Re: Account logon failed

[Doug Massey <doug () masseytechnologies com>]

This is a common event with Microsoft networking products and 
seems to show up more with AD than NT.  I bet it happens, if 
you check the times, very rapidly from one server to the 
next.  In fact, faster than one would think a person could 
provide.  Check each of the servers attempted, If they have 
printers attached or shared, this is likely the culprit.  If 
this is the case, then the machine attempting logon is 
actually trying to load a printer and is searching local 
networks for printers.  That creates the attempted logon.  
Again, if these symptons are there, not much you can do but 
try to filter.  Maybe it can be blocked at a firewall.

---- Original message ----
> Date: Thu, 21 Aug 2003 16:28:48 +0100
> From: Alastair Cook <Alastair.Cook () crown uk com>  
> Subject: Account logon failed  
> To: security-basics () securityfocus com
>
> Hi, does anyone know what this error means, or specifically 
how to stop it!
> I'm getting it in the security log on numerous servers in 
one domain from a
> machine in another domain - no trust exists
>
> ---
> Event Type:    Failure Audit
> Event Source:  Security
> Event Category:        Account Logon 
> Event ID:      681
> Date:          21/08/2003
> Time:          15:49:30
> User:          NT AUTHORITY\SYSTEM
> Computer:      in domain A
> Description:
> The logon to account: in domain b
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: in domain b
> failed. The error code was: 3221225572
> ---
>
> It looks like this machine is trying to log on to servers in 
one domain
> using a domain account in it's own domain
>
> Any ideas, there's not much I could find on the internet and 
it's driving me
> nuts
>
> Thanks, Ali
>
> ----------------------- 
> This email is confidential and intended solely for the use 
of the individual
> to whom it is addressed. Any views or opinions presented are 
solely those of
> the author and do not necessarily represent those of 
Alphameric Hospitality.
> If you are not the intended recipient, be advised that you 
received this
> email in error and that any use, dissemination, forwarding, 
printing, or
> copying of this email is strictly prohibited. If you have 
received this
> email in error please notify the sender.
>
>
> -------------------------------------------------------------
--------------
> -------------------------------------------------------------
---------------
>
Doug Massey
Massey Technologies, Inc.
301-717-6404

---------------------------------------------------------------------------
----------------------------------------------------------------------------