After Installing Service Pack 1 on SBS 2003 Server I am getting the
following System error among others in the event viewer :
There were password errors using the Credential Manager. To remedy, launch
the Stored User Names and Passwords control panel applet, and reenter the
password for the credential INSTANTSEARCH\wajid.
I think this is related to the following entry in the security log:
Security 537 9/15/2005 08:59 9 *
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.33
Source Port: 4842
Please can you help to resolve this error.
--
Thanks.
Waj Shah
Welcome to SBS newsgroup.
According to your post, I understand that you are receiving EVENT ID 537 log
and after you enabled the Kerberos logging, you got Kerberos event message.
If I am off-base please let me know.
Generally speaking, status code 0xC000006D means STATUS_LOGON_FAILURE ("the
attempted logon is invalid. This is either due to a bad username or
authentication information"), and status code 0xC0000133 means
STATUS_TIME_DIFFERENCE_AT_DC. The problem could be caused by a
time difference (greater than 5 minutes) between the two computers. Can you
log on to the domain from this workstation, or can you access the network shares
from this workstation? Please go to the workstations and check the time
settings. If you can successfully log on to the domain from the workstations
and access the network resources, you can ignore this 537 event message.
At your convenience, I would like to suggest you go to the SBS 2003 server
and check the time service status. Open the ''Services'' console in
''Administrative Tools''. Double-click the ''Windows Time'' service. If the time
service is disabled, please follow the steps below to start the service:
1. Open the Services console in ''Administrative Tools''.
2. Double-click the Windows Time service. Change the startup type from
Disabled to Automatic.
3. Open Registry Editor (regedit); navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\
Double-click the ''Type'' value in the right panel. Change the value data
from NoSync to NT5DS.
4. Go to the service console, double-click the Windows Time service
and click ''Start'' button to start the service.
5. Check the settings on the firewall. (router or ISA firewall) Make
sure that outgoing UDP 123 port request is allowed. The SBS server will use
this port to synchronize the time with an external time source (on the
Internet).
6. This problem can also occur if the Time service is not started on
the client computers or the clients are pointing to the wrong time server
for sync. By default, it should be the SBS 2K3 server.
For a Windows XP computer, you should run the following at a command prompt:
w32tm /monitor /computers:localhost
ex. C:\>w32tm /monitor /computers:localhost
localhost [127.0.0.1]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from local clock
RefID: ntdev-dc-10.ntdev.microsoft.com [x.x.x.x]
The computer returned on the RefID line is the time server with whom the
client is synchronizing its time.
For a Windows 2000 computer you should run the following at a command
prompt:
w32tm -v -once
ex. C:\> w32tm -v -once
In the output, search for the following lines:
BEGIN: GetSocketForSynch
NTP: ntpptrs [0] - <ip address>
PORT pinging to -123
Connecting to "\\<fqdn>" (ip address)
The "Connecting to" line gives you fully qualified domain name and ip
address of the SBS server that is providing time synchronization. It also
provides the port (123) that the Windows Time Service is utilizing.
More info:
314054 How to Configure an Authoritative Time Server in Windows XP
http://support.microsoft.com/?id=314054
I hope the above information is helpful. If you have any further concerns, please
let me know. I am glad to help with any further updates.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
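The triage described in the reply above, as an added example that is not part of the original thread: it decodes the status and substatus codes of an event 537 description and checks `w32tm /monitor` output against the 5-minute tolerance. The host name `sbs01.example.local`, its address and the offset in the monitor sample are constructed.

```python
import re

# NTSTATUS names from ntstatus.h; the first and last are the pair in the post.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}
MAX_SKEW_SECONDS = 300  # the 5-minute tolerance mentioned in the reply

# Event text as posted in the thread (blank fields dropped).
EVENT_537 = """Logon Failure:
Reason: An error occurred during logon
Logon Type: 3
Authentication Package: Kerberos
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.0.0.33"""

# Constructed w32tm /monitor output: hypothetical host name, address and offset.
MONITOR_OUT = """localhost [127.0.0.1]:
ICMP: 0ms delay.
NTP: -412.5300000s offset from local clock
RefID: sbs01.example.local [192.0.2.10]"""

def status_name(code):
    return NTSTATUS.get(code, "unknown 0x%08X" % code)

def triage_537(text):
    """Return (status, substatus, source address, clock-skew flag) for one event."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    status = int(fields["Status code"], 16)
    sub = int(fields["Substatus code"], 16)
    return (status_name(status), status_name(sub),
            fields.get("Source Network Address"), sub == 0xC0000133)

def monitor_skew(output):
    """Return (offset seconds, RefID host, exceeds tolerance), or None if no NTP line."""
    off = re.search(r"NTP:\s*([+-]?\d+(?:\.\d+)?)s offset", output)
    ref = re.search(r"RefID:\s*(\S+)", output)
    if not off:
        return None
    seconds = float(off.group(1))
    return seconds, ref.group(1) if ref else None, abs(seconds) > MAX_SKEW_SECONDS
```

When the clock-skew flag is set, the source address in the event identifies the machine whose time settings to check first.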
"Waj" <W...@discussions.microsoft.com> wrote in message
news:94A16F40-04E8-498A...@microsoft.com...
Thanks for your instructions - I have followed your steps up to step 3.
However, when I try to start the Windows Time Service from the service console
I am getting the following error window:
"Could not start the Windows Time Service on Local Computer. ERROR 1792: An
attempt was made to logon, but the network logon service was not started."
Regards
Waj Shah
Thanks for updates.
Personally, this issue is by design. The account used to start the Windows Time
service was "localsystem" before you installed win2k3 SP1; however, win2k3
SP1 has changed the startup account to "local service" for security
reasons. The Local Service account has not been granted "Change the system time"
permissions. Windows Server 2003 SP1 changes the startup configuration of
the Windows Time service from LocalSystem to LocalService. Therefore, the
startup account that the Windows Time service uses must have "Change the
system time" permissions.
By default, the LocalService account is not a member of the Administrators
group and does not have "Change the system time" permissions. Therefore,
the Windows Time service does not start, and event 7023 is logged in the
System log. More details are given in the article below:
The Windows Time service may generate event ID 7023 after you upgrade to
Windows Server 2003 Service Pack 1
http://support.microsoft.com/?kbid=892501&SD=tech
With regard to the command line to view the account permissions, I suggest
you take a look at the command-line tool called svcacls, which can grant user
rights to start and stop individual services. I extracted the following usage
information from the Help information of svcacls:
Usage Examples
==============
svcacls
    (gives help)
svcacls browser
    (lists permissions on the browser service on the local machine)
svcacls \\computername\browser
    (lists permissions on the browser service on machine computername)
svcacls browser g:username:rx
    (grants the Read and Execute permissions for user username on the
    browser service, adding to the user's current permissions)
svcacls browser s:username:rx
    (sets permissions for user username to Read and Execute on the browser
    service, replacing the user's current permissions)
svcacls browser r:username
    (revokes user username's permissions on the browser service on the
    local machine)
svcacls browser d:username
    (explicitly denies access to user username on the browser service)
You can use generic permissions (R, W, X, F) or specific permissions.
You can chain several commands on one line:
svcacls browser r:username g:username:riu
For more details, please refer to the following article:
325349 HOW TO: Grant Users Rights to Manage Services in Windows Server 2003
http://support.microsoft.com/?id=325349
I hope the above information is helpful. If you have any further concerns,
please feel free to let me know. I will be here waiting for your updates.
Best regards,
Charles Yang (MSFT)
Get Secure! - www.microsoft.com/security
--------------------
| From: Waj <W...@discussions.microsoft.com>
| Subject: Re: Critical Errors in Security Log
| Date: Fri, 16 Sep 2005 02:28:08 -0700
The w32Time issue has been resolved, thanks for your help.
There is another problem in the Event viewer as follows:
In the Application log there is the following Error:
Source: Userenv
Event: 1030
"Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this."
which I think are in relation to the following entries in the System event
Log:
Source:LsaSrv
Category:SPNEGO(Negotiator)
Event:40960
"The Security System detected an authentication error for the server
ldap/bruce.InstantSearch.local/InstantSe...@InstantSearch.local. The
failure code from authentication protocol Kerberos was "The attempted logon
is invalid. This is either due to a bad username or authentication
information.
(0xc000006d)"."
Also the following
Source: Kerberos
Event:14
"There were password errors using the Credential Manager. To remedy, launch
the Stored User Names and Passwords control panel applet, and reenter the
password for the credential INSTANTSEARCH\wajid."
Can you help?
--
Thanks.
Waj Shah
Thanks for letting us know that my solution works for one of the problems.
Error 1030 means that the group policy was not successfully applied. If only
the 1030 error occurs, you do not need to worry about it; it relates to the cached
credential on your computer. You can refer to my steps below to clean it.
This does not relate to the 40690 error:
I. You can configure this security setting by opening the appropriate
policy and expanding the console tree as such:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Network access: Do not allow storage of credentials or .NET Passports for
network authentication
II. Following Registry value removes the "Remember My Password" option from
all prompts for authentication:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value Name: disabledomaincreds
Value Type: REG_DWORD
Values: 0 = allow domain credentials to be stored
1 = do not store domain credentials
Set the disabledomaincreds value to "0" to restore the "Remember My
Password" checkbox on the prompt for authentication.
III. Set Kerberos to use TCP
244474 How to force Kerberos to use TCP instead of UDP in Windows Server
2003,
http://support.microsoft.com/?id=244474
Steps #1 and #2 that I introduced in my last reply are both used to delete
the stored credential. Step #1 could be applied to a group policy that
covers the SBS server, such as the domain controller policy, and you will find the
policy below:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\Network access: Do not allow storage of
credentials or .NET Passports for network authentication
Step #2 uses the registry key. "0" is the default value. When
you set this key to 1 to purge the original credential and clear the store,
restart the machine.
If you do not want to use the above steps, you could use the following way to
delete the cached credential directly.
1. On the SBS server open control panel
2. Open 'Stored User Names and Passwords'
3. Remove all entries in the list, as the problem could be caused by the
incorrect credential cached here.
If the problem cannot be resolved, we may need to set Kerberos to
TCP only, for the following reasons.
The Windows Kerberos authentication package is the default authentication
package in Microsoft Windows Server 2003. By default, the maximum size of
datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes.
Depending on a variety of factors including security identifier (SID)
history and group membership, some accounts will have larger Kerberos
authentication packet sizes. Depending on hardware of your SBS network,
these larger packets may have to be fragmented when going through. The
problem is caused by fragmentation of these large UDP Kerberos packets.
Because UDP is a connectionless protocol, fragmented UDP packets will be
dropped if they arrive at the destination out of order.
This issue could then occur when you log on to the SBS server remotely,
and the UDP package is dropped in this situation. So, we could set
Kerberos to use TCP only, as Kerberos is designed to work under both UDP
and TCP.
As for the error where you could not edit group policy, it should relate to
updates you have not applied; please refer to my suggestion below (this
should be the article that refers to your issue):
839499 You cannot open file shares or Group Policy snap-ins when you disable
http://support.microsoft.com/?id=839499
I hope the above information is helpful. I am glad to help you.
Best regards,
Charles Yang (MSFT)
Get Secure! - www.microsoft.com/security
| From: Waj <W...@discussions.microsoft.com>
| Subject: Re: Critical Errors in Security Log
| Date: Thu, 22 Sep 2005 05:41:03 -0700
Thanks for your help. The errors have been resolved by deleting the cached
credential directly.
Thanks for updates.
I am glad to hear that you have resolved the problem by following my
suggestions. Please feel free here.
Have a nice day!
Best regards,
Charles Yang (MSFT)
Get Secure! - www.microsoft.com/security
| From: Waj <W...@discussions.microsoft.com>
| Subject: Re: Critical Errors in Security Log
| Date: Fri, 23 Sep 2005 04:33:03 -0700