Failure Audit

  • Thread starter Thread starter Mark Berretta
  • Start date Start date
M

Mark Berretta

Hi,

I am getting Event ID 681 and 529 on my webserver.
We have users that use Front Page and other users that are going to a secure
site. They all get in know problem but they still get event ID 681 and 529.
How do I stop the errors from happening? My server is w2k sp4.

Thanks,
Mark
 
It could be from other users trying to gain access that do not have proper
credentials. Check that you only have the proper ports available to internet
access by viewing your firewall setup or better yet doing a port scan from
the outside or going to one of the self scan sites if that is not currently
possible such as http://scan.sygatetech.com/ . These failures could be
coming from lan computers also which should be evidencd by known computer
names in the events. --- Steve
 
The Netowrk person does not want me to do a port scan.
Any other suggestions? I can reproduce the error. I just go to the secure
site from inside and it generates the errors.
 
If you can post one each of the events, it might help. Of course change any
public ip address that may show if any. --- Steve
 
This is what I get

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 1/28/2004
Time: 4:42:07 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
The logon to account: (e-mail address removed)
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: xxx
failed. The error code was: 3221225572
 
Thanks. That helps. I am sure that I am not being hacked.
I can reproduce the problem. I have a user go to a webpage that they need to
supply username and password to get in. They get in no problem. But then I
get a 681 on the server.
 
Back
Top