Thursday, 2 October 2008

SBS - Event ID 537 NTLM Logon Errors - 0x80090308 and Trend

As we go along with this problem on our client's SBS 2003 box, Trend is seemingly helpless to correct the problem.

The e-mail support was horrendous. Unfortunately, things did not work out at all.

From there, an escalation was made and we were put in touch with B. who was somewhat helpful via telephone ... though her script only went so far before we were asked to send the entire server log set to Trend.

We have not heard back since ... though it has only been since late last week.

Here is our initial post on the problem from July: SBS - Trend Worry Free Business Security Event ID 537.

We have been hearing from others about this problem on their SBS box or their client's SBS boxes too.

The error:

Security 537 2/10/2008 4:44 AM 16,044 *

Logon Failure: Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Èù
Authentication Package: NTLM
Workstation Name:
Status code: 0x80090308
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -

And, something that came to us via one person who contacted us as a result of the first post on this issue that causes us to pause:

Dear XXXXXX,
This is an update.
According to RD, the event ID 537 is caused by TMUFE, which is our Web Reputation service engine.
The behaviour of TMUFE will be as follows:

  1. Connect to Proxy Server without authentication.
  2. Proxy server return access denied (Event ID 537) and request authentication.
  3. Connect to Proxy Server with configured user name/password.
So it is normal for the security warning to show up on event logs of the SBS server.
Thank you and have a great day!
Best regards,
Txxxx Cxxxx
Systems Engineer
Australia Technical Support Center
TrendLabs HQ, Trend Micro Incorporated

And, just tonight as this post was being written, the following showed up in our Experts-Exchange Inbox: SBS performance report displays thousands of event id 537 errors. Apparently the above note was sent to the person posing the question who has 5 SBS servers showing the problem.

The above mentioned services were indeed a part of our troubleshooting with B. Especially when it came to having ISA on the box. But, if there were authentication issues, updates too should fail which they were not.

This situation is going from bad to worse in a hurry. :(

Trend, better pull up your socks and get this fixed in a hurry, because right now we are on the edge of walking away ... as our clients that have the product installed are not impressed either ... especially this one: Trend Micro Worry Free Security is not so worry free?

ForeFront and Windows Live OneCare for Server on SBS 2008 are looking more and more attractive everyday ... with ExchangeDefender sitting in front!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

4 comments:

stryqx said...

If the box has got ISA on it, then the Web Reputation proxy username and password both need to be less than 14 characters. You may need to remove the DOMAIN\ component from the username to get under the limit.

Taken from recent posts to the ANZ-SMB-ITS Yahoo Tech Group. Kudos to both Robert Crane and David Benet for nutting this one out.

Philip Elder Cluster MVP said...

Chris,

Now, if Trend came up with that, all would be well! ;)

In some cases, the combination of password and username only will still be more than 14 characters if using the domain admin account.

So, a restricted simple user with no rotating password such as we do for SQL would be in order to meet that minimum.

I will look into this further ... it is too bad that Trend dropped the ball on this one ... it sure has led to a bunch of frustration for us.

Philip

Anonymous said...

Hi Philip,

All my SBS clients use TM csm 3.6 and all my clients have the SBS Premium version. At this moment I did 2 upgrades (myself and a nearby client) and both had the same problems:
a. the ones you describe, exactly the same
b. Both updates had problems with the update of the Exchange server part.
Next to that I have the idea that if servers have 2Gb on board unexpected behaviour (spontanious ending Exchange functionality, spontanious ending Firewall service) arise.
I contacted TM Netherlands about this: no solutions. Not good!!!
Regards
Leen Kleijwegt
CORBUS Netherlands
Dedicated Small Business Server Specialist
Certified Small Business Specialist

Rod Dines said...

Try this..It worked for me...

http://support.microsoft.com/kb/896861


The reason why it needs fixing after Trend WFBS is installed is the REAL QUESTION but this fixes the symptom