A question related to Windows Security logs
  • A question related to Windows Security logs

    Hi, I have an application which has a client-server architecture. I am facing problems connecting to the server using the client MMC from some workstations. The error message I am getting is:

    "Failed to connect to Administration Service on '<servername>'.
    A security package specific error occurred."

    But from some workstations I am able to login without any issues. One thing I observed is.....

    When client Connection is working, I am seeing the below sequence of events in security logs of the server:
    --------------------------------------------------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 2/20/2008
    Time: 3:38:20 PM
    User: Domain\user1
    Computer: SERVERNAME
    Description:
    Successful Network Logon:
    User Name: user1
    Domain: DOMAIN
    Logon ID: (0x0,0x3372E6BC)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {e621ffd2-7661-1800-ed87-32a61d875491}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: xxx.xxx.xxx.xxxx
    Source Port: 4231


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 2/20/2008
    Time: 3:38:20 PM
    User: DOMAIN\user1
    Computer: SERVERNAME
    Description:
    Successful Network Logon:
    User Name: user1
    Domain: DOMIAN
    Logon ID: (0x0,0x3372EB50)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: MYWORKSTATION
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: xxx.xxx.xxx.xxx
    Source Port: 4233


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    -----------------------------------------------------------------

    When the client connection is failing, I am able to see only the first event on the server (i.e. the Kerberos-related one), not the NTLM-related event.

    Can someone tell me the reason for its failure? It looks more like an authentication problem.

    Thanks,
    Sitaram

  • #2
    Re: A question related to Windows Security logs

    In addition, I am getting the below error event in the system log whenever the connection fails.

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40960
    Date: 2/4/2008
    Time: 5:57:47 PM
    User: N/A
    Computer: MY MACHINE
    Description:
    The Security System detected an attempted downgrade attack for server arssvc/myserver.domain.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
    (0xc000005e)".

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
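
One way to check a text export of the server's Security log for the pattern described in the first post (a Kerberos event 540 with no NTLM event 540 for the same user close to it), as an added example that is not part of the original thread. The function names, the 5-second pairing window and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# "Field Name: value" lines as they appear in the events posted above.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def _rec(time, user, pkg):
    """Build one constructed record in the posted layout (sample data only)."""
    return (f"Event Type: Success Audit\nEvent ID: 540\nDate: 2/20/2008\nTime: {time}\n"
            f"User Name: {user}\nLogon Type: 3\nAuthentication Package: {pkg}\n\n")

# Constructed sample: user1 has both logons, user2 has only the Kerberos one.
SAMPLE = (_rec("3:38:20 PM", "user1", "Kerberos") + _rec("3:38:20 PM", "user1", "NTLM")
          + _rec("4:05:02 PM", "user2", "Kerberos"))

def parse_events(text):
    """Split a text export into dicts; a new record starts at each 'Event Type:' line."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separators, blank lines, the help-link footer
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = val
    events = [e for e in events if "Date" in e and "Time" in e]
    for e in events:
        e["when"] = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return events

def kerberos_without_ntlm(events, window=timedelta(seconds=5)):
    """Return (user, time) for type-3 Kerberos 540 logons with no NTLM 540 in `window`."""
    logons = [e for e in events
              if e.get("Event ID") == "540" and e.get("Logon Type") == "3"]
    ntlm = [e for e in logons if e.get("Authentication Package") == "NTLM"]
    unpaired = []
    for k in logons:
        if k.get("Authentication Package") != "Kerberos":
            continue
        paired = any(n.get("User Name", "").lower() == k.get("User Name", "").lower()
                     and abs(n["when"] - k["when"]) <= window for n in ntlm)
        if not paired:
            unpaired.append((k.get("User Name"), k["when"]))
    return unpaired

if __name__ == "__main__":
    for user, when in kerberos_without_ntlm(parse_events(SAMPLE)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user}: Kerberos logon with no NTLM logon nearby")
```

Timestamps of the unpaired logons can then be compared against LSASRV 40960 warnings in the System log of the affected workstations.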
