Hi,
Sometimes i recive bad login attempts on TMG server in event log. I cant find real ip/hostname with log, because logon process initiated by TMG service. In TMG console section this login name is absent. Please help me with recognizing, who initiate this session!
I replace in log this section %username% - name of user who attept to logon , %domainname% - real name of domain , %servername% - tmg server name.
An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: %SERVERNAME%$
Account Domain: %DOMAINNAME%
Logon ID: 0x3e4
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: %username%
Account Domain: %domainname%
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x255c
Caller Process Name: C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe
Network Information:
Workstation Name: %servername%
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
"
PS Sorry for my English