Failed Logins from external addresses

Similar Messages

• Proxy login from externally authenticated user

  Hi Experts,
  I created an externally authenticated user in database. And can login without password with below syntax.
  SQL> connect / @TESTDB
  Connected.
  SQL> show user;
  USER is "SCOTT"
  This scott user has a proxy permission to another DBuser PROXY_USER.
  I got the syntax but that works only from Database OS.
  sqlplus [proxy_user]/
  SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
  Copyright (c) 1982, 2010, Oracle. All rights reserved.
  Connected to:
  Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
  I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
  SQL> connect / @TESTDB
  Connected.
  But the above mentioned Proxy connectivity syntax fails with below from CLIENT
  SQL> connect [proxy_user]/ @TESTDB
  SP2-0306: Invalid option.
  Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
  where <logon> ::= <username>[<password>][@<connect_identifier>] | /
  But the same syntax works from Database OS!
  I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
  My sqldeveloper version is:
  Version 2.1.1.64
  Build MAIN-64.45
  and sqlplus is:
  SQL*Plus: Release 10.2.0.1.0
  Any idea?
  Thanks.
  Edited by: Nadvi on Nov 18, 2010 3:09 PM

  Hi Nadvi
  If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
  I am not sure what is the issue with your setup the proxy usecases I am familiar with are:
  Through the SQLDeveloper ui
  There are two ways of doing proxy logins:
  where p1 is proxy user and c1 is proxy client:
  1/single session method (if no 2nd password or distinguished name required)
  on main connection popup
  user: p1[c1]
  password: p1
  2/Two session method
  Main Connection popup
  user: p1
  password p1
  popup connection authentication
  proxy client: c1
  none or password or distinguished name
  -Turloch
  SQLDeveloper Team

• User is not able to Login from external supplier, using the WSS (ICH)

  Hi Gurus,
  The user is not able to login to the server externally from url.
  dev_icm is giving below warnings:
  [Thr 11052] IcmWatchDogThread: watchdog started
  [Thr 11309] ** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject not set  => do
  not trust any intermediary*
  X.509 cert data will be removed from header [http_plg_mt. 720]
  [Thr 11309] =================================================
  [Thr 11309] = SSL Initialization  on  IBM RS/6000 with AIX
  [Thr 11309] =   (700_REL,May  3 2008,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
  [Thr 11309]   profile param "ssl/ssl_lib" = "/usr/sap/SCA/SYS/exe/run/libsapcrypto.o"
             resulting Filename = "/usr/sap/SCA/SYS/exe/run/libsapcrypto.o"
  [Thr 11309] =   found SAPCRYPTOLIB  5.5.5C pl16  (Jun 10 2004) MT-safe
  [Thr 11309] =   current UserID: "scaadm",  env-var USER="scaadm"
  [Thr 11309] =   using SECUDIR=/usr/sap/SCA/DVEBMGS41/sec
  [Thr 11309] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/SCA/DVEBMGS41/sec/SAPSSLA.pse" not found,
  [Thr 11309] =      using PSE "/usr/sap/SCA/DVEBMGS41/sec/SAPSSLC.pse" as fallback
  [Thr 11309] = Success -- SapCryptoLib SSL ready!
  [Thr 11309] =================================================
  HTTPS (SSL) settings are as below, i think which means that no ssl certifiacts are required.
  icm/HTTPS/verify_client        = 0
  Kindly help urgently.
  regards,
  MJ

  this is SCM system.
  SSL CA's are set.
  what should be value of the parameters?
  icm/HTTPS/trust_ client_with_ issuer or
  icm/HTTPS/trust_ client_with_ subject
  http and https ssl conections are correctly set.
  I think the SAPSSLA. pse" not found, is not the problem as the parameter icm/HTTPS/verify_ client = 0 is set, it means that no ssl certifiacts are required.
  problem is coming when the system is being accessed from externally using other secure domain name.
  the system is being accessed ok from web urs which is internal, but not external.
  for example in strust tcode  the domain name is *abc.com, which is running fine when accessing the system internally.
  but when the user is accessing this sytem from other secure login from *xyz.com, which is also the same companys domain, then the user not able to login, its showing errir.

