Thank you for posting here.

According to your description, I understand that you received this event
error "Security, 537" in the SBS 2003 Server. If I have misunderstood the
problem, please don't hesitate to let me know.

Based on my research, please kindly check the following information:

1. Firstly, I would like to confirm that the Source Network Addresses
"192.168.1.87, 192.168.1.32, 192.168.1.30" are the IP addresses of the
Windows XP clients that are in your network.

Because the Windows XP computer tries to use Kerberos authentication before
using NTLM authentication, the computer tries to contact the SBS 2003
domain controller by using Kerberos. A logon type of 3 translates to
Network. The substatus code: 0xc0000133 translates to
STATUS_TIME_DIFFERENCE_AT_DC. Therefore, according to this information, I
suspect that the client is failing to authenticate to the domain controller
because there is a time difference (greater than 5 minutes) between the two
computers. Thus, the Kerberos authentication fails as it is unable to pass
the time verification.

So, please log into the Windows XP client and double check to make sure that
the time, date, and year are the same as those on the Windows 2003 domain
controller. Please notice that they may be in different time zones.
Otherwise, you can configure the time service on the XP Professional to
synchronize time from the server. By default, the DC is the time server and
it has this service enabled. Refer to the following article.

314054 How to Configure an Authoritative Time Server in Windows XP

In addition, I also suggest that you check if the Time service on the SBS 2k3
server is disabled. If it is disabled, please also refer to the following

   1. Go to the SBS 2003 server, check the time zone setting. Make sure the
      time zone setting is correct.

   2. Open 'Services' console in 'Administrative Tools'. In the services
      console, double-click 'Windows Time'. If the startup type is 'Disabled',
      please change it to 'Automatic' and then click 'Start' button to start this

   3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
      Enter. In the Registry Editor, navigate to the following key:

      In the right panel, double-click 'Type'. If the value data is 'NoSync',
      change it to 'Nt5DS'. Go to services console, restart the Windows Time

   4. After doing the above steps, reboot the client workstations
      [192.168.1.87] and then try to log on to the domain. If the problem still
      occurs, please open a command prompt on the workstation, type 'w32tm
      /monitor /computers:localhost' (without the quotation marks) and press
      Enter. What's the output?

2. If the issue persists, please kindly refer to the following KB article
to force Kerberos to use TCP instead of UDP, and then check if the issue
can be reproduced.

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in
Windows XP, and in Windows 2000

3. If the problem still happens, follow the steps in Q262177 to turn on
Kerberos event logging. Restart the computer. If you get one 537 event
logged, please run the MPSReport utility and send the output CAB file to me
at firstname.lastname@example.org. The MPSReport utility is available at:

Related Knowledge Base articles:

262177 HOW TO: Enable Kerberos Event Logging
Overview of the Microsoft Configuration Capture Utility (MPS_REPORTS)

I'm looking forward to hearing from you.

Microsoft Online Newsgroup Support
This posting is provided "AS IS" with no warranties, and confers no rights.
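
As an added example (not part of the original post and not a Microsoft tool): a small Python triage script that parses the text of exported 537 events, decodes the substatus code, and lists which source addresses are failing because of a time difference with the domain controller. The field layout of the constructed sample and the names `parse_events` and `clock_skew_clients` are assumptions.

```python
import re
from collections import Counter

# NTSTATUS sub-status values seen on logon failures; the post's case is 0xC0000133.
SUBSTATUS = {
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}
LOGON_TYPES = {2: "Interactive", 3: "Network"}
FIELD = re.compile(
    r"^\s*(Logon Type|Substatus code|Source Network Address):\s*(\S+)", re.I | re.M)

# Constructed sample events, blank-line separated; the field layout is an assumption.
SAMPLE = """\
Logon Type: 3
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 192.168.1.87

Logon Type: 3
Substatus code: 0xc0000133
Source Network Address: 192.168.1.32

Logon Type: 3
Substatus code: 0xC000006A
Source Network Address: 192.168.1.30
"""

def parse_events(text):
    """Return one dict per event block that carries a sub-status code."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.lower(): v for k, v in FIELD.findall(block)}
        if "substatus code" not in fields:
            continue  # not a logon-failure description we can classify
        code = int(fields["substatus code"], 16)
        events.append({
            "address": fields.get("source network address", "-"),
            "logon_type": LOGON_TYPES.get(int(fields.get("logon type", 0)), "Unknown"),
            "substatus": SUBSTATUS.get(code, f"0x{code:08X}"),
        })
    return events

def clock_skew_clients(events):
    """Count failures per client caused by a time difference with the DC."""
    return dict(Counter(e["address"] for e in events
                        if e["substatus"] == "STATUS_TIME_DIFFERENCE_AT_DC"))

if __name__ == "__main__":
    print(clock_skew_clients(parse_events(SAMPLE)))
```

Addresses that appear in the result are the workstations whose clocks should be compared against the domain controller first; failures with any other substatus need a different line of investigation.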