Multiple Security Events ID's 538 & 540
Hi There,

I am having a bit of an unusual pattern in security authentications. My SCVMM server is having MULTIPLE users authenticating against it at obscure times of the night. They log on and log off within seconds. It seems to be the same 4 users every day. The Kerberos is telling me it is coming from the server directly, but these users have no requirement to be logging on to this server at all, especially at the time it is recording the authentications.

I have thought it may be a shared resource or mapped drive refreshing its connection etc., but there is nothing on this system except for the VM management software. The PID associated with the authentications has also changed. At one stage they were coming from the SVCHOST and more recently have been coming from the VMMSERVICE process.

I have attempted to use Microsoft Network Monitor to capture where the authentications are coming from, but it doesn't capture these authentications. Therefore they are coming from this server.

Can anyone shed any light onto why this is happening and what I can do to troubleshoot/isolate what, why and where this is coming from...

Stay Kewl Play Safe,
KAVO
May 11th, 2009 8:30am

Hi,

What's the version of your server? If it's Windows Server 2003, please try the following hotfix for troubleshooting.

Kerberos Event ID: 529 is logged when you use a local user account to verify security access or group membership on a Windows Server 2003-based Kerberos client
http://support.microsoft.com/kb/890477

Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082

If not, this kind of issue may be caused by scheduled tasks which impersonate the user or malicious software/users. Please help to collect the following information for research.

1. When did the issue start to occur?
2. Are the users regular users of your server?
3. MPS Report for research.
   A. Download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link: (http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en) Please note: The link may be truncated when you read the e-mail. Be sure to include all text between '(' and ')' when navigating to the download location.
   B. Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.
   C. Please type Y with the message of <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?>
   D. When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file.

After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 12th, 2009 9:16am

Sorry Mervyn,

I have just verified the information I originally gave you. The Event IDs are actually 538 & 540. There were 2 instances when I first started investigating this problem where there were 529 and 530. Please let me know if your troubleshooting steps still apply to the problem.

KAVO
May 13th, 2009 3:20am

Hi,

If the event IDs are 538 and 540, they may be caused by third party software, such as antivirus software or a firewall. Let's test in Clean Boot.

1. Click Start, type "msconfig", press Enter.
2. Switch to Services tab, click Hide all Microsoft services, click Disable all.
3. Switch to Startup tab, click Disable All. Click OK.

Restart the server and test. If the events appear again, please help to collect MPS Report for research.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 13th, 2009 9:20am
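
Added example, not part of the thread and not from any poster: one way to narrow down the pattern described above is to pair each event 540 (network logon) with the event 538 (logoff) carrying the same Logon ID, keep only sessions lasting a few seconds, and count them by user, caller process ID, source address and hour. The CSV column layout and every sample row are constructed assumptions; a real Security log export has to be mapped onto these columns first.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export (assumed column names, invented values).
SAMPLE = r"""time,event_id,user,logon_id,logon_type,caller_pid,source
2009-05-11 02:14:03,540,CORP\alice,0x3e7a1,3,1432,-
2009-05-11 02:14:05,538,CORP\alice,0x3e7a1,3,,
2009-05-11 02:14:04,540,CORP\bob,0x3e7b9,3,1432,-
2009-05-11 02:14:06,538,CORP\bob,0x3e7b9,3,,
2009-05-11 09:01:10,540,CORP\admin1,0x4f210,3,620,10.0.0.25
2009-05-11 09:47:32,538,CORP\admin1,0x4f210,3,,
2009-05-12 02:14:02,540,CORP\alice,0x51c04,3,1432,-
2009-05-12 02:14:04,538,CORP\alice,0x51c04,3,,
"""
FMT = "%Y-%m-%d %H:%M:%S"


def short_sessions(text, max_seconds=10):
    """Pair 540 logons with 538 logoffs by Logon ID; return the short ones."""
    open_logons, sessions = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], FMT)
        if row["event_id"] == "540":
            open_logons[row["logon_id"]] = (when, row)
        elif row["event_id"] == "538":
            start = open_logons.pop(row["logon_id"], None)
            if start is None:
                continue  # logoff whose logon lies outside the export
            began, logon = start
            seconds = (when - began).total_seconds()
            if seconds <= max_seconds:
                sessions.append((logon["user"], logon["caller_pid"],
                                 logon["source"], began.hour, seconds))
    return sessions


def summarize(sessions):
    """Count short sessions per (user, caller PID, source, hour of day)."""
    return Counter(s[:4] for s in sessions)


if __name__ == "__main__":
    for key, count in summarize(short_sessions(SAMPLE)).most_common():
        print(count, key)
```

A caller PID that recurs across users at the same hour can then be matched to a running process or scheduled job on the server.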

This topic is archived. No further replies will be accepted.
