How can I trace this to a source address?

Logon Failure:
    Reason: Unknown user name or bad password
    User Name: admin
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: xxxxxxxx
    Caller User Name: xxxxxxxx
    Caller Domain: xxxxxxxxxxxx
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 324
    Transited Services: -
    Source Network Address: -
    Source Port: -

RE: Event ID 529 by zeiss

zeiss
Fri Mar 28 01:28:00 PDT 2008

If ISA is installed, you could find the IP in the log file. Have a look at
this:

http://www.microsoft.com/technet/security/secnews/articles/sec_sbs2003_network.mspx


"Sam" wrote:

> How can I trace this to a source address?

Re: Event ID 529 by Sam

Sam
Sat Mar 29 04:57:24 PDT 2008

On 2008-03-28 04:28:00 -0400, zeiss <zeiss@discussions.microsoft.com> said:

> If ISA is installed, you could find the IP in the log file. Have a look at
> this:
>
> http://www.microsoft.com/technet/security/secnews/articles/sec_sbs2003_network.mspx


ISA is not installed. It's SBS 2003 Standard.


Re: Event ID 529 by zeiss

zeiss
Mon Mar 31 19:50:01 PDT 2008

Check the SMTP log to see if you can find the IP. Actually, you can skip this
warning if the network is secure.

"Sam" wrote:

> ISA is not installed. It's SBS 2003 Standard.
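
Added example, not part of the original thread: because the event's Source Network Address is blank, one way to act on the SMTP-log suggestion is to match the event time against AUTH commands in a W3C-format log and read the client address from c-ip. The sample log, its field set, the event time and the UTC-7 offset are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended format (RFC 5737 addresses). The field set
# is an assumption; the parser uses whatever the #Fields header declares.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-03-27 22:14:03 192.0.2.10 mail.example.org EHLO +mail.example.org 250
2008-03-27 22:41:17 203.0.113.45 scanner EHLO +scanner 250
2008-03-27 22:41:18 203.0.113.45 scanner AUTH +LOGIN 334
2008-03-27 22:41:19 203.0.113.45 scanner QUIT - 221
2008-03-27 23:05:40 198.51.100.7 relay.example.net MAIL +FROM:<a@example.net> 250
garbage line that does not match the header
"""

def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue                        # truncated or foreign line
            row = dict(zip(fields, values))
            try:
                row["ts"] = datetime.strptime(
                    row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                continue                        # no usable timestamp
            rows.append(row)
    return rows

def to_utc(event_local, utc_offset_hours):
    """Event Viewer shows local time; W3C logs are written in UTC."""
    return event_local - timedelta(hours=utc_offset_hours)

def auth_sources(rows, event_utc, window_s=5):
    """Map client IP -> AUTH timestamps within window_s seconds of the event."""
    span = timedelta(seconds=window_s)
    hits = {}
    for r in rows:
        if r.get("cs-method", "").upper() == "AUTH" and abs(r["ts"] - event_utc) <= span:
            hits.setdefault(r.get("c-ip", "?"), []).append(r["ts"])
    return hits

if __name__ == "__main__":
    # Constructed event time: 15:41:18 local, assumed PDT (UTC-7).
    event_utc = to_utc(datetime(2008, 3, 27, 15, 41, 18), -7)
    for ip, seen in auth_sources(parse_w3c(SAMPLE_LOG), event_utc).items():
        print(ip, [t.isoformat() for t in seen])
```

Skipping the local-to-UTC conversion is the usual reason a correlation like this finds nothing, so confirm the server's offset before widening the window.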