Windows Server - Security log errors (Event ID 537)

Asked By bren on 01-Oct-07 01:59 PM
Running SBS 2003 with clients all running Windows XP Pro SP2.  Starting about
a week ago I started receiving critical errors in the Server Performance
Report.  They all follow a similar pattern:
Logon Failure:
Reason:	An error occurred during logon
User Name:
Domain:
Logon Type:	3
Logon Process:	Kerberos
Authentication Package:	Kerberos
Workstation Name:	-
Status code:	0xC000006D
Substatus code:	0xC0000133
Caller User Name:	-
Caller Domain:	-
Caller Logon ID:	-
Caller Process ID:	-
Transited Services:	-
Source Network Address:	192.168.1.87
Source Port:	2363

The source network address and source port will change.

Logon Failure:
Reason:	An error occurred during logon
User Name:
Domain:
Logon Type:	3
Logon Process:	Kerberos
Authentication Package:	Kerberos
Workstation Name:	-
Status code:	0xC000006D
Substatus code:	0xC0000133
Caller User Name:	-
Caller Domain:	-
Caller Logon ID:	-
Caller Process ID:	-
Transited Services:	-
Source Network Address:	192.168.1.32
Source Port:	0

and
Source	Event ID	Last Occurrence	Total Occurrences
Security	537	9/28/2007 5:34 AM	276 *
Logon Failure:
Reason:	An error occurred during logon
User Name:
Domain:
Logon Type:	3
Logon Process:	Kerberos
Authentication Package:	Kerberos
Workstation Name:	-
Status code:	0xC000006D
Substatus code:	0xC0000133
Caller User Name:	-
Caller Domain:	-
Caller Logon ID:	-
Caller Process ID:	-
Transited Services:	-
Source Network Address:	192.168.1.30
Source Port:	3959


Cannot seem to find the cause....

Thanks!




v-mzhua replied on 03-Oct-07 03:09 AM
Hello Brent,

Thank you for posting here.

According to your description, I understand that you received this event
error "Security, 537" in the SBS 2003 Server. If I have misunderstood the
problem, please don't hesitate to let me know.

Based on my research, please kindly check the following information:

1.   Firstly, I would like to confirm that the Source Network Addresses
"192.168.1.87, 192.168.1.32, 192.168.1.30" are the IP addresses of the
Windows XP clients that are in your network.

Because the Windows XP computer tries to use Kerberos authentication before
using NTLM authentication, the computer tries to contact the SBS 2003
domain controller by using Kerberos. A logon type of 3 translates to
Network. The substatus code: 0xc0000133 translates to
STATUS_TIME_DIFFERENCE_AT_DC. Therefore, according to this information, I
suspect that the client is failing to authenticate to the domain controller
because there is a time difference (greater than 5 minutes) between the two
computers. Thus, the Kerberos authentication fails as it is unable to pass
the time verification.

So, please log into the Windows XP client and double-check that the time,
date, and year are the same as on the Windows 2003 domain controller.
Please note that they may be in different time zones. Otherwise, you can
configure the time service on XP Professional to synchronize time from the
server. By default, the DC is the time server and it has this service
enabled. Refer to the following article.

314054 How to Configure an Authoritative Time Server in Windows XP
http://support.microsoft.com/?id=314054

In addition, I also suggest you check whether the Time service on the SBS
2k3 server is disabled. If it is disabled, please also refer to the
following information:

1. Go to the SBS 2003 server, check the time zone setting. Make sure the
time zone setting is correct.

2. Open 'Services' console in 'Administrative Tools'. In the services
console, double-click 'Windows Time'. If the startup type is 'Disabled',
please change it to 'Automatic' and then click 'Start' button to start this
service.

3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

In the right panel, double-click 'Type'. If the value data is 'NoSync',
change it to 'Nt5DS'. Go to services console, restart the Windows Time
service.

4. After doing the above steps, reboot the client workstations
[192.168.1.87] and then try to log on to the domain. If the problem still
occurs, please open a command prompt on the workstation, type 'w32tm
/monitor /computers:localhost' (without the quotation marks) and press
Enter. What's the output?

2.   If the issue persists, please kindly refer to the following KB article
to force Kerberos to use TCP instead of UDP, and then check if the issue
can be reproduced.

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in
Windows XP, and in Windows 2000
http://support.microsoft.com/?id=244474

3.   If the problem still happens, follow the steps in Q262177 to turn on
Kerberos event logging. Restart the computer. If you get one 537 event
logged, please run the MPSReport utility and send the output CAB file to me
at v-mzhuan@microsoft.com. The MPSReport utility is available at:

http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE

Related Knowledge Base articles:

262177 HOW TO: Enable Kerberos Event Logging
http://support.microsoft.com/?id=262177

Overview of the Microsoft Configuration Capture Utility (MPS_REPORTS)
http://support.microsoft.com/?id=818742

I'm looking forward to hearing from you.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
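
One way to triage a pasted batch of these events, as an added example that is not part of the original thread: it parses the "Logon Failure" records and counts, per source address, the Kerberos network logons that failed with substatus 0xC0000133, which tells you which clients' clocks to compare with the DC. The sample records are constructed in the layout shown in the question (192.0.2.10 and its substatus are made up), and the function names are illustrative.

```python
from collections import Counter

# NTSTATUS names from ntstatus.h for codes seen in logon-failure events.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
}

def parse_events(text):
    """Return one dict of field -> value per 'Logon Failure:' record."""
    events, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # blank lines and free text between records
        if key.strip() == "Logon Failure":
            cur = {}
            events.append(cur)
        elif cur is not None:
            cur[key.strip()] = val.strip()
    return events

def code(event, field):
    """Hex field as int, or None when it is missing or '-'."""
    try:
        return int(event.get(field, ""), 16)
    except ValueError:
        return None

def status_name(value):
    return NTSTATUS.get(value, "unmapped")

def clock_skew_sources(events):
    """Count Kerberos network logons rejected for clock skew, per source address."""
    hits = Counter()
    for e in events:
        if (e.get("Logon Type") == "3" and e.get("Authentication Package") == "Kerberos"
                and code(e, "Substatus code") == 0xC0000133):
            hits[e.get("Source Network Address", "-")] += 1
    return dict(hits)

def _record(addr, sub):  # constructed sample in the layout shown in the question
    return ("Logon Failure:\n\tReason:\tAn error occurred during logon\n"
            "\tLogon Type:\t3\n\tAuthentication Package:\tKerberos\n"
            f"\tStatus code:\t0xC000006D\n\tSubstatus code:\t{sub}\n"
            f"\tSource Network Address:\t{addr}\n")

SAMPLE = "".join(_record(a, s) for a, s in [
    ("192.168.1.87", "0xC0000133"), ("192.168.1.32", "0xC0000133"),
    ("192.168.1.87", "0xC0000133"), ("192.0.2.10", "0xC000006A")])

if __name__ == "__main__":
    for addr, n in sorted(clock_skew_sources(parse_events(SAMPLE)).items()):
        print(f"{addr}: {n} x {status_name(0xC0000133)}, compare its clock with the DC")
```

Records with any other substatus are left out of the count, so a wrong-password failure is not mistaken for a time problem.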
