Have Integrated Windows Authentication enabled and look at..

I'm trying to determine if a trend is happening and would like to know if it is possible to locate in the IIS log file.

Setup:
IIS 6.0 website with Integrated Windows Authentication only and uses Negotation, NTLM for the 2 Auth headers and extended logging. Most clients use kerneros, based on IE client setting.
Scenerio:
When the user "IE Client" connects to my website and is prompted to put in their login info. If you hit cancel at the prompt, you get an 401.2, if they type bad user info, they get a 401.1. I know from Microsoft's webcast that you allows get one 401.2 for the anonymous to determine Auth header types. I also now that in the local security event log, tracks when users put in bad login info. But how can I get both the hitting cancel and bad info from the iis log file?

Also, logging definitions.
what is the status code 2148074254 and 2148074252 for the field sc-win32-status.

Thanks


#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-04-30 19:15:56 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / - 80 - 10.12.97.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC) CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTERS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 - saord.tx.sbc.com 401 1 2148074252 358 617 124
2004-04-30 19:16:05 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / - 80 - 10.12.97.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC) CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTERS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 - saord.tx.sbc.com 401 2 2148074254 1872 515 0

2148074252 is "The logon attempt failed"
2148074254 is "No credentials are available in the security package"

Log the cs-username field. If the user is attempting to send credentials,
the username will be logged. If the user clicks "cancel", then *no* separate
request is sent to the server as far as I know. The browser merely loads the
error page that was sent with the WWW-Authenticate headers.

So, I try to access your secure page (no credentials). IIS logs 401.2. IIS
sends back:
401.2 Status
+
WWW-Authenticate Headers
+
Error Page

If I click cancel, I get shown the error page. If I send back credentials,
whole process repeats.

Cheers
Ken

"Jeremy Smith" <anonymous RemoveThis @discussions.microsoft.com> wrote in message
news:79411F1E-72D6-4ABB-ABA0-96D43F6592B2@microsoft.com...
: I'm trying to determine if a trend is happening and would like to know if
it is possible to locate in the IIS log file.
:
: Setup:
: IIS 6.0 website with Integrated Windows Authentication only and uses
Negotation, NTLM for the 2 Auth headers and extended logging. Most clients
use kerneros, based on IE client setting.
: Scenerio:
: When the user "IE Client" connects to my website and is prompted to put in
their login info. If you hit cancel at the prompt, you get an 401.2, if they
type bad user info, they get a 401.1. I know from Microsoft's webcast that
you allows get one 401.2 for the anonymous to determine Auth header types. I
also now that in the local security event log, tracks when users put in bad
login info. But how can I get both the hitting cancel and bad info from the
iis log file?
:
: Also, logging definitions.
: what is the status code 2148074254 and 2148074252 for the field
sc-win32-status.
:
: Thanks
:
:
: #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie)
cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
time-taken
: 2004-04-30 19:15:56 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / -
80 - 10.12.97.22 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC)
CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTE
RS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 -
saord.tx.sbc.com 401 1 2148074252 358 617 124
: 2004-04-30 19:16:05 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / -
80 - 10.12.97.22 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC)
CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTE
RS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 -
saord.tx.sbc.com 401 2 2148074254 1872 515 0