• Getting this error from established user, when emailing from external address - This is a permanent error. The following address(es) failed:

  Hi
  It has been reported than an external person is unable to email one of our staff and is getting this bounceback. 
  The problem is, this member of staff has been here for year, emails works fine for everyone else etc, any ideas of the cause of the problem? We are using exchange 2010 fwiw
  Subject: Mail delivery failed: returning message to sender
  This message was created automatically by mail delivery software.
  A message that you sent could not be delivered to one or more of its recipients.
  This is a permanent error. The following address(es) failed: [email protected] 

  Hi,
  I think the sender should check their exchange if there are any problems first.
  Accroding to your description, it seems that this is not your problem.
  Thanks.
  Niko Cheng
  TechNet Community Support

• Secondary email addresses fail login from abroad

  From France the primary email address logs in to webmail OK, all the secondaries fail.
  Ani ideas please?

  it's a webmail issue (connection to that server or not) not a broadband issue. Lots of the wrong type of issue are posted here but since you did not get a reply it is worth posting in the correct forum and that way you are more likely to be helped basically.
  If my post was helpful then please click on the Ratings star on the left-hand side If the the reply answers your question fully then please select ’Mark as Accepted Solution’

• Exchange 2010 Mail Enabled Distribution Group Won't Receive from External Address

  Let me pre-empt the usual first response: yes, I've unchecked "require that all senders are authenticated" on the Message delivery Restrictions properties of Message Delivery Restrictions. I cannot get a message from an external mail server to
  send to an internal mail-enable distribution group. It's working internally. I've checked our ironport and the message is being sent to exchange (at least I think it is).
  How can I troubleshoot this?!
  tfgeorge

  Ironport is definitely sending this email to exchange. Please read:
  06 Jun 2011 08:53:20 (GMT -05:00)
  Protocol SMTP interface Main Interface (IP Gateway IP) on incoming connection (ICID 17720578) from sender IP 65.54.190.154. Reverse DNS host bay0-omc3-s16.bay0.hotmail.com verified yes.
  06 Jun 2011 08:53:20 (GMT -05:00)
  (ICID 17720578) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:6.0] SBRS 3.0
  06 Jun 2011 08:53:20 (GMT -05:00)
  Start message 2136865 on incoming connection (ICID 17720578).
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 enqueued on incoming connection (ICID 17720578) from
  [email protected].
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 on incoming connection (ICID 17720578) added recipient ([email protected]).
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 contains message ID header '<[email protected]>'.
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 original subject on injection: TEST
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 (1471 bytes) from
  [email protected] ready.
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 matched per-recipient policy DEFAULT for inbound mail policies.
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 scanned by Anti-Spam engine: CASE. Final verdict: Negative
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 scanned by Anti-Virus engine. Final verdict: Negative
  06 Jun 2011 08:53:20 (GMT -05:00)
  Message 2136865 queued for delivery.
  06 Jun 2011 08:53:20 (GMT -05:00)
  SMTP delivery connection (DCID 1658840) opened from IronPort interface 100.100.100.100 to IP address 100.100.100.100 on port 25.
  06 Jun 2011 08:53:20 (GMT -05:00)
  (DCID 1658840) Delivery started for message 2136865 to
  [email protected].
  06 Jun 2011 08:53:21 (GMT -05:00)
  (DCID 1658840) Delivery details: Message 2136865 sent to
  [email protected]
  06 Jun 2011 08:53:21 (GMT -05:00)
  Message 2136865 to
  [email protected] received remote SMTP response '2.6.0 <[email protected]> [InternalId=919833] Queued mail for delivery'.
  tfgeorge

