Event ID 529 and 675 W/O Account Lockout or Errors on account used for backups

I have been receiving these errors in the sbs log ever since changing
the beadmin password. The account login/pw has been validated and
works. The account doesn't get locked out. I have checked all BE
services and media server account - they're correct too. There are no
accounts logged in at the server, rdp either. These errors are minimal
in their occurrences, and only happen when the job runs- each night.
Help please :)


Critical Errors in Security Log

Source Event ID Last Occurrence Total Occurrences
Security 529 4/9/2007 1:45 AM 2 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: beupaccount
Domain: ServerDomain
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: Server
Caller User Name: Server$
Caller Domain: ServerDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1508
Transited Services: -
Source Network Address: -
Source Port: -


Source Event ID Last Occurrence Total Occurrences
Security 675 4/9/2007 1:45 AM 2 *
Pre-authentication failed:
User Name: beupaccount
User ID: ServerDomain\beupaccount
Service Name: krbtgt/ServerDomain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Hi Geoff,

Thanks for posting here.

From your problem description, I understand this issue to be: you receive
security event 529 and 675 on your SBS 2k3 server. If I am off base, please
do not hesitate to let me know.

Type 0x2 means "Encoded timestamp" and failure code 0x18 means
"Pre-authentication information was invalid".


Logon Type 4 – Batch
When Windows executes a scheduled task, the Scheduled Task service first
creates a new logon session for the task so that it can run under the
authority of the user account specified when the task was created. When
this logon attempt occurs, Windows logs it as logon type 4. Other job
scheduling systems, depending on their design, may also generate logon
events with logon type 4 when starting jobs. Logon type 4 events are
usually just innocent scheduled tasks startups but a malicious user could
try to subvert security by trying to guess the password of an account
through scheduled tasks. Such attempts would generate a logon failure event
where logon type is 4. But logon failures associated with scheduled tasks
can also result from an administrator entering the wrong password for the
account at the time of task creation or from the password of an account
being changed without modifying the scheduled task to use the new password.

Please refer to the following article

http://www.windowsecurity.com/articles/Logon-Types.html


Regarding this situation, I would like to give the following suggestions:

1.Type 0x2 means "encoded timestamp", so the Authenticator failed. The
failure might be due to time skew > 5 minutes. Check the time/timezone on
the client and on all the server to make sure that they are synchronized.

2.rerun backup configuation wizard.

3.If issue persists,go to control panel,scheduled tasks,backup small
business server,change the run as: yourdomainname\administrator,click set
password,enter domain admin password.

the step means to use domain admin to perform backup job,not default SBS
Backup user.

4.If issue still occur,perform a clean boot.

a. Click Start -> Run
b. Input msconfig and click OK.
c. Click Service Tab and check Hide all Microsoft Services and click
Disable All.
d. Click Startup Tab and click Disable All.
e. Click OK and reboot the computer and test again.

Please test this issue in the Clean Boot environment

5. Please enforce the strong password policy and make sure passwords are
well managed throughout your network.


In addition,please let me know the following information:

1.Is the server name "server"?

2.which user did you change the password?please let me know the actual user
name.

3.%systemroot%\System32\config\SecEvent.Evt,please compress the file and
send to me at v-jaluo@microsoft.com


Thanks for your time, Please try the suggestions above and let me know the
results at your earliest convenience. I look forward to hearing from you
soon.

Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
================================================== ==
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
================================================== ==
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
================================================== ==
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ==

