This event record indicates that a logon attempt was made and rejected for some reason other than those covered by explicit audit records. See MSW2KDB
for more details.
This problem may occur if Exchange Server 2003 is installed on a computer that is running Windows 2000 Server Service Pack 3 and the Exchange Server 2003 computer is heavily loaded. See ME817310
for more details.
From a newsgroup post: "The 537 event is common when Kerberos fails. The operation will not necessarily fail, as the Kerberos failure might be followed immediately by a successful NTLM logon (look up "SNEGO" on MSDN to see how we try Kerberos first, then NTLM, for many authentication operations).
There are two likely reasons why this occurred:
1) No explicit Kerberos trust between the domain containing the machine doing the accessing and the domain containing the machine being accessed; in other words only an external trust or no trust between the domains.
2) The SPN for the target machine was unavailable to the requesting machine, at the time of the request. This could be due to a lack of routing hints on the trust, or due to the absence of the SPN in the directory. The SETSPN utility in the Windows 2000 Resource Kit can be used to see if the SPN is in place, and to re-register it if not (SETSPN.EXE -L COMPUTERNAME)".
From a newsgroup post: "If you are using protocol transition, this means you have to satisfy the following requirements:
1) The Domain must be in Windows 2003 native mode.
2) Act as part of operating system (TCB) privilege has to be granted to the process that calls “WindowsIdentity” on the front-end machine (where the code runs) and not on the domain controller. Please see the Kerberos protocol transition whitepaper for more details on these requirements".
- Error code: 0xC000006D - From a newsgroup post: "Generally speaking, status code 0xC000006D means "STATUS_LOGON_FAILURE, the attempted logon is invalid. This is either due to bad username or authentication information. Status code 0xC0000133 means STATUS_TIME_DIFFERENCE_AT_DC. The problem could be caused because there is a time difference (greater than 5 minutes) between the two computers. Can you logon the domain from this workstation or can you access the network sharing from this workstation? Please go to the workstations and check the time settings. If you can successfully logon to the domain from the workstations and access the network resources, you can ignore this event message.
I would like to suggest you go to the SBS 2003 server and check the time service status. Open “Services” console in “Administrative Tools”. Double-click “Windows Time” service. If the time service is disabled, please follow the steps below to start the services:
1. Open Services console in “Administrative Tools”.
2. Double-click Windows Time service. Change the startup type from Disabled to Automatic.
3. Open Registry editor (regedit); navigate to the following registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\. Double-click “Type” value in the right panel. Change the value data from NoSync to NT5DS.
4. Go to the service console, double-click the Windows Time service, and click “Start” button to start the service.
5. Check the settings on the firewall (router or ISA firewall). Make sure that outgoing UDP 123 port request is allowed. The SBS server will use this port to synchronize the time with an external time source (on the Internet).
6. This problem can also occur if the Time service is not started on the client computers or the clients are pointing to the wrong timeserver for sync. By default, it should be the SBS 2K3 server.
For a Windows XP computer, you should run the following at a command prompt:
“w32tm /monitor /computers:localhost”.
ICMP: 0ms delay.
NTP: +0.0000000s offset from local clock
RefID: ntdev-dc-10.ntdev.microsoft.com [x.x.x.x]
The computer returned on the RefID line is the timeserver with whom the client is synchronizing its time.
For a Windows 2000 computer you should run the following at a command prompt:
w32tm -v –once.
In the output, search for the following lines:
NTP: ntpptrs  - <IP address>
PORT pinging to -123
Connecting to "\\<fqdn>" (IP address).
The "Connecting to" line gives you fully qualified domain name and IP address of the SBS server that is providing time synchronization. It also provides the port (123) that the Windows Time Service is utilizing. You can find more information by reading ME314054
This problem might also be caused by a “loopback check” security feature that is designed to help prevent reflection attacks on your computer. This feature was introduced in Windows XP SP2 and Windows Server 2003 SP1. Read ME896861
for information on resolving this problem.
for additional information on this event.