Failure Audit 537 in Event Log

Tutorials Win: Microsoft Windows Forum

Got a couple of SBS 2003 Premium servers (patched to SP2) which have
started getting the following entries in their Security Event Logs
recently:

---------------

Type: Failure Audit
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: SBS

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: =D0=F9S=08=FC=A0=82|
Authentication Package: NTLM
Workstation Name:
Status code: 0x80090308
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

---------------

The characters under 'Logon Process' change with every entry but
everything else is the same. The only change that's occurred recently
on both servers is that they've been upgraded From Trend CSM 3.6 to
WFBS Advanced 5.0 & are both running the OfficeScan site under IIS
with SSL turned off (port 4343) following the instructions on the
Trend Website to avoid a conflict with ISA 2004.

Any ideas?

Jonathan
Top

Re: Failure Audit 537 in Event Log by Jim

Jim
Tue Jun 24 14:01:28 PDT 2008

I'm in the same boat, upgraded to WFBS Advanced 5.0 and have thousands of
these daily. I have an open ticket with Trend. If I/we figure it out, I'll
post it.

Jim G.


<jdseymour1978@googlemail.com> wrote in message
news:fb357b99-3453-4959-94a8-a0cf35152067@l64g2000hse.googlegroups.com...
Got a couple of SBS 2003 Premium servers (patched to SP2) which have
started getting the following entries in their Security Event Logs
recently:

---------------

Type: Failure Audit
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: SBS

Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: ÐùSü ?|
Authentication Package: NTLM
Workstation Name:
Status code: 0x80090308
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

---------------

The characters under 'Logon Process' change with every entry but
everything else is the same. The only change that's occurred recently
on both servers is that they've been upgraded From Trend CSM 3.6 to
WFBS Advanced 5.0 & are both running the OfficeScan site under IIS
with SSL turned off (port 4343) following the instructions on the
Trend Website to avoid a conflict with ISA 2004.

Any ideas?

Jonathan


Top

Re: Failure Audit 537 in Event Log by v-gzwang

v-gzwang
Wed Jun 25 03:01:03 PDT 2008

Hello Jonathan,

Thank you for your post.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understandings are correct. As I
understand it, the issue is:

You get the event 537 in SBS event log.

If I have misunderstood your concerns please feel free to let me know.

Suggestion :
==============
It seems your issue most likely be caused by the application upgrade. It
should related to the changes which have been made during the upgrade
process on SBS server. And the third party software(WFBS) may attempting to
connect SBS service with wrong credential. So I would like to suggest that
you to contact Trend Micro's technical support for more information.

By the way, let's perform a Clean Boot. A Clean Boot will allow us to
isolate any programs that are loading at startup that may be causing a
conflict with other device drivers or programs that are installed in your
computer.

1) Run MSCONFIG.EXE. (MSCONFIG is a built-in tool for Windows XP\2003
systems.)

2) In the Services tab, click "Hide All Microsoft Services" and click
"Disable All". Please note that the Exchange services could be marked as
non-Microsoft. Please do not disable those services.

3) In the Startup tab, click "Disable All". Click OK. (This will
temporarily prevent third-party programs from running automatically during
start-up.)

4) Restart the computer. Does the problem still persist?

If the problem does not occur, it indicates that the problem is related to
one application or service we have disabled. You can use the MSCONFIG tool
again to re-enable the disabled item one by one to find out the culprit.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

Information Need
==============
1. Check event viewer for related information, please help save it to *.evt
and send to me.
2. Is there any other impact except the error log?

My email address is v-gzwang@microsoft.com

I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)

Thank you for your time and cooperation!

Best regards,

Gary Wang(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Jim G" <Jim @ somewhere.net>
| References:
<fb357b99-3453-4959-94a8-a0cf35152067@l64g2000hse.googlegroups.com>
| Subject: Re: Failure Audit 537 in Event Log
| Date: Tue, 24 Jun 2008 17:01:28 -0400
| Lines: 56
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
| X-RFC2646: Format=Flowed; Original
| Message-ID: <#zLE91j1IHA.1240@TK2MSFTNGP02.phx.gbl>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 162.95.80.228
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:112921
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I'm in the same boat, upgraded to WFBS Advanced 5.0 and have thousands of
| these daily. I have an open ticket with Trend. If I/we figure it out,
I'll
| post it.
|
| Jim G.
|
|
| <jdseymour1978@googlemail.com> wrote in message
| news:fb357b99-3453-4959-94a8-a0cf35152067@l64g2000hse.googlegroups.com...
| Got a couple of SBS 2003 Premium servers (patched to SP2) which have
| started getting the following entries in their Security Event Logs
| recently:
|
| ---------------
|
| Type: Failure Audit
| Event ID: 537
| User: NT AUTHORITY\SYSTEM
| Computer: SBS
|
| Logon Failure:
| Reason: An error occurred during logon
| User Name:
| Domain:
| Logon Type: 3
| Logon Process: ÐùS??|
| Authentication Package: NTLM
| Workstation Name:
| Status code: 0x80090308
| Substatus code: 0x0
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: -
| Source Port: -
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
| ---------------
|
| The characters under 'Logon Process' change with every entry but
| everything else is the same. The only change that's occurred recently
| on both servers is that they've been upgraded From Trend CSM 3.6 to
| WFBS Advanced 5.0 & are both running the OfficeScan site under IIS
| with SSL turned off (port 4343) following the instructions on the
| Trend Website to avoid a conflict with ISA 2004.
|
| Any ideas?
|
| Jonathan
|
|
|

Top