Security Log Events generated during RPC calls
Hi,

I have a question regarding the security log events (529, 680, etc.) generated during RPC (remote registry) calls in spite of an existing valid NTLM session.

I am running a process (in the context of User A - a local account on System1) which uses WNetAddConnection2 to set up a session with alternate credentials (User B) on a remote computer (System2). User B is a valid user on System2. I then make calls to RegConnectRegistry/PDH functions, which cause failure audit events 529 and 680 in the security logs of System2 (shown below). The registry and PDH calls, though, succeed (due to the presence of the already established valid NTLM session). There are success audit events 540 and 576 for UserB after the failure events.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 30-06-2009
Time: 4:48:59 PM
User: NT AUTHORITY\SYSTEM
Computer: System2
Description:
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: UserA
    Domain: System1
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: System1
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------------------------------------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 30-06-2009
Time: 4:48:59 PM
User: NT AUTHORITY\SYSTEM
Computer: System2
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: UserA
Source Workstation: System1
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------------------------------------------------------------------------

The events are not logged when System1 is WinXP. I see this happening when System1 is a Win2K3 server (SP1 or SP2).

I would like to understand what is actually happening under the hood, what is causing the security failure audits to be generated, why a logon using UserA is attempted in spite of a valid existing UserB session and why this is seen on a particular OS only.

What I am guessing so far... The RPC call is always made using the security context of the current process. Then the security token obtained from the NTLM session is used - as there cannot be more than one simultaneous session.

Answers, comments, pointers - as well as criticism, as this is my first post - are welcome.

Thanking you in advance,
FQ
June 30th, 2009 3:50pm
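
An added example, not part of the original thread: a Python sketch that parses events in the text layout quoted above and separates type-3 529 failures that are followed by a 540 success for a different account from the same workstation (the sequence the post describes) from failures with no such success. The 540 record, the UserC/System3 record and the five-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: record 1 reuses the post's 529 fields; records 2-3 are made up.
SAMPLE = """\
Event ID: 529
Date: 30-06-2009
Time: 4:48:59 PM
User Name: UserA
Logon Type: 3
Workstation Name: System1
--------
Event ID: 540
Date: 30-06-2009
Time: 4:49:00 PM
User Name: UserB
Logon Type: 3
Workstation Name: System1
--------
Event ID: 529
Date: 30-06-2009
Time: 5:10:12 PM
User Name: UserC
Logon Type: 3
Workstation Name: System3
"""

def parse_events(text):
    """Split on dashed separator lines and read 'Field: value' pairs."""
    events = []
    for chunk in re.split(r"(?m)^-{4,}\s*$", text):
        ev = dict(re.findall(r"(?m)^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", chunk))
        if "Event ID" in ev:
            ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                           "%d-%m-%Y %I:%M:%S %p")
            events.append(ev)
    return events

def triage(events, window=timedelta(seconds=5)):
    """Return (paired, unpaired) lists of (529 failure, matching 540 or None)."""
    paired, unpaired = [], []
    for f in (e for e in events if e["Event ID"] == "529" and e.get("Logon Type") == "3"):
        match = next((s for s in events
                      if s["Event ID"] == "540" and s.get("Logon Type") == "3"
                      and s.get("Workstation Name") == f.get("Workstation Name")
                      and s.get("User Name") != f.get("User Name")
                      and timedelta(0) <= s["when"] - f["when"] <= window), None)
        (paired if match else unpaired).append((f, match))
    return paired, unpaired
```

Failures in the unpaired list are the ones with no explaining success nearby and are the better candidates for follow-up.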

Hi,

The following article may provide some related information.

Error message when you try to make a remote connection to the registry of a Windows-based computer from a Windows Server 2003 SP1-based computer: "Access denied"
http://support.microsoft.com/kb/913327

However, the RegConnectRegistry problem is more a development issue; I suggest that you initiate a new post in the MSDN forum to get further support there. They are the best resource for development-related problems. For your convenience, I have listed the link as follows.

MSDN Forum
http://forums.microsoft.com/MSDN/default.aspx?SiteID=1

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 2nd, 2009 8:38am

Thanks for your reply, I have been through the article you mentioned. But this does not adequately match my problem. I do not get any "Access denied" errors; rather it works fine for me, except for the security audit log entries suggesting otherwise. As per your advice, I have initiated a new discussion on the suggested MSDN forum at http://social.msdn.microsoft.com/Forums/en-US/etw/thread/0eb244e4-1cbb-4425-bae9-75d37534ae40 Thanks once again for pointing me in the right direction.
July 2nd, 2009 12:06pm

This topic is archived. No further replies will be accepted.