• Failed booting from external usb hdd

  Hey Community!
  I struggle at backing up my arch linux operation system. I found this instruction but for newbies as me it seems to be a little bit hard to follow:
  Full_System_Backup_with_rsync
  The backup itself with rsync and the installation of GRUB bootloader seemed to be successful, but if I plug in the external hdd in another PC and boot from it, GRUB fails with ERROR 21.
  I think, that my menu.lst is somehow incorrect. What I did:
  full rsync to /mnt/usbHDD (mounted from /dev/sdb1)
  my external hard disk is partitioned like that:
  || 160 gb ext4, sdb1 | UNUSED rest ||
  blkid gives me that:
  /dev/sda1: UUID="8f7f3e77-8acb-4724-862a-6c9678cadd29" TYPE="ext2"
  /dev/sda2: UUID="c21b9563-ebf9-4b28-882d-fd8322693627" TYPE="swap"
  /dev/sda3: UUID="78aad592-62d5-4752-8e04-50f17ff19705" TYPE="ext4"
  /dev/sda4: UUID="b5cba3a9-5009-485f-b53c-6be526b51f55" TYPE="ext4"
  /dev/sdc1: LABEL="storageHDD" UUID="49afd07d-1c11-448f-9b06-f7477cbe1b7c" TYPE="ext4"
  The /etc/fstab of the original OS is:
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  UUID=78aad592-62d5-4752-8e04-50f17ff19705 / ext4 defaults 0 1
  UUID=8f7f3e77-8acb-4724-862a-6c9678cadd29 /boot ext2 defaults 0 1
  UUID=b5cba3a9-5009-485f-b53c-6be526b51f55 /home ext4 defaults 0 1
  UUID=c21b9563-ebf9-4b28-882d-fd8322693627 swap swap defaults 0 0
  The /boot/grub/menu.lst of the original OS is:
  # general configuration:
  timeout 5
  default 0
  color light-blue/black light-cyan/blue
  # (0) Arch Linux
  title Arch Linux
  root (hd0,0)
  kernel /vmlinuz-linux root=/dev/disk/by-uuid/78aad592-62d5-4752-8e04-50f17ff19705 ro
  initrd /initramfs-linux.img
  # (1) Arch Linux
  title Arch Linux Fallback
  root (hd0,0)
  kernel /vmlinuz-linux root=/dev/disk/by-uuid/78aad592-62d5-4752-8e04-50f17ff19705 ro
  initrd /initramfs-linux-fallback.img
  The /etc/fstab of the backed up (on hdd) OS is:
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  UUID=78aad592-62d5-4752-8e04-50f17ff19705 / ext4 defaults 0 1
  UUID=8f7f3e77-8acb-4724-862a-6c9678cadd29 /boot ext2 defaults 0 1
  UUID=b5cba3a9-5009-485f-b53c-6be526b51f55 /home ext4 defaults 0 1
  UUID=c21b9563-ebf9-4b28-882d-fd8322693627 swap swap defaults 0 0
  The /boot/grub/menu.lst of the backed up (on hdd) OS is:
  # (0) Arch Linux
  title Arch Linux
  root (hd0,0)
  kernel /vmlinuz-linux root=/dev/sdb1 ro
  initrd /initramfs-linux.img
  # (1) Arch Linux
  title Arch Linux Fallback
  root (hd0,0)
  kernel /vmlinuz-linux root=/dev/sdb1 ro
  initrd /initramfs-linux-fallback.img
  I don't have a clue what to change, since it is not clearly specified in the wiki...I followed exactly the instructions in the wiki, besides the include and excludes for rsync but that doesnt really matter
  Appreciate your help
  Last edited by athal (2012-06-25 21:09:16)

  You should adapt the menu.lst of the backed up OS like this:
  # (0) Arch Linux
  title Arch Linux
  root (hd1,0)
  kernel /boot/vmlinuz-linux root=/dev/sdb1 ro
  initrd /boot/initramfs-linux.img
  explanation:
  - Your root should be (hd1,0) because the external disc is the second hard disc (assuming root=/dev/sdb1 is correct).
  - The kernel and initrd line should have /boot, because you don't have a seperate boot partition.
  Also, you didn't adapt your fstab of the backed up hard disk. In particular, you have to remove the entries for /boot, /home and swap. The entry of root file system is also wrong, because you still have the old UUID in it:
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  /dev/sdb1 / ext4 defaults 0 1
  Finally, I think not following the excludes in the wiki will also cause problems.

