RE: Auditing enabled but Logon Failures not showing up
thenile
ziplip.com
Date: Mon Oct 27 2003 - 01:54:50 CST
> > Step 3: Joe tries to log on with the wrong password and straight away tries
> > to log on with the right password, event 529 shows up on DCs.
>
> I assume even when Joe does log on with the right password first,
> you get a 529 on the DC?
NO, nothing shows up in the DCs' logs when there is a successful local login. The only account which exists locally on all machines is the renamed Admin account; all users are domain users. I have only created local users for testing and they do not map any shares. By the way, the local users have different usernames from the domain users.
When Dave mentioned the specific event IDs, I thought he was only after the ID and not the event, sorry about that. So here is the event which shows in the DCs when trying to log on to a local machine with the wrong password:
--------------------------------Event id 529 -------------------
Logon Failure:
Reason: Unknown user name or bad password
User Name: thenileLocalAcct
Domain: thenileLocalMachine
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\thenileLocalMachine
------------------------------Event id 528 ---------------------
When a client logs on successfully to the domain, this shows up:
Successful Logon:
User Name: thenileDomainAcct
Domain: DomainName
Logon ID: Logon ID removed
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\thenileLocalMachine
-----------------------------------------------------
So again, my main problem is that when a user tries to log on to the domain with the wrong password, no events are showing up. After that person tries for n times, his/her account gets locked out as per the setting in the policies in the User Manager.
From the Google post I included previously it seems that other people have experienced the same problem. I have also received two different emails from ppl asking if I managed to get answers for this problem because they are facing the same issue.
If I have omitted any details, please let me know and I will provide it.
Your help is greatly appreciated.
Thenile
> The reason could be:
> On some earlier session, Joe did make a network connection to the DC.
> This connection used another account, because a local account normally
> can't connect to the DC. Joe did use the option "reconnect again..."
> Now when Joe logs on again, the WS tries to reestablish the connection
> to the network share, but it has no or the wrong password.
>
> If my assumption is wrong, you really should provide the entire output of
> the 529 event on the DC, as other members on the list already
> suggested.
>
>
>
> Frank Heyne
>
>
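
An added example, not part of the original post or thread: a small Python parser for event text in the layout quoted above. It flags 529 events whose Domain field equals the workstation name, meaning a workstation-local account was presented to the DC over a type 3 (network) logon, as in the event the poster quoted. The function names and the second sample event are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the event text quoted in the post;
# the second event is invented to show the contrasting case.
SAMPLE_LOG = """\
--- Event id 529 ---
Logon Failure:
Reason: Unknown user name or bad password
User Name: thenileLocalAcct
Domain: thenileLocalMachine
Logon Type: 3
Workstation Name: \\\\thenileLocalMachine
--- Event id 529 ---
Logon Failure:
User Name: thenileDomainAcct
Domain: DomainName
Logon Type: 3
Workstation Name: \\\\thenileLocalMachine
"""

HEADER = re.compile(r"^-+\s*Event id\s+(\d+)\s*-+\s*$", re.I)
FIELD = re.compile(r"^([^:]+):\s*(.*)$")

def parse_events(text):
    """Split pasted event text into one dict of fields per event."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            events.append({"Event ID": int(header.group(1))})
        elif events:
            field = FIELD.match(line)
            if field and field.group(2):  # skip titles such as "Logon Failure:"
                events[-1][field.group(1).strip()] = field.group(2).strip()
    return events

def classify_529(event):
    """Heuristic (assumption): Domain == workstation name means a local account."""
    if event.get("Event ID") != 529:
        return "not-a-logon-failure"
    host = event.get("Workstation Name", "").lstrip("\\").lower()
    if event.get("Logon Type") == "3" and host and event.get("Domain", "").lower() == host:
        return "local-account-over-network"
    return "domain-account-failure"

def summarize(text):
    """Count 529 events per (classification, user name)."""
    return Counter((classify_529(e), e.get("User Name"))
                   for e in parse_events(text) if e["Event ID"] == 529)
```
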