Click here to get back home

Security Log - Events 680, 529 and 675 for NT AUTHORITY\SYSTEM every two minutes
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Security Log - Events 680, 529 and 675 for NT AUTHORITY\SYSTEM every two minutes Stuart 02-05-2006
Get Chitika Premium
Posted by Stuart on February 5, 2006, 11:50 am
Please log in for more thread options
 Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large
number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular we
get 680, 529 and 675 in a block roughly every 2 minutes, but can also get
680 and 529 together or 675 on it's own. So far I haven't been able to work
out why they have suddenly started occurring. What I've managed to work out
so far is the fault either started after the ISA 2004 upgrade as part of
SP1 install or after two recent KB updates, although it may coincidental.

Unfortunately I'm no further to working out what is causing the entries. If
anyone has any advice it would be appreciated.

Thanks,
Stuart.

Event 680:
Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: [ServerName]$
Source Workstation: [ServerName]
Error Code: 0xC000006A

Event 529:
Logon Failure:
Reason: Unknown user name or bad password
Username: [ServerName]$
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: [ServerName]

Event 675
Preauthentication failed:
Username [ServerName]
User : DOMAIN\[ServerName]
Service Name: krbtgt/DOMAIN.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1




Posted by Susan Bradley, CPA aka Ebitz - on February 5, 2006, 12:28 pm
Please log in for more thread options
 This is only at the server right?

Got any of the following?

1. HP printer monitor software on a workstation
2. NIC helper software from Intel?

Uninstall them.

I had 60,000 failure audits on my DC due to the HP printer monitor software.

Stuart wrote:
> Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large
> number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular we
> get 680, 529 and 675 in a block roughly every 2 minutes, but can also get
> 680 and 529 together or 675 on it's own. So far I haven't been able to work
> out why they have suddenly started occurring. What I've managed to work out
> so far is the fault either started after the ISA 2004 upgrade as part of
> SP1 install or after two recent KB updates, although it may coincidental.
>
> Unfortunately I'm no further to working out what is causing the entries. If
> anyone has any advice it would be appreciated.
>
> Thanks,
> Stuart.
>
> Event 680:
> Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon Account: [ServerName]$
> Source Workstation: [ServerName]
> Error Code: 0xC000006A
>
> Event 529:
> Logon Failure:
> Reason: Unknown user name or bad password
> Username: [ServerName]$
> Logon Type: 3
> Logon Process: NtLmSsp
> Workstation Name: [ServerName]
>
> Event 675
> Preauthentication failed:
> Username [ServerName]
> User : DOMAIN\[ServerName]
> Service Name: krbtgt/DOMAIN.LOCAL
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 127.0.0.1
>
>
>
>

Posted by Stuart on February 5, 2006, 12:37 pm
Please log in for more thread options
Hi Susan, thanks for the quick response. We don't have an NIC Helper
software, but there is an HP Photosmart printer (connected via network
connection) used by one workstation. The printer and driver software has
been running for quite some time before the errors started occuring but I'll
have a look into it. Would the HP software on a standalone
printer/workstation be able to generate authantication errors like this on
the DC (the software is not installed on the DC itself) ?

Thanks again,
Stuart.

> This is only at the server right?
>
> Got any of the following?
>
> 1. HP printer monitor software on a workstation
> 2. NIC helper software from Intel?
>
> Uninstall them.
>
> I had 60,000 failure audits on my DC due to the HP printer monitor
> software.
>
> Stuart wrote:
>> Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large
>> number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular
>> we get 680, 529 and 675 in a block roughly every 2 minutes, but can also
>> get 680 and 529 together or 675 on it's own. So far I haven't been able
>> to work out why they have suddenly started occurring. What I've managed
>> to work out so far is the fault either started after the ISA 2004 upgrade
>> as part of SP1 install or after two recent KB updates, although it may
>> coincidental.
>>
>> Unfortunately I'm no further to working out what is causing the entries.
>> If anyone has any advice it would be appreciated.
>>
>> Thanks,
>> Stuart.
>>
>> Event 680:
>> Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon Account: [ServerName]$
>> Source Workstation: [ServerName]
>> Error Code: 0xC000006A
>>
>> Event 529:
>> Logon Failure:
>> Reason: Unknown user name or bad password
>> Username: [ServerName]$
>> Logon Type: 3
>> Logon Process: NtLmSsp
>> Workstation Name: [ServerName]
>>
>> Event 675
>> Preauthentication failed:
>> Username [ServerName]
>> User : DOMAIN\[ServerName]
>> Service Name: krbtgt/DOMAIN.LOCAL
>> Pre-Authentication Type: 0x2
>> Failure Code: 0x18
>> Client Address: 127.0.0.1
>>
>>
>>
>>



