event id 529 logon type 3 - lots of them

Archived from groups: microsoft.public.win2000.security (More info?)

What server applications were running on this server - IIS, Exchange,?? From
what you describe it probably was from an external source and if your
firewall logs network traffic you may want to see if you see a lot of
activity from a particular IP address at the times that these failed logon
events were recorded. If you have auditing of account logon events enabled
in Domain Controller Security policy you would want to check the security
logs of the domain controllers to see if there are any failure for account
logon events at the same times that may give more information including
computer name. I have seen other posts with similar behavior and when
Logon Process: Advapi was show it was often an Exchange server. Be sure
to check your firewall for proper configuration and you can go to a self
scan site such as http://scan.sygatetech.com/ to see if your firewall
security configuration looks to be what is expected.--- Steve



"Gary Massengale" <garym_jnospam@hotmail.com> wrote in message
news:%23IZ47XoSFHA.3544@TK2MSFTNGP10.phx.gbl...
>I saw a ton of these, all early this morning, during a short period of
>time, before most users are even in the office.
>
>
>
> is there any way I can find out where this is coming from? what
> workstation or if it is over the internet?
>
>
>
>
>
>
>
>
>
> Event Type: Failure Audit
>
> Event Source: Security
>
> Event Category: Logon/Logoff
>
> Event ID: 529
>
> Date: 4/26/2005
>
> Time: 6:44:06 AM
>
> User: NT AUTHORITY\SYSTEM
>
> Computer: myserver
>
> Description:
>
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: connect
>
> Domain:
>
> Logon Type: 3
>
> Logon Process: Advapi
>
> Authentication Package:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> Workstation Name: myserver
>
>