Sign in with
Sign up | Sign in
Your question

Logon/Logoff Failure Audit - Event 537 in Windows Server 2..

Last response: in Windows 2000/NT
Share
Anonymous
July 4, 2005 2:26:03 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I have a W2k3 RTM member server (2003 domain) running IIS, Microsoft
Operations Manager 2005 and CA Unicenter Automation Point v4 SP3 + HP
Proliant Essentials (compaq support paq) 7.3.

I am seeing event 537 logon failure audits twice per minute in the Secuirty
Log. All the events look the same:

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000009A
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

There's not a lot to go on. I tried MSKB and EventID and there were no
obvious references. Article 318922 talks about domain controllers and NT4,
and 327889 talks about using local accounts in WinXP but implies that a user
name should be logged as part of the event.

I am not sure if 0xC000009A is related to the error
"STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon shows 19.8 Mb of
Pool Nonpaged Bytes which seems OK compared to my other servers.

Any ideas?

Thanks
- Adam
Anonymous
July 4, 2005 7:37:33 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"" wrote:
> I have a W2k3 RTM member server (2003 domain) running IIS,
> Microsoft
> Operations Manager 2005 and CA Unicenter Automation Point v4
> SP3 + HP
> Proliant Essentials (compaq support paq) 7.3.
>
> I am seeing event 537 logon failure audits twice per minute in
> the Secuirty
> Log. All the events look the same:
>
> Logon Failure:
> Reason: An error occurred during logon
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> Status code: 0xC000009A
> Substatus code: 0x0
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> There's not a lot to go on. I tried MSKB and EventID and there
> were no
> obvious references. Article 318922 talks about domain
> controllers and NT4,
> and 327889 talks about using local accounts in WinXP but
> implies that a user
> name should be logged as part of the event.
>
> I am not sure if 0xC000009A is related to the error
> "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon
> shows 19.8 Mb of
> Pool Nonpaged Bytes which seems OK compared to my other
> servers.
>
> Any ideas?
>
> Thanks
> - Adam

Hi,

See if the following helps
http://www.eventid.net/display.asp?eventid=537&eventno=...

Cheers,

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Logon-Logoff-Fail...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1754298
Anonymous
July 5, 2005 5:20:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Yeah, already looked there and there was nothing obviously similar. Thanks

- Adam

"Jorge_de_Almeida_Pinto" wrote:

> "" wrote:
> > I have a W2k3 RTM member server (2003 domain) running IIS,
> > Microsoft
> > Operations Manager 2005 and CA Unicenter Automation Point v4
> > SP3 + HP
> > Proliant Essentials (compaq support paq) 7.3.
> >
> > I am seeing event 537 logon failure audits twice per minute in
> > the Secuirty
> > Log. All the events look the same:
> >
> > Logon Failure:
> > Reason: An error occurred during logon
> > User Name:
> > Domain:
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name: -
> > Status code: 0xC000009A
> > Substatus code: 0x0
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: -
> > Source Port: -
> >
> > There's not a lot to go on. I tried MSKB and EventID and there
> > were no
> > obvious references. Article 318922 talks about domain
> > controllers and NT4,
> > and 327889 talks about using local accounts in WinXP but
> > implies that a user
> > name should be logged as part of the event.
> >
> > I am not sure if 0xC000009A is related to the error
> > "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon
> > shows 19.8 Mb of
> > Pool Nonpaged Bytes which seems OK compared to my other
> > servers.
> >
> > Any ideas?
> >
> > Thanks
> > - Adam
>
> Hi,
>
> See if the following helps
> http://www.eventid.net/display.asp?eventid=537&eventno=...
>
> Cheers,
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.windowsforumz.com/Security-Logon-Logoff-Fail...
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1754298
>
Related resources
Anonymous
July 6, 2005 3:47:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

If the info recorded in the message is correct, then it looks for all
the world as if an anonymous access is being attempted (??).
I would suspect one of CA Unicenter Automation Point v4 SP3
or HP Proliant Essentials (compaq support paq) 7.3
with my bets placed on the last one.
Just why this would be specifying/negotiating a Kerberos binding
for the provider is another issue, but I guess this is machine local.

Have you tried narrowing this down by shutting off these
selectively to see if the event message goes away?
--
Roger Abell
Microsoft MVP (Windows Security)

"Adam White" <AdamWhite@discussions.microsoft.com> wrote in message
news:72A5BD1B-6024-4410-9B14-365757DF87A2@microsoft.com...
> I have a W2k3 RTM member server (2003 domain) running IIS, Microsoft
> Operations Manager 2005 and CA Unicenter Automation Point v4 SP3 + HP
> Proliant Essentials (compaq support paq) 7.3.
>
> I am seeing event 537 logon failure audits twice per minute in the
Secuirty
> Log. All the events look the same:
>
> Logon Failure:
> Reason: An error occurred during logon
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> Status code: 0xC000009A
> Substatus code: 0x0
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> There's not a lot to go on. I tried MSKB and EventID and there were no
> obvious references. Article 318922 talks about domain controllers and NT4,
> and 327889 talks about using local accounts in WinXP but implies that a
user
> name should be logged as part of the event.
>
> I am not sure if 0xC000009A is related to the error
> "STATUS_INSUFFICIENT_RESOURCES" or not but a quick perfmon shows 19.8 Mb
of
> Pool Nonpaged Bytes which seems OK compared to my other servers.
>
> Any ideas?
>
> Thanks
> - Adam
!