Logon/Logoff Failure Audit - Event 537 in Windows Server 2..

Archived from groups: microsoft.public.win2000.security (More info?)

I have a W2k3 RTM member server (2003 domain) running IIS, Microsoft
Operations Manager 2005 and CA Unicenter Automation Point v4 SP3 + HP
Proliant Essentials (compaq support paq) 7.3.

I am seeing event 537 logon failure audits twice per minute in the Secuirty
Log. All the events look the same:

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000009A
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

There's not a lot to go on. I tried MSKB and EventID and there were no
obvious references. Article 318922 talks about domain controllers and NT4,
and 327889 talks about using local accounts in WinXP but implies that a user
name should be logged as part of the event.

I am not sure if 0xC000009A is related to the error
"STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon shows 19.8 Mb of
Pool Nonpaged Bytes which seems OK compared to my other servers.

Any ideas?

Thanks
- Adam
4 answers Last reply
More about logon logoff failure audit event windows server
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    "" wrote:
    > I have a W2k3 RTM member server (2003 domain) running IIS,
    > Microsoft
    > Operations Manager 2005 and CA Unicenter Automation Point v4
    > SP3 + HP
    > Proliant Essentials (compaq support paq) 7.3.
    >
    > I am seeing event 537 logon failure audits twice per minute in
    > the Secuirty
    > Log. All the events look the same:
    >
    > Logon Failure:
    > Reason: An error occurred during logon
    > User Name:
    > Domain:
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name: -
    > Status code: 0xC000009A
    > Substatus code: 0x0
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: -
    > Source Port: -
    >
    > There's not a lot to go on. I tried MSKB and EventID and there
    > were no
    > obvious references. Article 318922 talks about domain
    > controllers and NT4,
    > and 327889 talks about using local accounts in WinXP but
    > implies that a user
    > name should be logged as part of the event.
    >
    > I am not sure if 0xC000009A is related to the error
    > "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon
    > shows 19.8 Mb of
    > Pool Nonpaged Bytes which seems OK compared to my other
    > servers.
    >
    > Any ideas?
    >
    > Thanks
    > - Adam

    Hi,

    See if the following helps
    http://www.eventid.net/display.asp?eventid=537&eventno=194&source=Security&phase=1

    Cheers,

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Security-Logon-Logoff-Failure-Audit-Event-537-Windows-Server-2003-ftopict552978.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1754298
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Yeah, already looked there and there was nothing obviously similar. Thanks

    - Adam

    "Jorge_de_Almeida_Pinto" wrote:

    > "" wrote:
    > > I have a W2k3 RTM member server (2003 domain) running IIS,
    > > Microsoft
    > > Operations Manager 2005 and CA Unicenter Automation Point v4
    > > SP3 + HP
    > > Proliant Essentials (compaq support paq) 7.3.
    > >
    > > I am seeing event 537 logon failure audits twice per minute in
    > > the Secuirty
    > > Log. All the events look the same:
    > >
    > > Logon Failure:
    > > Reason: An error occurred during logon
    > > User Name:
    > > Domain:
    > > Logon Type: 3
    > > Logon Process: Kerberos
    > > Authentication Package: Kerberos
    > > Workstation Name: -
    > > Status code: 0xC000009A
    > > Substatus code: 0x0
    > > Caller User Name: -
    > > Caller Domain: -
    > > Caller Logon ID: -
    > > Caller Process ID: -
    > > Transited Services: -
    > > Source Network Address: -
    > > Source Port: -
    > >
    > > There's not a lot to go on. I tried MSKB and EventID and there
    > > were no
    > > obvious references. Article 318922 talks about domain
    > > controllers and NT4,
    > > and 327889 talks about using local accounts in WinXP but
    > > implies that a user
    > > name should be logged as part of the event.
    > >
    > > I am not sure if 0xC000009A is related to the error
    > > "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon
    > > shows 19.8 Mb of
    > > Pool Nonpaged Bytes which seems OK compared to my other
    > > servers.
    > >
    > > Any ideas?
    > >
    > > Thanks
    > > - Adam
    >
    > Hi,
    >
    > See if the following helps
    > http://www.eventid.net/display.asp?eventid=537&eventno=194&source=Security&phase=1
    >
    > Cheers,
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's request
    > Articles individually checked for conformance to usenet standards
    > Topic URL: http://www.windowsforumz.com/Security-Logon-Logoff-Failure-Audit-Event-537-Windows-Server-2003-ftopict552978.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1754298
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    If the info recorded in the message is correct, then it looks for all
    the world as if an anonymous access is being attempted (??).
    I would suspect one of CA Unicenter Automation Point v4 SP3
    or HP Proliant Essentials (compaq support paq) 7.3
    with my bets placed on the last one.
    Just why this would be specifying/negotiating a Kerberos binding
    for the provider is another issue, but I guess this is machine local.

    Have you tried narrowing this down by shutting off these
    selectively to see if the event message goes away?
    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "Adam White" <AdamWhite@discussions.microsoft.com> wrote in message
    news:72A5BD1B-6024-4410-9B14-365757DF87A2@microsoft.com...
    > I have a W2k3 RTM member server (2003 domain) running IIS, Microsoft
    > Operations Manager 2005 and CA Unicenter Automation Point v4 SP3 + HP
    > Proliant Essentials (compaq support paq) 7.3.
    >
    > I am seeing event 537 logon failure audits twice per minute in the
    Secuirty
    > Log. All the events look the same:
    >
    > Logon Failure:
    > Reason: An error occurred during logon
    > User Name:
    > Domain:
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name: -
    > Status code: 0xC000009A
    > Substatus code: 0x0
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: -
    > Source Port: -
    >
    > There's not a lot to go on. I tried MSKB and EventID and there were no
    > obvious references. Article 318922 talks about domain controllers and NT4,
    > and 327889 talks about using local accounts in WinXP but implies that a
    user
    > name should be logged as part of the event.
    >
    > I am not sure if 0xC000009A is related to the error
    > "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon shows 19.8 Mb
    of
    > Pool Nonpaged Bytes which seems OK compared to my other servers.
    >
    > Any ideas?
    >
    > Thanks
    > - Adam
Ask a new question

Read More

Windows Server Microsoft Windows