Unknown user name or bad password for IUSR_machinename
I am getting error Unknown user name or bad password in security event log for SharePoint web application. We are using admin account for app pool and using NTLM
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/1/2012
Time: 9:29:22 AM
User: NT AUTHORITY\SYSTEM
Computer: MachineName
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_Machinename
Domain:
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: MachineName
Caller User Name: adminaccount
Caller Domain: companydomain
Caller Logon ID: (0x0,0x1B1C4)
Caller Process ID: 3688
Transited Services: -
Source Network Address: -
Source Port: -
I tried run with Admin scripts and i
Any help really appreciated.
Sharepoint Analyst/Developer Pritesh Dhameliya
May 1st, 2012 10:29am
Hi PriteshPatel357
The Logon Process Name ADVAPI indicates that API LogonUser/LogonUserEx is called. ADVAPI is the DLL for advanced windows apis and is used in a lot of OS related code.
The Logon Type 8 means that a network logon is performed and the password was sent over the network in clear text.
So this event means that someone is trying to logon your computer with wrong username and password. Do you ever changed your password and forgot to update it to other computers?
You may follow these steps to find out the reason:
Find out what Process the id 3688 is You may use WinDBG and attach to the process 3688 Set breakpoint on the API LogonUser entry and dump the Call Stack like this:(you should use public PDB files for DLLs)
bp ADVAPI32!LogonUserA "k 100;.time;g"
You can find out clue to the logon action by the Call Stack. Such as keyword SMTP_CONNECTION means that someone is login on using SMTP message
You may also use TCP tracer(e.g. wireshark) to find out which server is trying to logon.
Please refer to these link for more information
http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx
http://yashcare.blogspot.com/2008/05/solved-account-lockout-issue.html
http://blogs.msdn.com/b/spatdsg/archive/2005/12/23/507103.aspx
Hope that helps.
Thanks,
Lambda Zhao
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 1st, 2012 11:08pm
it says auth package:negotiate. That is Kerberos. IM not 100% famaliar with these logs but that may be worth checking at least. That would be consistent with your error if you do not have an SPN registered and your web app is failing
May 1st, 2012 11:12pm
Hi Lambda Zhao,
This is very useful information.
I followed your steps in WinDBG and get error description "CLR exception - code e0434f4d (first chance)". I didn't get solution for this error description.
Do you get idea for this error message? Once again thank you for help.
Lambda Zhao
Wicresoft
MSFT CSG
455 Points810
Recent Achievements
First Helpful VoteCode Answerer IIForums Answerer II
Lambda Zhao's threadsView
Profile
Sharepoint Analyst/Developer Pritesh Dhameliya
Free Windows Admin Tool Kit Click here and download it now
May 2nd, 2012 11:12am
The CLR exception -code e0434f4d just mean that a clr exception was thrown, you should continue the execution. or you can just ignore the first chance exception per this Document.
Thanks,Lambda Zhao
TechNet Community Support
May 4th, 2012 5:08am