Authentication attempt (AUTH LOGIN) from <remote SMTP server name> as <user name> failed: LogonUser() call failed with error: Logon failure: unknown user name or bad password.
Concepts to understand:
What is the role of the Microsoft Exchange Internet Mail Connector service?
What is an authentication protocol?
See ME200788 for information about this event.
Tor M Iversen
I have seen this event occurring when the IMC has been under attack from hackers trying to log on to the system through the IMC.
From a newsgroup post: "What it means is that some misconfigured ESMTP server sees the "AUTH LOGIN" and tries to AUTH to your server (thinking that they have a password to every server in the world, no doubt). Since they don't have a valid user name/password in your system, the attempt fails and is recorded in the Applications log.
Send an e-mail to the postmaster of the remote server (domain) and ask him to please stop trying to authenticate with your server. You haven't given him a user/password to use so his attempts are pointless. This is a common problem with the Netscape server. It's caused by a poor choice of defaults in the configurations and a naive admin. The Netscape server sees the AUTH=LOGIN in the list of ESMTP keywords and thinks it should try to login (using what user and password is anyone's guess)."
The fix for this is to make sure the Exchange service account has the "act as part of the operating system" right. Also make sure that you don't have a domain group security policy overriding the local policy for this right. You will need to stop and restart the Internet Mail Service after correcting this problem.
Links: ME200788, ME235627
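
An added example, not part of the original page or its comments: the two explanations given above (a misconfigured ESMTP server retrying a login versus logon attempts against the IMC) can be told apart by grouping the events per remote server and counting the distinct user names tried. The sample events, host names, labels and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern for the event description quoted on this page.
EVENT_RE = re.compile(
    r"Authentication attempt \(AUTH LOGIN\) from (?P<host>.+?) "
    r"as (?P<user>.+?) failed:"
)

# Assumed threshold: more distinct user names than this from one host
# is treated as guessing rather than one relay retrying one login.
MAX_USERS_PER_HOST = 2

TAIL = (" failed: LogonUser() call failed with error: "
        "Logon failure: unknown user name or bad password.")

def make_event(host, user):
    """Build one constructed event description in the page's format."""
    return f"Authentication attempt (AUTH LOGIN) from {host} as {user}{TAIL}"

# Constructed sample descriptions; hosts and user names are made up.
SAMPLE_EVENTS = (
    [make_event("relay.example.net", "relayuser")] * 4
    + [make_event("203.0.113.45", u) for u in
       ("administrator", "admin", "postmaster", "test", "backup")]
    + ["The service was started."]  # unrelated event, ignored
)

def summarize(descriptions):
    """Group failed AUTH LOGIN events by remote SMTP server."""
    hosts = defaultdict(lambda: {"attempts": 0, "users": set()})
    for text in descriptions:
        m = EVENT_RE.search(text)
        if not m:
            continue  # not the event discussed here
        entry = hosts[m.group("host")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user").lower())
    return dict(hosts)

def triage(descriptions, max_users=MAX_USERS_PER_HOST):
    """Label each remote host by how many distinct accounts it tried."""
    result = {}
    for host, entry in summarize(descriptions).items():
        many = len(entry["users"]) > max_users
        result[host] = "many-accounts" if many else "single-account-retry"
    return result

if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {label}")
```

A host labelled `single-account-retry` matches the newsgroup explanation and is a candidate for the e-mail to the remote postmaster; a host labelled `many-accounts` is worth reviewing as a logon attempt.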