• B2B login from External Site

  Hi All
  I have an existing website.  As part of that website I have an area that customers can enter a username and password and login.
  How can I redirect that login button to log into my webtools database
  Regards
  Vincent

  Code:Other users have used a "single sign on" sort of solution. The code below is put into an ASPX page in the plug-ins directory the page is then called from a form on the existing website.
  Here is the code:
  >
  >    protected void Page_Load(object sender, System.EventArgs e)
  >    {
  >        string password = "cex2006";
  >        string returnto = "~/common/accounts/myaccount.aspx";
  >        if (Request.Form["userid"] != null) {
  >            if (Request.Form["password"] != null && >Request.Form["password"] == password) {
  >                NPUser u = new NPUser(Request.Form["userid"]);
  >                NPAccount a = new NPAccount(u.AccountID);
  >                if (u.Initialized) {
  >                    if (u.ActiveFlag && a.Active) {
  >                        base.Login(u.UserID, u.AccountID);
  >                        u.MarkLogin(base.Request.UserHostAddress);
  >                        u.ResolveCarts(base.SessionID);
  >                        Response.Redirect(returnto);
  >                    } else {
  >                        Response.Write("Account Locked");
  >                    }
  >                } else {
  >                    Response.Write("User not In System");
  >                }
  >            } else {
  >                Response.Write("No master password specified or
  > master password incorrect");
  >            }
  >        } else {
  >            Response.Write("No userid specified");
  >        }
  >    }
  >   
  > 
  >

• Sending to Distribution Groups from External Addresses

  Hi,
  I am trying to send to a EX2013 Distribution list from the outside world. The list contains both internal users and external contacts. If I send it from internally the list gets send out correctly, if i try and send it out from the outside world only internal
  users receive the emails but there is no errors or NDRs to tell me why.
  I have allowed '<label for="ResultPanePlaceHolder_EditMailGroup_deliveryManagementSection_contentContainer_rblRequireSenderAuthentication_1" id="ResultPanePlaceHolder_EditMailGroup_deliveryManagementSection_contentContainer_rblRequireSenderAuthentication_1_label">Senders
  inside and outside of my organization' in the Delivery Management tab.</label>
  I do use GFI which shows the emails but just says OK so it doesn't seem like its that which is the issue.
  Can anyone help please. I did do a Powershell but cannot remember what it was.

  Hi ,
  On my side i will not prefer ecp for message tracking. Instead i will prefer EMS.
  Below command will be used on the exchange management shell to have a grid-view on the output.
  Get-TransportService | Get-MessageTrackingLog -Sender "external user" -ResultSize unlimited -MessageSubject "test" | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject
  | Out-GridView
  (or)
  Below command will be used on the exchange management shell to have the output on the csv file.
  Get-TransportService | Get-MessageTrackingLog -Sender "External user" -ResultSize unlimited -MessageSubject "test" | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject
  | Export-csv c:\nithya.csv
  Reference
  Link for message tracking : http://exchangeserverpro.com/exchange-2010-message-tracking-log-search-powershell/
  Thanks & Regards S.Nithyanandham

• Problem with failed logins for "Workstation" objects

  All
  I am currently seeing an issue in my environment since an upgrade of the
  workstation ZENworks client to 6.5.
  Basically our environment was all ZEN 3.2, over the last month we have
  been force upgrading each site to ZENworks 6.5 for clients through the
  login script. Since then we have had failed logins from various
  workstations and the only way to resolve the issue, currently, is to
  delete the workstation object and let it re-create itself which does
  resolve the issue.
  From a site perspective I am not in a position to delete 2000 workstaion
  objects so they can re-register into the tree so I was wondering if
  anyone had seen anything like this and knew how to resolve it?
  Current count on Health Monitor:
  Failed Logins Per Hour 3038 6096 N/A
  Example Error:
  Time: Monday, 27-11-2006 9:18 am
  Address: IP 165.198.211.58
  User: .CN=PUKWUL01523.OU=WKSTS.OU=THEALE.OU=UK.O=FLE.T=F LE-NDS.
  I was thinking it may be a rights issues of some sort but any help
  greatly received!!!!!
  Paul