On Apr 10, 5:57 am, v-ja...@online.microsoft.com ("Jacky Luo [MSFT]")
wrote:
> Hi Geoff,
>
> Thanks for posting here.
>
> From your problem description, I understand this issue to be: you receive
> securityevent529 and 675 on your SBS 2k3 server. If I am off base, please
> do not hesitate to let me know.
>
> Type 0x2 means "Encoded timestamp" and failure code 0x18 means
> "Pre-authentication information was invalid".
>
> Logon Type 4 - Batch
> When Windows executes a scheduled task, the Scheduled Task service first
> creates a new logon session for the task so that it can run under the
> authority of the useraccountspecified when the task was created. When
> this logon attempt occurs, Windows logs it as logon type 4. Other job
> scheduling systems, depending on their design, may also generate logon
> events with logon type 4 when starting jobs. Logon type 4 events are
> usually just innocent scheduled tasks startups but a malicious user could
> try to subvert security by trying to guess the password of anaccount
> through scheduled tasks. Such attempts would generate a logon failureevent
> where logon type is 4. But logon failures associated with scheduled tasks
> can also result from an administrator entering the wrong password for theaccountat the time of task creation or from the password of anaccount
> being changed without modifying the scheduled task to use the new password.
>
> Please refer to the following article
>
> http://www.windowsecurity.com/articles/Logon-Types.html
>
> Regarding this situation, I would like to give the following suggestions:
>
> 1.Type 0x2 means "encoded timestamp", so the Authenticator failed. The
> failure might be due to time skew > 5 minutes. Check the time/timezone on
> the client and on all the server to make sure that they are synchronized.
>
> 2.rerun backup configuation wizard.
>
> 3.If issue persists,go to control panel,scheduled tasks,backup small
> business server,change the run as: yourdomainname\administrator,click set
> password,enter domain admin password.
>
> the step means to use domain admin to perform backup job,not default SBS
> Backup user.
>
> 4.If issue still occur,perform a clean boot.
>
> a. Click Start -> Run
> b. Input msconfig and click OK.
> c. Click Service Tab and check Hide all Microsoft Services and click
> Disable All.
> d. Click Startup Tab and click Disable All.
> e. Click OK and reboot the computer and test again.
>
> Please test this issue in the Clean Boot environment
>
> 5. Please enforce the strong password policy and make sure passwords are
> well managed throughout your network.
>
> In addition,please let me know the following information:
>
> 1.Is the server name "server"?
>
> 2.which user did you change the password?please let me know the actual user
> name.
>
> 3.%systemroot%\System32\config\SecEvent.Evt,please compress the file and
> send to me at v-ja...@microsoft.com
>
> Thanks for your time, Please try the suggestions above and let me know the
> results at your earliest convenience. I look forward to hearing from you
> soon.
>
> Have a nice day!
>
> Best regards,
>
> Jacky Luo (MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! -www.microsoft.com/security
> ================================================== ==
> PLEASE NOTE: The partner managed newsgroups are provided to
> assist with break/fix issues and simple how to questions.
> We also love to hear your product feedback! Let us know what you think by
> posting
>
> from the web interface: Partner Feedback
> from your newsreader: microsoft.private.directaccess.partnerfeedback.
>
> We look forward to hearing from you!
> ================================================== ==
> When responding to posts, please "Reply to Group" via your newsreader
> so that others may learn and benefit from this issue.
> ================================================== ==
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ================================================== ==

Thanks for the reply.

The information provided regarding the system and account names was
accurate with modifications to prevent system specifics.

The account relevant to the errors is an administrator equiv. used by
Symantec Backup Exec to backup the system- Which happens successfully
and the account 'DOES NOT GET LOCKED OUT'. The only thing is these
account errors are noted. I have logged into the server console using
this account- no problems.

I do have a scheduled task that stops the removable storage manager on
the server every night before the Backup Exec starts (to resolve the
RSM errors that occur if you don't).

This task uses the same Backup exec admin account. I have set the
password for the scheduled task to match the new one for this
account. Let's see- but I believe this may be the source of the
problem.

Thank you..

Hi Geoff,

Thanks for posting back.

As you said,you have set the password for the scheduled task to match the
new one for Backup exec admin account,I think it will work,and without
security error appearing. Please keep an eye on this issue, If you have any
update,please let me know.

the root cause should be you have changed the password of Backup exec admin
account,but you have not set the new password for the scheduled task.

Hope this helps


Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
================================================== ==
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
================================================== ==
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
================================================== ==
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ==