I am getting error Unknown user name or bad password in security event log for SharePoint web application. We are using admin account for app pool and using NTLM Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 5/1/2012 Time: 9:29:22 AM User: NT AUTHORITY\SYSTEM Computer: MachineName Description: Logon Failure: Reason: Unknown user name or bad password User Name: IUSR_Machinename Domain: Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: MachineName Caller User Name: adminaccount Caller Domain: companydomain Caller Logon ID: (0x0,0x1B1C4) Caller Process ID: 3688 Transited Services: - Source Network Address: - Source Port: - I tried run with Admin scripts and i Any help really appreciated. Sharepoint Analyst/Developer Pritesh Dhameliya

Hi PriteshPatel357 The Logon Process Name ADVAPI indicates that API LogonUser/LogonUserEx is called. ADVAPI is the DLL for advanced windows apis and is used in a lot of OS related code. The Logon Type 8 means that a network logon is performed and the password was sent over the network in clear text. So this event means that someone is trying to logon your computer with wrong username and password. Do you ever changed your password and forgot to update it to other computers? You may follow these steps to find out the reason: Find out what Process the id 3688 is You may use WinDBG and attach to the process 3688 Set breakpoint on the API LogonUser entry and dump the Call Stack like this:(you should use public PDB files for DLLs) bp ADVAPI32!LogonUserA "k 100;.time;g" You can find out clue to the logon action by the Call Stack. Such as keyword SMTP_CONNECTION means that someone is login on using SMTP message You may also use TCP tracer(e.g. wireshark) to find out which server is trying to logon. Please refer to these link for more information http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx http://yashcare.blogspot.com/2008/05/solved-account-lockout-issue.html http://blogs.msdn.com/b/spatdsg/archive/2005/12/23/507103.aspx Hope that helps. Thanks, Lambda Zhao TechNet Community Support

it says auth package:negotiate. That is Kerberos. IM not 100% famaliar with these logs but that may be worth checking at least. That would be consistent with your error if you do not have an SPN registered and your web app is failing

Hi Lambda Zhao, This is very useful information. I followed your steps in WinDBG and get error description "CLR exception - code e0434f4d (first chance)". I didn't get solution for this error description. Do you get idea for this error message? Once again thank you for help. Lambda Zhao Wicresoft MSFT CSG 455 Points810 Recent Achievements First Helpful VoteCode Answerer IIForums Answerer II Lambda Zhao's threadsView Profile Sharepoint Analyst/Developer Pritesh Dhameliya

The CLR exception -code e0434f4d just mean that a clr exception was thrown, you should continue the execution. or you can just ignore the first chance exception per this Document. Thanks,Lambda Zhao TechNet Community Support