  > OK, we have tried that and it didnt work unfortunatly, we have also added
  > public rights to the workstation container to see if it was a rights
  > issue of some sort but again this didnt work.
  >
  > Paul
  I did see this issue a while ago when moving from 3.2 to 6.5
  What I might suggest is trying to force the upgraded PCs to create "new"
  workstation objects.
  As part of the upgrade process, unregister the Workstation Objects 1st,
  then run the agent install. Have the ZFD7 Import policy create the
  workstation Objects with a slight different name or in a slightly different
  location.
  I dont recall the details exactly so I wont say too much since I will not
  have the facts 100% correctly, but it was an issue in which the old
  workstation objects would lose the ability to authenticate after a few days
  because of a switch in the WS Manager.
  By having new objects made, the issue would be avoided.
  The old ones should go aways shortly due to automatic workstation cleanup.

• Can't access apache webserver from external IPs with 10.5.5

  I've just setup a new install of 10.5.5. I have one website configured on port 443 with SSL enabled. It all works fine internally.
  My router forwards external requests on 443 on to the local machine (192.168.5.1) which I can see working as the server's firewall is logging the access as accepted:
  Nov 24 19:37:10 server ipfw[4657]: 12308 Accept TCP 82.132.136.215:58095 192.168.5.1:443 in via en0
  So neither the router nor the OS X server firewall is blocking the request, but the webserver is not responding. There is no mention of the access request in the apache access or error log.
  As mentioned, the server is working perfectly from local IPs on the same subnet. netstat shows this setup for port 443:
  tcp46 0 0 *.443 . LISTEN
  Any one any ideas on what I can do to diagnose this? I had this working perfectly with OS X client's apache but since installing the server version I have no access from external IPs.
  Cheers
  Russell

  Hi Harry, as expected, telnet server 22 works and responds with
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1
  But telnetting to 443 fails to connect after a minute or so and responds with
  telnet: connect to address XX.XX.XX.XX: Operation timed out
  telnet: Unable to connect to remote host
  It may well be something to do with my IP setup. Internally, my network is on 192.168.5.X/255.255.255.0. My server is 192.168.5.1 and also provides internal DNS. Telnet works from internal IPs.
  Externally I have a static IP and external DNS requests resolve to this static IP (as I can ssh to myserver.mydomain.com from external addresses and 'host myserver.mydomain.com' returns the correct info).
  Perhaps Apache isn't responding because its seeing a request to the external IP address coming in, but I thought setting the site to respond to address 'any' should over come this. It worked fine with the client.
  Cheers
  Russell

• SQL Failed login Report - SSRS or HTML

  Working on to create SSRS or HTMl Report for Failed Login from more then one server. 
  1) Get all Failed login information with server name and store it into one table 
  2) Create SSRS report. 
  Or If anyone has better script and Idea..
  Thanks 
  Please Mark As Answer if it is helpful. \\Aim To Inspire Rather to Teach A.Shah

  Hi,
  You can use the sp_readerrorlog to get the current error log and only return failed logins. See:
  Auditing Failed Logins in SQL Server
  Simply, you can add multiple data sources and datasets with sp_readerrorlog stored procedure. The number of them depends on the number of SQL Servers which you want to audit. And add multiple tables in your report with the corresponding datasets in your
  report.
  You can use PowerShell to retrieve the information from multiple servers. It is similar to the method which mentioned in the following articles:
  Check the Last SQL Server Backup Date using Windows PowerShell
  http://www.mssqltips.com/sqlservertip/1784/check-the-last-sql-server-backup-date-using-windows-powershell/
  Retrieve a List of SQL Server Databases and their Properties using PowerShell
  http://www.mssqltips.com/sqlservertip/1759/retrieve-a-list-of-sql-server-databases-and-their-properties-using-powershell/
  Automate collection and saving of failed logins for SQL Server
  http://www.mssqltips.com/sqlservertip/1750/automate-collection-and-saving-of-failed-logins-for-sql-server/
  Hope the information helps.
  Tracy Cai
  TechNet Community Support

• BCS - Message from External System : 'Login failed for user 'NT AUTHORITY\IUSR'.'.

