Networking Forums
Home Register Members Search Links
Member Login:

Networking Forums > Computer Networking > Windows Networking > Event ID 538 in Windows Server 2003

Reply
Thread Tools Display Modes

Event ID 538 in Windows Server 2003

 
 
Dave
Guest
Posts: n/a

 
      09-26-2006, 02:09 PM
Hi,

I am wondering if someone can answer a question I have about this event ID
538.

I am trying to determine what exactly this event indicates when it has an
actual user's name and is a type 3? From what I have researched type 3 could
indicate more than one type of log off, however I am trying to determine what
types of log off's it indicates with the username.

I'm running a Windows Server 2003 with Citrix terminal services running as
well.

Thanks for any help,
Dave
 
Reply With Quote
 
 
 
 
Robert L [MVP - Networking]
Guest
Posts: n/a

 
      09-26-2006, 04:00 PM
The Event ID 538 is usually due to token leak. Based on MS,
"The issue is a class of bug called a ‘Token Leak’.
It is fixed for many cases (but not all) in Service Pack 4.
It's not possible to fix in all cases because applications
can cause this problem.". As explained above that even
if you install SP4, some of the Token Leak problems that
are associated with the OS will be removed but as far as
the third party ap

Logon Failure: Account locked out Symptoms: The server Event Viewer lists Event ID 539: Logon Failure: Reason: Account locked out User Name: <blin> Domain: <chicagotech.net> Logon Type: 3 ...
www.chicagotech.net/troubleshooting/event539.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Dave" <(E-Mail Removed)> wrote in message news:A855BF22-A78A-499C-A828-(E-Mail Removed)...
Hi,

I am wondering if someone can answer a question I have about this event ID
538.

I am trying to determine what exactly this event indicates when it has an
actual user's name and is a type 3? From what I have researched type 3 could
indicate more than one type of log off, however I am trying to determine what
types of log off's it indicates with the username.

I'm running a Windows Server 2003 with Citrix terminal services running as
well.

Thanks for any help,
Dave
 
Reply With Quote
 
Dave
Guest
Posts: n/a

 
      09-26-2006, 04:32 PM
HI Robert,

Thank you for the reply. I have found other references to this problem with
leaky access tokens. I have been trying to determine if this entry in the
security log is an interactive log on/off event. So far I haven't found
anything definitive to describe what this event ID means when associated with
a userid. My goal is to provide evidence that this event id is not a user
logging in interactively.

Thanks
Dave

"Robert L [MVP - Networking]" wrote:

> The Event ID 538 is usually due to token leak. Based on MS,
> "The issue is a class of bug called a ‘Token Leak’.
> It is fixed for many cases (but not all) in Service Pack 4.
> It's not possible to fix in all cases because applications
> can cause this problem.". As explained above that even
> if you install SP4, some of the Token Leak problems that
> are associated with the OS will be removed but as far as
> the third party ap
>
> Logon Failure: Account locked out Symptoms: The server Event Viewer lists Event ID 539: Logon Failure: Reason: Account locked out User Name: <blin> Domain: <chicagotech.net> Logon Type: 3 ...
> www.chicagotech.net/troubleshooting/event539.htm
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> "Dave" <(E-Mail Removed)> wrote in message news:A855BF22-A78A-499C-A828-(E-Mail Removed)...
> Hi,
>
> I am wondering if someone can answer a question I have about this event ID
> 538.
>
> I am trying to determine what exactly this event indicates when it has an
> actual user's name and is a type 3? From what I have researched type 3 could
> indicate more than one type of log off, however I am trying to determine what
> types of log off's it indicates with the username.
>
> I'm running a Windows Server 2003 with Citrix terminal services running as
> well.
>
> Thanks for any help,
> Dave
>
 
Reply With Quote
 
Robert L [MVP - Networking]
Guest
Posts: n/a

 
      09-26-2006, 04:54 PM
In general, ANONYMOUS LOGON is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials. If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials.


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Dave" <(E-Mail Removed)> wrote in message news:6AB1A48F-3933-438A-8361-(E-Mail Removed)...
HI Robert,

Thank you for the reply. I have found other references to this problem with
leaky access tokens. I have been trying to determine if this entry in the
security log is an interactive log on/off event. So far I haven't found
anything definitive to describe what this event ID means when associated with
a userid. My goal is to provide evidence that this event id is not a user
logging in interactively.

Thanks
Dave

"Robert L [MVP - Networking]" wrote:

> The Event ID 538 is usually due to token leak. Based on MS,
> "The issue is a class of bug called a ‘Token Leak’.
> It is fixed for many cases (but not all) in Service Pack 4.
> It's not possible to fix in all cases because applications
> can cause this problem.". As explained above that even
> if you install SP4, some of the Token Leak problems that
> are associated with the OS will be removed but as far as
> the third party ap
>
> Logon Failure: Account locked out Symptoms: The server Event Viewer lists Event ID 539: Logon Failure: Reason: Account locked out User Name: <blin> Domain: <chicagotech.net> Logon Type: 3 ...
> www.chicagotech.net/troubleshooting/event539.htm
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> "Dave" <(E-Mail Removed)> wrote in message news:A855BF22-A78A-499C-A828-(E-Mail Removed)...
> Hi,
>
> I am wondering if someone can answer a question I have about this event ID
> 538.
>
> I am trying to determine what exactly this event indicates when it has an
> actual user's name and is a type 3? From what I have researched type 3 could
> indicate more than one type of log off, however I am trying to determine what
> types of log off's it indicates with the username.
>
> I'm running a Windows Server 2003 with Citrix terminal services running as
> well.
>
> Thanks for any help,
> Dave
>
 
Reply With Quote
 
 
 
Reply

« VPN w2003 - event ID 20050 | WINS Server Error »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows Server 2003 SP1 Event 1030 and 1053 Arp Hiemstra Windows Networking 7 12-06-2005 05:13 PM
Event Error 10016 on Windows Server 2003 kcc Windows Networking 0 09-14-2005 10:17 AM
5719 and 1053 event log errors on Windows 2003 Server Jeremy Windows Networking 1 08-12-2005 01:23 PM
event 1054 on Windows 2003 member server Blake Windows Networking 0 06-28-2005 06:29 PM
Event ID 3019 on Windows 2003 Server Std. SP1 Marc Lueckert Windows Networking 0 05-24-2005 07:53 AM


Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc.
Contact Us - Archive - Privacy Statement - Top

1 2 3 4 5 6 7 8 9 10 11