Event ID 680 on Domain Controller from computers with SEP 12.1 installed
Article: TECH168601 | Created: 2011-08-31 | Updated: 2011-11-14 | Article URL: http://www.symantec.com/docs/TECH168601
After the Symantec Endpoint Protection (SEP) version 12.1 client was installed on workstations, the Domain Controller began receiving numerous Event ID 680 entries from the computers newly installed with the SEP 12.1 client. This did not happen with the legacy Symantec Endpoint Protection 11.x client. It happens with both a migration to and a clean install of 12.1. Additionally, the workstations exhibit a significant delay or slow performance with some applications.
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Blank
Source Workstation: (Computer name)
Error Code: 0xC0000064
- Windows Small Business Server 2003
- Microsoft ISA Proxy server
- Windows auditing for NTLM authentication on Domain Controller
The issue does not happen when web traffic from a workstation is blocked, or when the computer is configured to bypass the ISA proxy and communicate directly with the internet. Packet captures revealed communication with Symantec URLs that are required and used by the new protection technology in 12.1. The required URLs are documented in knowledge base article TECH162286: Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers.
Symantec is aware of this issue and will update this document when more information is available.
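To see which workstations are generating the failures described above, the following added example (not Symantec's code) tallies Event ID 680 descriptions that carry error code 0xC0000064 and no account name, grouped by source workstation. It assumes the Security log has been exported as text with the four fields shown above; the workstation and account names in the sample are constructed.

```python
import re
from collections import Counter

NO_SUCH_USER = "0xc0000064"  # NTSTATUS STATUS_NO_SUCH_USER, as written in the event
FIELD = re.compile(
    r"^\s*(Logon attempt by|Logon account|Source Workstation|Error Code):\s*(.*?)\s*$", re.I)

def parse_680_records(text):
    """Return one dict per Event ID 680 description found in exported log text."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "logon attempt by":  # first field of each description
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def blank_account_failures(text):
    """Count 0xC0000064 failures with no account name, per source workstation."""
    counts = Counter()
    for rec in parse_680_records(text):
        # Assumption: a blank account is exported as empty or as the word "Blank".
        blank = rec.get("logon account", "").lower() in ("", "blank")
        if blank and rec.get("error code", "").lower() == NO_SUCH_USER:
            counts[rec.get("source workstation", "?").upper()] += 1
    return counts

# Constructed sample input (hypothetical workstation and account names).
SAMPLE = """\
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation: WKS-01
Error Code: 0xC0000064
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: jsmith
Source Workstation: WKS-02
Error Code: 0x0
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Blank
Source Workstation: wks-01
Error Code: 0xC0000064
"""

print(dict(blank_account_failures(SAMPLE)))
```

Comparing the resulting workstation list against the machines that received the SEP 12.1 client shows whether the event volume tracks the rollout.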