Posted by Susan Bradley, CPA aka Ebitz - on February 5, 2006, 1:47 pm
Please log in for more thread options
That's exactly what happened in my office.

A desktop installed printer caused 60,000 Kerb errors on the DC.

Stuart wrote:
> Hi Susan, thanks for the quick response. We don't have an NIC Helper
> software, but there is an HP Photosmart printer (connected via network
> connection) used by one workstation. The printer and driver software has
> been running for quite some time before the errors started occuring but I'll
> have a look into it. Would the HP software on a standalone
> printer/workstation be able to generate authantication errors like this on
> the DC (the software is not installed on the DC itself) ?
>
> Thanks again,
> Stuart.
>
>
>> This is only at the server right?
>>
>> Got any of the following?
>>
>> 1. HP printer monitor software on a workstation
>> 2. NIC helper software from Intel?
>>
>> Uninstall them.
>>
>> I had 60,000 failure audits on my DC due to the HP printer monitor
>> software.
>>
>> Stuart wrote:
>>
>>> Hi. On our SBS 2k3 Premium Server SP1 we are currently getting a large
>>> number of the Failure Audits for the NT AUTHORITY\SYSTEM. In particular
>>> we get 680, 529 and 675 in a block roughly every 2 minutes, but can also
>>> get 680 and 529 together or 675 on it's own. So far I haven't been able
>>> to work out why they have suddenly started occurring. What I've managed
>>> to work out so far is the fault either started after the ISA 2004 upgrade
>>> as part of SP1 install or after two recent KB updates, although it may
>>> coincidental.
>>>
>>> Unfortunately I'm no further to working out what is causing the entries.
>>> If anyone has any advice it would be appreciated.
>>>
>>> Thanks,
>>> Stuart.
>>>
>>> Event 680:
>>> Logon Attempt By: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>> Logon Account: [ServerName]$
>>> Source Workstation: [ServerName]
>>> Error Code: 0xC000006A
>>>
>>> Event 529:
>>> Logon Failure:
>>> Reason: Unknown user name or bad password
>>> Username: [ServerName]$
>>> Logon Type: 3
>>> Logon Process: NtLmSsp
>>> Workstation Name: [ServerName]
>>>
>>> Event 675
>>> Preauthentication failed:
>>> Username [ServerName]
>>> User : DOMAIN\[ServerName]
>>> Service Name: krbtgt/DOMAIN.LOCAL
>>> Pre-Authentication Type: 0x2
>>> Failure Code: 0x18
>>> Client Address: 127.0.0.1
>>>
>>>
>>>
>>>
>>>
>
>
>

Similar ThreadsPosted
KB 925902 causes SceCli 1202 warning events every 5 minutes April 19, 2007, 12:31 pm
Auditing Security Events May 10, 2007, 1:54 am
Follow-up to Empty 529 Events in Security Log July 27, 2006, 12:02 pm
Multiple 538 and 540 ID's in 2003 server Security Events Log? August 23, 2006, 12:58 am
Logon/Logoff Events in Local Security Log of Terminal Server July 20, 2007, 2:39 pm
SMTPSVC events June 13, 2006, 9:11 am
How to store windows events log in remote server July 31, 2005, 6:44 pm
All I want to do is audit "delete" events, but log gets massive: how to do effiecntly? November 3, 2005, 8:59 am
audit logon/logoff events on terminal server July 18, 2007, 10:29 am
No MACHINE$ inside "Audit account logon events" November 26, 2008, 4:14 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap