Kerberos Security Error 537 on log off
Theo
day. The Event logs shows:"Security Event ID 537 - Date - Time and the
number of occurrences that run around 15,000 to 16,000.
The reason is shown as "An error occurred during logon" it identifies the
user (not always the same one) and the domain. Shows the logon type as 3,
logon process and authentication both as Kerberos. The Status codes is
0xC00002EE and the substatus code as 0x0.
This only happens to one user each day but it is not always the same one
although it does not appear to be completely random since only one or two
users appear in the event log.
Any suggestions most welcome.
Theo
Jenny wu [MSFT]
Thank you for your posting.
According to your post, I understand that you found Security logon failure
537 recorded in SBS event viewer. If I am off-base on that, please let me
know.
In the EVENT log, "Logon Type: 3" means that it is a network logon.
"Status code: 0xC00002EE" indicsates a STATUS_UNFINISHED_CONTEXT_DELETED.
It means that a security context was deleted before the context was
completed. This is considered a logon failure.
Based on my experience, there are problems that will generate this error
message:
1. If there is firewall application installed
2. Windows Time is not synchronized.
3. There are applications from client computers trying to logon by
incorrect accounts and password.
I. For Firewall, please check the SBS Server and the client computers from
which the two affected user logs on to make sure that there is no firewall
application installed.
II. For logon by incorrect accounts and password, please open Active
Directory users and Computers or open the Server Management, please let me
know if the affected user account is disabled.
III. For Windows Time issue, I suggest that you do the following:
1. Please go to the workstation which the 537 events complain and run the
following command:
net time
2. Check if the workstation is syncing time with the SBS 2003 server and if
not, run the following command:
net time /setsntp:<SBS_Server_Name>
NOTE: Replace <SBS_Server_Name> with the real server name of the SBS 2003
server.
3. Run the following command and check if the event does not occur
complaining this workstation:
w32tm /resync
In addition, please perform the following steps on your SBS 2003 server:
1. Check the time zone setting. Make sure the time zone setting is correct.
2. Make sure the Windows Time Service's startup is set as 'Automatic'.
3. Start-->Run-->Type 'regedit' (without the quotation marks) and press
Enter. In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
In the right panel, double-click 'Type'. If the value data is 'NoSync',
change it to 'Nt5DS'. Go to services console and restart the Windows Time
service.
4. After doing the above steps, reboot the client workstations and then try
to logon the domain. If the problem still occurs, please open a command
prompt on the workstation the event 537 complains, type 'w32tm /monitor
/computers:localhost' (without the quotation marks) and press Enter. What's
the output?
If the issue persists, please try the following suggestions to
troubleshooting the issue:
Suggestion One:
1. Go to PGARBODEN's computer, click Start -> Run, type MSCONFIG and click
OK.
2. Go to Services tab, click to Hide All Microsoft Services, click the
Disable All button.
3. Go to Startup tab, click the Disable All button.
4. Restart the client computer, check again to see if there are new failure
audit 537 events registered for PGARBODEN.
If the issue still exists, please go to Suggestion two.
Suggestion Two:
1. Start -> Administrative Tools -> Group Policy Management
2. Expand Domains -> Your Domain
3. Right click the Small Business Server Windows Firewall and click Edit
4. Computer configuration>Administrative templates>Network>Network
connections> Windows Firewall> Domain Profile;
5. In "Windows Firewall: Protect all network connections" should be set to
'Disable'
6. Run Gpupdate /force on your XP client
7. Logon and logoff your client and test your issue again.
NOTE: If the Windows XP computer has not SP2 applied, you need to check the
"small business server Internet connection firewall" policy.
If the issue still exists, please go to Suggestion three.
Suggestion Three:
Install the following update on the SBS Server:
898060 Installing security update MS05-019 or Windows Server 2003 Service
Pack http://support.microsoft.com/?id=898060
If the issue still exists after you applied the update Q898060, please go
to Suggestion four.
Suggestion Four:
1. Backup the client's documents.
2. Remove the computer from SBS Domain by right click My Computers, select
Properties, go to Computer Name tab, click Change button, select the option
of Workgroup and input the workgroup name, then click OK to disjoin the
computer to a workgroup.
3. In the Server Management\Client Computers, select the computer account;
click "Remove Computer from Network".
4. Go to Server Management\Users, delete the user account. Create a new
user account with the same account name.
5. Restart the client computer, then join the SBS domain by
http://sbsserver/connectcomputer page.
Then check again to see if the issue is fixed.
====================
If the issue still exists, please do the following:
1. Please save a text copy of the security log:
A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
Event Viewer.
B. Right-click on Security log and select "Save Log File As?".
2. Please help to collect the Kerberos list from the SBS server. Please
refer to the following command
Klist tickets > c:\klist.txt
Please follow the steps below to collect the information:
A. Install The Microsoft? Windows? Server 2003 Resource Kit Tools on the
SBS server. The Resource Kit Tool can be downloaded from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9d46
7a69-57ff-4ae7-96ee-b18c4790cffd
B. Then run the command: Klist tickets > c:\klist.txt command in command
line
3. Please help to collect the Kerberos event log. Please follow below steps
to do:
Use the problematic user account to logon some client PC and run the
command: "set "(no quotation included) in the command line.
Find authentication server in the output information.
C. Collect Kerberos event log in the authentication server. Please follow
the steps to enable Kerberos Event Log:
Enabling Kerberos Event Logging on a Specific Computer
------------------------------------------------------
a. Start Registry Editor.
b. Add the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value:
LogLevel
Value Type:
REG_DWORD
Value Data:
0x1
If the Parameters subkey does not exist, create it.
*Note: Remove this registry value when it is no longer needed so that
performance is not degraded on the computer.
Also, you can remove this registry value to disable Kerberos event logging
on a specific computer.
c. Quit Registry Editor, and then restart the computer.
You can find any Kerberos-related events in the system log.
-------------------------------------------------------
You can refer to the following KB article to get detail info:
262177 How to enable Kerberos event logging
http://support.microsoft.com/?id=262177
Please save all the files to a ZIP file and send it to me for analysis. My
mail address: v-ya...@microsoft.com.
Have a nice day!
Best Regards,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Theo" <th...@makingitwork.nospam.co.uk>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Kerberos Security Error 537 on log off
>Date: Tue, 13 Sep 2005 10:24:13 +0100
>Lines: 14
>Message-ID: <dg65rr$clg$1$830f...@news.demon.co.uk>
>NNTP-Posting-Host: mitw2.demon.co.uk
>X-Trace: news.demon.co.uk 1126603452 12976 80.177.98.243 (13 Sep 2005
09:24:12 GMT)
>X-Complaints-To: ab...@demon.net
>NNTP-Posting-Date: Tue, 13 Sep 2005 09:24:12 +0000 (UTC)
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>X-Priority: 3
>X-RFC2646: Format=Flowed; Original
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>X-MSMail-Priority: Normal
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!newsfeed.gamma.ru!Gamma.RU!colt.net!peer-uk.news.demon.net!kibo.news.d
emon.net!news.demon.co.uk!demon!not-for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:152852
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Theo
I will check out the points you suggest in the next few days and report
back - From your points I suspect its a time issue which had just not
occurred to me but I will check them all.
Thanks
Theo
""Jenny wu [MSFT]"" <v-ya...@online.microsoft.com> wrote in message
news:oaMFvfb...@TK2MSFTNGXA01.phx.gbl...
Jenny Wu (MSFT)
Thanks for your update! I appreciate your time and efforts to perform test.
If you have any further concern on the issue please feel free to let me
know. I am looking forward to your reply and glad to be assistance of you!
Have a nice weekend!
Best Regards,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
"Theo" <th...@makingitwork.nospam.co.uk> wrote in message
news:dgba14$lg9$1$8300...@news.demon.co.uk...
Jenny wu [MSFT]
Thanks for your update by mail! Ok, I will wait for you. If there is
anything unclear with my previous reply, please do not hesitate to let me
know. I am always happy to be assistance of you!
Theo
The PC was set to take its time from a different source so I have changed it
to the SBS server but the PC also had a steam of DCOM errors in the system
event log to the effect that it was unable to communicate with another
workstation using any of the configured protocols. On investigation I think
this is due to an HP personal laser installation which is causing one
workstation to try to communicate with the one that has the printer
installed and that perhaps it is this that is causing the Kerberos error.
