
Event ID: 5805 Source: NETLOGON

Description: The session setup from the computer <computername> failed to authenticate. The following error occurred: Access is denied.
Comments
 
This error can occur on read-only controllers by user or computer accounts that have not been explicitly allowed to cache their passwords via the PRP (Password Replication Policy) for the read-only domain controller. Review EV100385 (Administering the Password Replication Policy) on how to add accounts if necessary. So long as the systems can contact a writeable domain controller, this should not be a serious issue. If, however, the PDC is unavailable, the user or computer may not be able to log in. This may be accompanied by 5723 errors as well.
I accessed the domain controller and found that the machine account was disabled. I enabled the account and the problem was solved.
This issue is related to replication. However, even after replicating all the DCs I was facing the same issue. Then I had to:

1) Disjoin the member server from the domain
2) Search & delete the computer account of this member server in all DCs
3) Force replication
4) Join the member server back to the domain.
In one case, this Event ID appeared for a computer account that had been disabled for some time before it was re-enabled. It had probably become invalid.

In another case, this Event ID appeared for a computer account that had been added to the domain but the domain controllers were restored to an earlier point in time.

In another case, this Event ID appeared on a Windows 2003 SP1 domain controller each time a Windows XP SP2 computer was started. This computer could ping the domain controller but not vice versa.
Resolution: Disable the Windows XP Firewall. Remove and re-join the computer to the domain. Consider deleting the computer object in Active Directory Users and Computers in-between to delete any sub-components of the computer object.
As per Microsoft: "If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account". Refer to TB727057 (Active Directory Operations Overview) for more details.
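
The causes reported in the comments above (a disabled machine account, a computer account that differs between domain controllers, and an account not allowed by the Password Replication Policy of a read-only DC) can be checked together. The following read-only triage script is an added example and is not part of the original comments; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs on a domain controller logging 5805, and that the event message is in English as quoted on this page.

```powershell
# Added example: read-only triage of NETLOGON 5805 events. Nothing here modifies the directory.
Import-Module ActiveDirectory

# Extract the computer name from the message text quoted on this page (English text assumed).
$pattern = 'from the computer (\S+) failed to authenticate'
$names = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5805 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'NETLOGON' } |
    ForEach-Object { if ($_.Message -match $pattern) { $Matches[1] } } |
    Sort-Object -Unique

$dcs = Get-ADDomainController -Filter *

$report = foreach ($name in $names) {
    $sam = $name.TrimEnd('$') + '$'          # machine account names end in '$'
    foreach ($dc in $dcs) {
        try {
            # Query each DC directly so differences caused by replication problems are visible.
            $acct = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -Server $dc.HostName `
                        -Properties PasswordLastSet -ErrorAction Stop | Select-Object -First 1
            # On a read-only DC, report whether the PRP allows this account's password to be cached.
            $prp = if ($dc.IsReadOnly -and $acct) {
                Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $dc
            } else { 'n/a' }
            [pscustomobject]@{
                Computer        = $name
                DC              = $dc.HostName
                ReadOnlyDC      = $dc.IsReadOnly
                AccountFound    = [bool]$acct
                Enabled         = $acct.Enabled
                PasswordLastSet = $acct.PasswordLastSet
                PRP             = $prp
            }
        } catch {
            # A DC that cannot be queried is itself a finding for a replication-related error.
            [pscustomobject]@{ Computer = $name; DC = $dc.HostName; ReadOnlyDC = $dc.IsReadOnly
                AccountFound = $null; Enabled = $null; PasswordLastSet = $null; PRP = "query failed: $($_.Exception.Message)" }
        }
    }
}

$report | Sort-Object Computer, DC | Format-Table -AutoSize
```

Rows where `Enabled` is false, where `AccountFound` or `PasswordLastSet` differs between DCs, or where `PRP` is not `Allowed` on a read-only DC correspond to the situations described in the comments.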

