locked
Why do LAN Client accounts automatically log on and off every 20-30 seconds? RRS feed

  • Question


  • While pursuing an answer to a different question, I noticed the Security section of the Event Viewer of my WHS machine showed my online client users logging on and off about twice a minute.  The users are not manually logging on and off.  The clients are on machines that have the connector software installed.

    Why is this happening?

    Thanks!

    Thursday, March 29, 2007 11:45 PM

Answers

  • Reading and understanding the Security event log is not easy.  It requires a good understanding of security models and a "guide" (typically a third-party) because it's not completely documented and some of the terminology is misleading.   It's a great consulting gig!

     

    First off, the WHS clients are not logging on and off.  The logon/logoff event category was mis-labeled by Microsoft years ago.  This category is associated with the authentication of credentials.  What you're seeing are successful authentication events as the clients interact with the server. 

     

    What exactly is going on?  Beats me as the WHS client-server interactions are not documented at this low level. 

     

    Is is a bug?  Only the WHS Team can tell.  My guess is that it's not.  In any case, the logs will be saved until the log limit is reached and the oldest log events start being purged. 

     

    If you're really interested in security auditing (or have a sleeping problem), I recommend http://www.ultimatewindowssecurity.com/ and http://blogs.msdn.com/ericfitz/

    Friday, March 30, 2007 3:21 AM

All replies

  •  Lliam wrote:

    While pursuing an answer to a different question, I noticed the Security section of the Event Viewer of my WHS machine showed my online client users logging on and off about twice a minute. The users are not manually logging on and off. The clients are on machines that have the connector software installed.

    Why is this happening?

    Thanks!

    I believe it's a heartbeat event; the tray icon obtains some information from WHS each time it logs on like that. But I haven't tried to put a packet sniffer in place to figure out what exactly it's learning...

    In any case, there's a bug report on Connect about this.
    Friday, March 30, 2007 12:27 AM
    Moderator
  • Reading and understanding the Security event log is not easy.  It requires a good understanding of security models and a "guide" (typically a third-party) because it's not completely documented and some of the terminology is misleading.   It's a great consulting gig!

     

    First off, the WHS clients are not logging on and off.  The logon/logoff event category was mis-labeled by Microsoft years ago.  This category is associated with the authentication of credentials.  What you're seeing are successful authentication events as the clients interact with the server. 

     

    What exactly is going on?  Beats me as the WHS client-server interactions are not documented at this low level. 

     

    Is is a bug?  Only the WHS Team can tell.  My guess is that it's not.  In any case, the logs will be saved until the log limit is reached and the oldest log events start being purged. 

     

    If you're really interested in security auditing (or have a sleeping problem), I recommend http://www.ultimatewindowssecurity.com/ and http://blogs.msdn.com/ericfitz/

    Friday, March 30, 2007 3:21 AM