Windows Server - Event ID 537 - NTLM logon errors on SBS 2003

Asked By Simon on 06-Nov-09 04:16 AM
Hi,

I get hundreds of event ID 537 entries during daytime in the security log of our
SBS Server 2003 (German version) with the status code 0x80090308 and
substatus code 0x0. A search with Google gave me some hints that this
problem could be related to Trend Micro Worry Free Business Security 6.0.
The solutions provided did not help yet. I did a fresh install of the Trend
WFBS 6.0 last weekend without success. Could you please help me with how I could
pinpoint the workstation and the service causing the problem? The event log
does not show which workstation or service is causing the failed login. I am
not even sure if Trend Micro is the real problem.

A virus should not be the source of the problem. We did a scan of every
workstation with third-party antivirus software, just to exclude it. The
problem starts during daytime, when the employees start to work, and ends in
the evening. So I concluded the problem might be a workstation. The error
repeats itself every few minutes in bursts of, say, 5 to 6 attempts. This
gives me about 7'000 entries in the security log a day.

Any hints on how to pinpoint the culprit workstation and service will be highly
appreciated.

Regards
Simon



Ereignistyp: Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 537
Datum:  06.11.2009
Zeit:  08:27:49
Benutzer:  NT-AUTORITÄT\SYSTEM
Computer: SERVER
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund:  Während der Anmeldung ist ein Fehler aufgetreten.
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: 
Authentifizierungspaket: NTLM
Name der Arbeitsstation:
Statuscode: 0x80090308
Substatuscode: 0x0
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: -
Quellport: -


Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter
http://go.microsoft.com/fwlink/events.asp.




v-robme replied on 09-Nov-09 04:03 AM
Hello Simon,

Thanks for your post.

Based on research of the error messages, this issue may be caused by many factors, such as duplicate client NetBIOS names or a 3rd party application's improper logon, etc. I suggest we try the following methods to narrow down the issue:

First of all, please let me know:

1. When did the issue begin to occur? Have you installed or configured any software/hardware recently that may have caused this issue?
2. Did it occur when the SBS server was logging on to the Windows system, or does it occur when you run a certain program?
3. Have you tried re-running the CEICW wizard on the SBS server? If not, please give it a try and let me know if there is any error.

I would like you to temporarily disable all Trend Micro programs and related services for test purposes. Thanks for your understanding. Meanwhile, please have a look at the following link, and you may consider contacting Trend Micro to see whether they have any solutions available. Thanks.

SBS - Event ID 537 NTLM Logon Errors - 0x80090308 and Trend
http://blog.mpecsinc.ca/2008/10/sbs-event-id-537-ntlm-logon-errors.html

Also, the HP monitoring software may also cause this Event 537 error; please check whether you have it installed on the SBS server.

If the issue still occurs, let us try a Clean Boot to see if the issue persists in Clean Boot mode.

A Clean Boot will allow us to isolate any device drivers or programs that are loading at startup and that may be causing a conflict with other device drivers or programs that are installed on your computer.

1) Run MSCONFIG.EXE. (MSCONFIG is a built-in tool for Windows XP\2003 systems.)
2) In the Services tab, click "Hide All Microsoft Services" and click "Disable All".
3) In the Startup tab, click "Disable All". Click OK. (This will temporarily prevent third-party programs from running automatically during start-up.)
4) Restart the computer. Does the problem still persist now?

Please test this issue in the Clean Boot environment. If the issue disappears in the Clean Boot environment, we can use a 50/50 approach to quickly narrow down which entry is causing the issue.

If we cannot resolve the issue after we perform the above steps, please help me collect some information for further investigation:

Information Needed
==============
MPS report for Network:

1. Please download a tool from the following link:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

2. Double-click the downloaded EXE file to collect the MPS report.
3. Please send the generated CAB file to me at: v-robbmen@microsoft.com.

More information:
http://www.winvistatips.com/re-event-id-537-security-log-sbs-2003-r2-t672267.html


Hope this helps. Also, if you have any questions or concerns, please do not hesitate to let me know.

Best regards,
Robbin Meng (MSFT)
Microsoft Online Newsgroup Support

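An added example, not part of either post: because the 537 events in the question carry no workstation name or source address, this Python sketch parses a text export of the security log in the layout quoted above and groups the 0x80090308 failures into bursts, so that burst times can be lined up against tests such as the disable-and-retest steps suggested in the reply. The text-export input, the 60-second gap, the sample events and the name PC-EXAMPLE are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

def _sample_event(time_str, event_id="537", workstation=""):
    # Constructed event in the layout quoted in the question (abridged).
    return ("Ereignistyp: Fehlerüberw.\nEreigniskennung: %s\nDatum:  06.11.2009\n"
            "Zeit:  %s\nAuthentifizierungspaket: NTLM\nName der Arbeitsstation: %s\n"
            "Statuscode: 0x80090308\nQuellnetzwerkadresse: -\n\n"
            % (event_id, time_str, workstation))

# Constructed sample: two bursts of 537 failures plus one unrelated event (540).
_TIMES = ("08:27:49", "08:27:49", "08:27:50", "08:27:50", "08:27:51",
          "08:32:50", "08:32:50", "08:32:51", "08:32:51", "08:32:52")
SAMPLE_LOG = ("".join(_sample_event(t) for t in _TIMES)
              + _sample_event("08:30:00", event_id="540")
              + _sample_event("08:32:52", workstation="PC-EXAMPLE"))

FIELD = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.MULTILINE)
EMPTY = ("", "-")

def parse_events(text):
    """Return one dict of fields per event, with a parsed 'when' timestamp."""
    events = []
    for chunk in text.split("Ereignistyp:")[1:]:
        f = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if {"Ereigniskennung", "Datum", "Zeit"} <= f.keys():
            f["when"] = datetime.strptime(f["Datum"] + " " + f["Zeit"], "%d.%m.%Y %H:%M:%S")
            events.append(f)
    return events

def find_bursts(text, status="0x80090308", max_gap=timedelta(seconds=60)):
    """Group 537 failures with this status into bursts; also return events naming a source."""
    hits = sorted((e for e in parse_events(text) if e["Ereigniskennung"] == "537"
                   and e.get("Statuscode", "").lower() == status), key=lambda e: e["when"])
    bursts = []
    for e in hits:
        if bursts and e["when"] - bursts[-1][-1] <= max_gap:
            bursts[-1].append(e["when"])   # still inside the current burst
        else:
            bursts.append([e["when"]])     # gap exceeded: a new burst starts
    # Events with a workstation name or source address are the only direct leads.
    leads = [e for e in hits if e.get("Name der Arbeitsstation", "") not in EMPTY
             or e.get("Quellnetzwerkadresse", "") not in EMPTY]
    return bursts, leads

def burst_summary(bursts):
    """(start time, event count, seconds since previous burst start) per burst."""
    return [(b[0].strftime("%H:%M:%S"), len(b),
             int((b[0] - bursts[i - 1][0]).total_seconds()) if i else None)
            for i, b in enumerate(bursts)]
```

A steady interval between burst starts points to a scheduled or polling process rather than interactive logons, and a burst pattern that stops when one machine or service is switched off identifies the source.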