• RSS
  • Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

NDR and Event ID 529

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2000] >> Server Security >> NDR and Event ID 529 Page: [1]
Login
Message << Older Topic   Newer Topic >>
NDR and Event ID 529 - 13.Aug.2002 1:08:00 AM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
Why is it that when I get an NDR I also get a logon error?

Here are my records:

This is the Event Log Error:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/12/2002
Time: 2:02:12 PM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: 2KSBSVR1$
Domain: TAYLOR
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: 2KSBSVR1
This is what is in my SMTP log:
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 EHLO 250 -
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 x-exps 0 -
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 x-link2state 200 -
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 MAIL 250 -
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 RCPT 250 -
2002-08-12 20:02:12 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 RCPT 250 -
2002-08-12 20:02:13 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 xexch50 354 -
2002-08-12 20:02:13 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 DATA 250 -
2002-08-12 20:02:13 207.5.251.242 2ksbsvr1.taylorcommunity.org SMTPSVC1 192.168.0. 0 QUIT 0 -

This is the NDR (the e-mails are from someone outside the domain):
Your message did not reach some or all of the intended recipients.

Subject: parts order
Sent: 8/12/2002 2:04 PM

The following recipient(s) could not be reached:

Dwolf@mydomain.com on 8/12/2002 2:02 PM
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator.
<mail.steffes.com #5.3.5>

Thanks for the help,
Amy
Post #: 1
RE: NDR and Event ID 529 - 13.Aug.2002 10:52:00 AM   
koggen

 

Posts: 980
Joined: 31.Oct.2001
From: Göteborg - Sweden
Status: offline
You have three issues here:

1) the event log

The event log sometimes get filled with these events. I read a KB article a long time ago that this was some sort of "feature", i.e. MS didn't know why it was happening, but I also have noticed that this can happen if your servers and clients are out of sync (i.e. computers aren't time synchronized). Making sure that all machines have valid settings for the w32time utility has changed the frequency of this occurence. The event is logged whenever an authentication process is needed (w2k computer machine accounts use this on a regular basis).

2) the smtp log

Seems alright to me. You have a clean log meaning that the message was accepted. All responses are 250 = OK. The 354 response means "Start mail input" and is normal. Check out http://developer.netscape.com/docs/manuals/messaging/msdkc/asdk2.htm#1013897 for more information on the SMTP response dialog.

3) the NDR

From http://support.microsoft.com/default.aspx?scid=kb;EN-US;q284204 we can learn that 5.3.5 means "Loop-back detected (server is configured to loop back on itself)", which indicates a misconfiguration on your server. Most likely you have multiple Virtual Servers installed with ambigous port and ip settings. I would guess that the event log entry you mentioned is caused by the VS trying to authenticate in anyway (which in it self may be totally ok), but since that might trigger a NT challenge response (basically a login attempt) you can expect the event log entry. Make sure that you virtual servers are correctly configured!

// Johan

(in reply to adukart)
Post #: 2
RE: NDR and Event ID 529 - 13.Aug.2002 6:04:00 PM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
I only have one virtual server. Is there an article that you know of that would tell me the correct way to configure the VS? The NDR was sent to the sender not to my domain I have it sending the admin a copy of NDR's so is it my VS configured incorrectly or is it theres?

Thank You,
Amy

(in reply to adukart)
Post #: 3
RE: NDR and Event ID 529 - 14.Aug.2002 11:46:00 PM   
koggen

 

Posts: 980
Joined: 31.Oct.2001
From: Göteborg - Sweden
Status: offline
I don't know of an article on how to configure the VS. But I've posted some screenshots from one of my servers at http://www.sandqvist.pp.se/vs/. We don't use a SMTP connector so these settings should work fine if you have a similar setup. There's an article though on how to configure a SMTP connector at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q265293&.

It seems that the remote system is the one that's wrongly configured. The problem with many NDR:s is though that the information can be misleading! Check if thereĆs an attachment to the NDR. Save this to disk and open it separately (Outlook will for some reason donĆt display attachments to NRD:s from the preview pane or when opened). If there is an attachment you will probably find the message that caused the NDR as the attachment. Check any information here. Sometimes the server indicated in the NDR is just the reporting server (i.e. to you), and not the server which created the NDR from the beginning. In these cases you must check the message (if attached) to find out more.

Hope this will help you a little more!

// Johan

(in reply to adukart)
Post #: 4
RE: NDR and Event ID 529 - 15.Aug.2002 12:28:00 AM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
My VS seems to be set up correctly. I am getting at least 15 of the 129 events in my Security log every day. I could have been getting these before but I just turned on auditing for unsuccsessful logon attempts so now I see them. I don't know if it is something to worry about or not but thanks for the help anyway.

I do have a new question though. I am receiving these NDR's and I am just wondering if these are because of my setup or because of theres. These two KB articles (Q274638, Q283287) describe them exactly but after reading them I still can't determine if it's my fault. Could someone please read them and let me know what they think?

Thank very much Johan for all your help so far,
Amy

(in reply to adukart)
Post #: 5
RE: NDR and Event ID 529 - 15.Aug.2002 12:29:00 AM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
Oh, sorry, one more thing it's the 5.7.1 NDR's not the 5.7.3s.

(in reply to adukart)
Post #: 6
RE: NDR and Event ID 529 - 17.Sep.2002 10:41:00 PM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
From studying my server I found that I get a these 529 logon failures each and every time that we receive an e-mail from an Exchange 2000 other than our own. Does anyone know why this is happening?

(in reply to adukart)
Post #: 7

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2000] >> Server Security >> NDR and Event ID 529 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Follow TechGenix on Twitter