Event 537 Is Listed in the Security Event Log (318922)

SYMPTOMS

If failure auditing is enabled on a Windows 2000-based domain controller, the following event may be listed in the Security event log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 2/27/2002
Time: 10:10:47 AM
User: NT AUTHORITY\SYSTEM
Computer: ROOTDC
Description:
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

CAUSE

This event may occur if the following conditions exist:

You have a Windows 2000-based domain that hosts user accounts.
You have a trusting Microsoft Windows NT 4.0-based domain that hosts machine accounts.
Windows 2000-based computers are member of the Windows NT 4.0-based domain.
Users of the trusted Windows 2000-based domain log on to Windows 2000-based computers in the Windows NT 4.0-based domain.
When a user logs on to a Windows 2000-based computer, the computer's time is not synchronized with the time on the Windows 2000-based domain controller in the Windows 2000-based domain that validates the user.

Because the Windows 2000-based computer tries to use Kerberos authentication before using NTLM authentication, the computer tries to contact the Windows 2000-based domain controller by using Kerberos. If the time differs by more than the allowed maximum (by default, five minutes), event 537 is logged on the Windows 2000-based domain controller.

Event 537 Is Listed in the Security Event Log (318922)

SYMPTOMS

CAUSE

RESOLUTION

STATUS