
Event ID 529 and 680: Logon Failure:


Post by chicagotech » Tue Mar 16, 2010 10:33 pm

I have a case where a VPN client belonging to another domain tried to access our domain. The event log shows a lot of Event ID 529 entries. More cases can be found here:

Event ID 529
Symptom: There is similar Event ID 529 logged in the Event Viewer. ... Event Source: Security Event Category: Logon/Logoff Event ID: 529. Date: Date ...
www.chicagotech.net/troubleshooting/event529a.htm


--
Bob Lin, Microsoft-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


> (also posted in security group - wasn't sure of most appropriate
> location)
>
> Running SBS 2003 SP2. Sitting behind a firewall with everything shut
> except the essentials (smtp, https, http, rdp). Very small network (5
> workstations) so I know what is on the LAN. In the last 24 hours I
> have seen LOTS of failed connections from a machine I don't have on a
> domain that is not mine. Events 529 + 680 (shown below).
> NOTE - this is NOT my domain name or one of my workstations. Also note
> that there is no IP number given. The system is rejecting a type 3
> logon (network)....but why wouldn't it show an IP? The authentication
> is NTLM - does this mean it has to be on the LAN........or could it be
> coming in through http/s, smtp, rdp? Nothing else is open.
>
> Any ideas how I can trace this?
>
> Security 529 3/17/2010 1:24 AM 276 *
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: HB-MAIL01$
> Domain: HBJSW
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: HB-MAIL01
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: HB-MAIL01$
> Source Workstation: HB-MAIL01
> Error Code: 0xC0000064
chicagotech
Site Admin
 
Posts: 6352
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA
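A triage helper for event text in the layout quoted above, added here as an example and not part of the original post: it parses 529/680 bodies, flags foreign-domain machine accounts and network logons with no recorded source address, and decodes the 680 error code. The local domain name `EXAMPLE`, the third sample record and the function names are assumptions.

```python
import re

# Standard NTSTATUS values that event 680 reports in "Error Code".
NTSTATUS = {"0xC0000064": "account name does not exist",
            "0xC000006A": "account exists, wrong password"}

# Constructed sample: the first two records reuse fields quoted in the post;
# the last record is invented (EXAMPLE domain, documentation address 192.0.2.10).
SAMPLE = """\
> User Name: HB-MAIL01$
> Domain: HBJSW
> Logon Type: 3
> Workstation Name: HB-MAIL01
> Source Network Address: -
>
> Logon account: HB-MAIL01$
> Source Workstation: HB-MAIL01
> Error Code: 0xC0000064

User Name: alice
Domain: EXAMPLE
Logon Type: 3
Workstation Name: WS01
Source Network Address: 192.0.2.10
"""

def parse_records(text):
    """Strip '>' quote markers, split on blank lines, return one field dict per record."""
    text = re.sub(r"^>[ \t]?", "", text, flags=re.M)
    blocks = re.split(r"\n[ \t]*\n", text.strip())
    found = [re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*)$", b, re.M) for b in blocks]
    return [{k.strip(): v.strip() for k, v in pairs} for pairs in found if pairs]

def triage(text, local_domain):
    """Return (event_id, workstation, account, notes) for each failure record."""
    findings = []
    for rec in parse_records(text):
        if "Logon Type" in rec:  # body of event 529
            checks = [(rec.get("Domain", "").upper() != local_domain.upper(), "foreign domain"),
                      (rec.get("User Name", "").endswith("$"), "machine account"),
                      (rec["Logon Type"] == "3" and rec.get("Source Network Address") == "-",
                       "network logon without source address")]
            notes = [note for hit, note in checks if hit]
            findings.append((529, rec.get("Workstation Name"), rec.get("User Name"), notes))
        elif "Error Code" in rec:  # body of event 680
            code = "0x" + rec["Error Code"][2:].upper()
            findings.append((680, rec.get("Source Workstation"), rec.get("Logon account"),
                             [NTSTATUS.get(code, "unmapped code " + code)]))
    return findings
```
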
