Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 100 Source: W3SVC

The server was unable to logon the Windows NT account '<user name>' due to the following error: <error description>. The data is the error code.
Typically, this event is generated either because the user provides the wrong userid (or the wrong syntax for the domain/user) or the user was not granted the required rights for that type of logon, like "Log on locally" for Web Outlook users.

ME326985 provides information on troubleshooting IIS (and between other this kind of error).

Most common error: "Logon failure: unknown user name or bad password". We have seen this message quite often on public sites that run Microsoft IIS having NTLM Authentication enabled. When an anonymous users connects with Internet Explorer, the browser will try to provide the user's credentials (to authenticate via NTLM). Naturally, the credentials won't match the local accounts so the login would fail generating this error message.

Error: "Unknown username or bad password" and ""The security database contains an internal inconsistency" See ME272206 - This behavior can occur if the Windows NT user account that is configured for Anonymous Logon for the WWW Service is invalid or does not have the right to log on locally to the PDC.

Error" "Unknown user name or bad password." - As per ME170863, this may occur if you delete the Anonymous user account (IUSER_<server name>).

Error: "Logon failure: unknown user name or bad password" - applicable to the Microsoft Mobile Information 2001 Server, could occur if the password for the wireless account has expired, or the User must change password at next logon option is enabled. See ME298190.
- Error: "The referenced account is currently locked out and may not be logged on to" - See ME922730.
- Error: "Logon failure: the user has not been granted the requested logon type at this computer" - You see this error if 'IUSR_Computer' account is disabled. You also see this error, if 'GUESTS' group is disabled on WSUS Server. See ME555457 to solve this problem.
I have explained in detail this problem in article ME555457. Most of the times, it is due to log on failures resulting into account lockouts. Event description gives details about the account and failure reason.
In my case, the ME316685 article helped me solved the problem.
In our case, we denied local login to the Guest group, which contains the IUSR account. Once the IUSR account was taken out of this group, things started working.

ME276157 helped me a lot in troubleshooting this problem.
ME318932 can help with this problem.
This behavior can occur if the Windows NT user account that is configured for “Anonymous Logon” for the WWW Service is invalid or does not have the right to log on locally to the PDC. To resolve this behavior, replace the user account that is configured for “Anonymous Logon” in the WWW Service with a valid Windows NT account that has the right to log on locally to the PDC.
As per Microsoft: "The IUSR_computer and IWAM_computer accounts must be turned on for IIS to function correctly". See ME321448 for more details.

See ME267906 for information on how to set up OWA for UPN logon names.
I had the same problem generated by OWA. I’ve solved the problem disabling the "Anonymous" access to Exchange Virtual Directory.
Error: “This attempt failed with error 0x52e (ERROR_LOGON_FAILURE)” – This indicates that the credentials that were supplied do not have sufficient access rights for connecting to the domain controller. To investigate the problem of failing to find a domain controller, run an equivalent command from the command prompt to confirm the preceding analysis: ”net use \\dcname\ipc$ /u:<domain\user> <password>”
Note. You need to perform the net use if you failed to connect to the domain controller. If you failed to find the domain controller, you should perform: “nltest /dsgetdc” to try to locate the domain controller. If this fails with the same error, a network monitor sniffer trace of the join operation would be helpful in diagnosing the failure. If you receive the error "Failure to create a computer account”, it usually means that either the account already exists or that there are insufficient access rights available to the user who is trying to join.

Check the following Microsoft Knowledge Base Articles for more details: ME253204, ME170863 and ME259534.
The key is to interpret all the data you have. In this case the error code. Choose "Data: Words" in the event and copy the hex number. Then launch the Windows Calculator, change the view to Scientific, switch to Hex and paste the hex number. Switch to Dec to convert it to decimal and Ctrl-C to copy the result. Then use "net helpmsg <paste the code>" at the command line and you will obtain the real reason. Please note that the command "net helpmsg <error code>" returns only network related error numbers translations.
UPN does not work in the default configuration of OWA. The syntax domain\username is required.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.