Event ID: 3 Source: IAS

Description
Access request for user <user id> was discarded.
Fully-Qualified-User-Name = <domain>\<user>
NAS-IP-Address = <ip address>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = <name>
Client-IP-Address = <ip address>
NAS-Port-Type = Virtual
NAS-Port = 2221
Reason-Code = <error code>
Reason = <description>
Comments
 
- Reason code: 5 - See ME946813 for a hotfix applicable to Microsoft Windows Server 2003.
- Reason code: 2 - This behavior will occur if the Windows 2000 IAS server authenticates to a Windows NT 4.0 member RAS or RRAS server in your domain, or a trusted Windows 2000 domain, or the Windows 2000 IAS server authenticates to Windows 2000 remote access server in a Windows NT 4.0 domain that accesses user accounts in a trusted Windows 2000 domain. See "JSI Tip 8721" to solve this problem.
- Reason code: 2 - Verify that the server is part of the RAS and IAS security group in Active Directory. If not, register the computer in Active Directory. IAS needs this in order to read AD users' dial-in properties. To register the computer, choose "Register service in active directory" from the IAS MMC pop-up menu on the top node.
On the server where the error occurs, make sure that “Enable NetBIOS over TCP/IP” (Advanced TCP/IP settings/WINS tab) is selected for that network card. Make sure you can resolve the name provided in the error.
You can also test the LDAP connection using “portqry -n servername.domain.com -p udp -e 389”. PortQry can be found in the Support Tools. In my case, this problem was caused by a faulty LDAP connection.

ME832919 has information on PortQry.
- Reason code: 80, reason: "The authentication or accounting record could not be written to the log file location. Ensure that the log file location is accessible, has available space, can be written to, and that the directory or SQL server name is valid" - I was getting this error when using IAS to auth VPN clients. The IAS log was showing the clients being granted access; however, the clients were being denied from somewhere. I ended up removing the SQL server logging I was using and just used the local file logging method. That resolved the issue and clients were able to connect.
See ME883659 for a hotfix applicable to Microsoft Windows Server 2003.

See ME888202 to resolve this problem in Microsoft Windows 2000.


- Reason code: 5, Reason: The user's account domain is not accessible. - It may occur when the domain controller for the domain listed in the event description is not available, or when network connectivity problems stop the authentication server from reaching the domain controller.

- Reason code: 4, Reason: The service could not access the Active Directory Global Catalog. - May indicate network connectivity problems between the authentication server and the server holding the Global Catalog role. It could also be that the Global Catalog server is down.
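
When many of these events arrive at once, parsing the description and tallying discards per RADIUS client and reason code shows whether the failures cluster on one client or one cause (for example reason codes 4 and 5, which the comments above tie to Global Catalog and domain controller reachability). The following Python is an added example, not part of the original page or its comments; the function names, users and client names are constructed, and it assumes the "key = value" layout and the "<not present>" text shown in the description above.

```python
import re
from collections import Counter

HEADER = re.compile(r"^Access request for user (?P<user>.+?) was discarded\.$")
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z-]*)\s*=\s*(?P<value>.*)$")

def parse_event(description):
    """Parse one IAS Event ID 3 description into a dict of its fields."""
    lines = [ln.strip() for ln in description.strip().splitlines()]
    head = HEADER.match(lines[0]) if lines else None
    if head is None:
        raise ValueError("not an 'access request ... was discarded' description")
    fields = {"User": head.group("user")}
    for line in lines[1:]:
        m = FIELD.match(line)
        if m is None:
            continue  # skip blank or wrapped lines rather than failing
        value = m.group("value").strip()
        # Assumption: absent attributes appear as the text "<not present>".
        fields[m.group("key")] = None if value == "<not present>" else value
    code = fields.get("Reason-Code")
    if code is not None and code.isdigit():
        fields["Reason-Code"] = int(code)  # numeric so codes group and sort cleanly
    return fields

def summarize(descriptions):
    """Count discarded requests per (RADIUS client name, reason code)."""
    counts = Counter()
    for text in descriptions:
        event = parse_event(text)
        counts[(event.get("Client-Friendly-Name"), event.get("Reason-Code"))] += 1
    return counts

def make_sample(user, client, code, reason):
    # Constructed test data in the layout shown on this page; not real log output.
    return "\n".join([
        f"Access request for user {user} was discarded.",
        f"Fully-Qualified-User-Name = {user}",
        "NAS-Identifier = <not present>",
        f"Client-Friendly-Name = {client}",
        f"Reason-Code = {code}",
        f"Reason = {reason}",
    ])

SAMPLE_EVENTS = [
    make_sample("EXAMPLE\\alice", "vpn-gw-1", 5, "The user's account domain is not accessible."),
    make_sample("EXAMPLE\\bob", "vpn-gw-1", 5, "The user's account domain is not accessible."),
    make_sample("EXAMPLE\\carol", "vpn-gw-2", 4, "The service could not access the Active Directory Global Catalog."),
]
```

Calling summarize(SAMPLE_EVENTS).most_common() lists the client and reason-code pairs with the most discards first.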
