30AM to get updated files.
>
> The problem is :
> - I am expecting I can get TEN pairs of "528 + 538" events with the
> user field set to "ftpuser", but I only get at most TWO pairs of "528
> + 538" events.
>
> Successful Logon:
> User Name: ftpuser
> Domain: DOMAIN1
> Logon ID: (0x0,0x65A244)
> Logon Type: 2
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: SERVER1
>
> User Logoff:
> User Name: ftpuser
> Domain: DOMAIN1
> Logon ID: (0x0,0x65A244)
> Logon Type: 2
>
> In between, I got a lot of 540, 583 events who's user is "SYSTEM":
> Successful Network Logon:
> User Name: SERVER1$
> Domain: DOMAIN1
> Logon ID: (0x0,0x65EA72)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
>
> User Logoff:
> User Name: SERVER1$
> Domain: DOMAIN1
> Logon ID: (0x0,0x65EBB9)
> Logon Type: 3
>
> Anyone know what's the problem?