Unnecessary Security Failure Audit (Event 577)

ID: Q238185

The information in this article applies to:

Microsoft Windows NT Server version 4.0
Microsoft Windows NT Workstation version 4.0
Microsoft SQL Server version 6.5

SYMPTOMS

When you are using a Remote Procedure Call-based (RPC-based) client/server program, the following Security Failure Audit may be logged in the Security event log:

Event ID: 577 Source: Security Type: Failure Audit Category: Privilege Use
User: User Computer: Computer
Text:
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: User
Client Domain: Domain
Client Logon ID: (0x0,0x1234)
Privileges: SeTcbPrivilege

CAUSE

The security audit occurs while the RPC subsystem acquires the user's credentials for authenticated RPC. There are two ways for the code to do this. If the first method does not succeed, the second method is tried. In this case, the first method (calling the LSA directly) does not succeed and generates an Audit Failure entry.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

This audit does not indicate a security breach and can be safely ignored.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem was first corrected in Windows NT 4.0 Service Pack 6.

MORE INFORMATION

This problem was first observed connecting to Microsoft SQL Server 6.5 with ISQL/W using Multi-protocol as a transport. Failure auditing of "User of User Rights" must be active to receive this Security Audit event.

Additional query words:

Keywords : kbenv kberrmsg ntsecurity
Version : winnt:4.0,6.5
Platform : winnt
Issue type : kbbug