  Hello,
   I have create a an external content type .
   I Choose "Connect with user's Identity".
   I create a external list that uses the ExternalContentType.
   When I try open the external list from browser by User "TestUser" . I get the following error "Message from External System : 'Login failed for user 'NT AUTHORITY\IUSR'.'"
     My Question :
         I need to know why pass the credential "NT AUTHORITY\IUSR" to connect to the data base not the
          current log in"TestUser" ?  How Can I solve it ?
          Thanks
           Hema
  ASk

  Hi,
  did you configure Kerberos delegation?
  NTLM fails when you try to open external list from client computer, because SharePoint cannot pass user's identity - "Double Hop" issue.
  Take a look at confguring Kerberos for SharePoint 2010 white paper
  Download Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products from Official Microsoft Download Center
  http://www.microsoft.com/en-us/download/details.aspx?id=23176
  Robi MCT Kompas Xnet d.o.o. Ljubljana | blog: http://xblogs.kompas-xnet.si | website: http://www.kompas-xnet.si
  Slovenia
  Please vote if you find reply useful or mark it as answer.
  Thank you

• Network (IP) address is no longer listed as the source of multiple failed login attempts - Events 4776 in Windows 2008 R2

  Our Windows 2008R2 security log is full of failed login attempt events 4776, but we're unable to block them because no IP address is provided for the network source of these attempts - like it was in Windows 2003 Server.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          9/26/2012 2:32:27 AM
  Event ID:      4776
  Task Category: Credential Validation
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      MAIL.XYZ.COM
  Description:
  The computer attempted to validate the credentials for an account.
  Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon Account:    admin
  Source Workstation:    MAIL
  Error Code:    0xc0000064
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4776</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>14336</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2012-09-26T06:32:27.570062500Z" />
      <EventRecordID>18318</EventRecordID>
      <Correlation />
      <Execution ProcessID="452" ThreadID="540" />
      <Channel>Security</Channel>
      <Computer>MAIL.XYZ.COM</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
      <Data Name="TargetUserName">admin</Data>
      <Data Name="Workstation">MAIL</Data>
      <Data Name="Status">0xc0000064</Data>
    </EventData>
  </Event>

  The user names are all different in these log events, and they constantly change, which may indicate a hacking attempt.  However, in Windows 2003 these type of events looked like this, showing the IP address the request came from, so we could trace
  and block them -- but not in Windows 2008:
  Logon Failure:
  Reason: Unknown user name or bad password
  User Name: s
  Domain: MAIL
  Logon Type: 10
  Logon Process: User32 
  Authentication Package: Negotiate
  Workstation Name: MAIL
  Caller User Name: MAIL$
  Caller Domain: XXXX
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 3728
  Transited Services: -
  Source Network Address: 202.67.170.186
  Source Port: 57365

• Airport Extreme is allowing access to screen sharing, file sharing from external IP addresses (some from China, Canada etc)

  How to get control over the ports/port forwarding etc in Airport Extreme?
  How to make AE drop packets to certain ports from external ports.  Or create whitelist/blacklists?
  I figured out where the MAC filtering is!  (It is inside the Timed Access Control).  I wish it had a list of connected device and allowed me to select, name and add them.
  I am getting requests from Chinese IP to the screen sharing ports forwarded to my iMac.  Had requests to other ports as well.  There was one IP address from CANADA too.
  I want to open file sharing for local use only.

  Why is Airport Extreme forwarding requests for screen sharing from external ip addresses to my imac?  I don't have a public address, nor use dynamic dns service, and I have removed the server app (at least I think I have, but Apple Store doesn't think so).