I'll see what today (first working day after the change to w32tm) shows and
report back.
Regardsnews:jqxlsLl...@TK2MSFTNGXA01.phx.gbl...
Jenny wu [MSFT]
Thanks for your update! I appreciate your time and efforts to the issue. I
am currently standing by for your test result. If you have any further
concern or question on the issue please feel free to let me know and I am
always happy to be of further assistance.
Have a nice day!
Best Regards,
--------------------
>From: "Theo" <th...@makingitwork.nospam.co.uk>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Re: Kerberos Security Error 537 on log off
>Date: Mon, 26 Sep 2005 08:55:25 +0100
>Lines: 57
>Message-ID: <dh89hd$2ei$1$8300...@news.demon.co.uk>
>References: <dg65rr$clg$1$830f...@news.demon.co.uk>
<oaMFvfb...@TK2MSFTNGXA01.phx.gbl>
<dgba14$lg9$1$8300...@news.demon.co.uk>
<uoVSBKvu...@TK2MSFTNGP14.phx.gbl>
<jqxlsLl...@TK2MSFTNGXA01.phx.gbl>
>NNTP-Posting-Host: mitw2.demon.co.uk
>X-Trace: news.demon.co.uk 1127721325 2514 80.177.98.243 (26 Sep 2005
07:55:25 GMT)
>X-Complaints-To: ab...@demon.net
>NNTP-Posting-Date: Mon, 26 Sep 2005 07:55:25 +0000 (UTC)
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>X-Priority: 3
>X-RFC2646: Format=Flowed; Original
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>X-MSMail-Priority: Normal
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!peer-uk.news.demon.net!kibo.news.demon.net!news.demon.co.uk!demon!not-
for-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:156426
>X-Tomcat-NG: microsoft.public.windows.server.sbs
Theo
Sorry for the delay but I wanted to check the results - correcting the time
and deleting the (wrongly installed) HP personal laser has eliminated the
Kerberos error in respect of one PC. I will be on site on Thursday and make
the same changes to one other PC and that should do it. I will report back
soon.
Regards
Theo
""Jenny wu [MSFT]"" <v-ya...@online.microsoft.com> wrote in message
news:jqxlsLl...@TK2MSFTNGXA01.phx.gbl...
Charles Yang [MSFT]
I am Charles who is the backup for Jenny, currently jenny is leave.
I understand that you need to test on Thursday. I will be here waiting for
your updates.
Thanks for your efforts.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Theo" <th...@makingitwork.nospam.co.uk>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Kerberos Security Error 537 on log off
| Date: Mon, 3 Oct 2005 16:58:13 +0100
| Lines: 57
| Message-ID: <dhrkel$bhm$1$830f...@news.demon.co.uk>
| References: <dg65rr$clg$1$830f...@news.demon.co.uk>
<oaMFvfb...@TK2MSFTNGXA01.phx.gbl>
<dgba14$lg9$1$8300...@news.demon.co.uk>
<uoVSBKvu...@TK2MSFTNGP14.phx.gbl>
<jqxlsLl...@TK2MSFTNGXA01.phx.gbl>
| NNTP-Posting-Host: mitw2.demon.co.uk
| X-Trace: news.demon.co.uk 1128355094 11830 80.177.98.243 (3 Oct 2005
15:58:14 GMT)
| X-Complaints-To: ab...@demon.net
| NNTP-Posting-Date: Mon, 3 Oct 2005 15:58:14 +0000 (UTC)
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
| X-Priority: 3
| X-RFC2646: Format=Flowed; Original
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
| X-MSMail-Priority: Normal
| Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!newshub.sdsu.edu!newsfeed.news2me.com!newsfeed2.easynews.com!newsfeed1
.easynews.com!easynews.com!easynews!news.he.net!xara.net!gxn.net!194.159.246
.34.MISMATCH!peer-uk.news.demon.net!kibo.news.demon.net!news.demon.co.uk!dem
on!not-for-mail
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:158252
| X-Tomcat-NG: microsoft.public.windows.server.sbs