Trigger an Action using Windows Server 2008 Event Viewer
The Microsoft Windows Server 2008 Event Viewer is a whole new program inside the Operating System, the changes made to it were completely significant and rich in new features. There are so many things that you can now do with Event Viewer that it is worth to take some time off and play with it. The new Event Viewer in Windows Server 2008 bring also new security capabilities for auditing and more in depth explanation of the events. In this area my recommendation is that you read the following article Auditing and Compliance in Windows Server 2008 from TechNet Magazine.
I’m also pointing out about this because recently I worked again in an ISA case where the infamous 5783 was happening and again the challenge was to get the data while the issue was happening. During the call I was explaining that the new eventmon can assist a lot on that since we can attach an action to the event, as you can see below:
Obviously the "wow" came out due this feature that we asked so much for many years and the “what” was followed by the statement: so are you saying that TMG still have this problem?
Let me clarify this once more: there is no bug when ISA Server lose the secure channel with the DC, there is no option to turn on or turn off this error. This problem can happen due many circumstances as I explained and demo on my blog about that. The fact is that if the circumstances are still in place, the 5783 can potentially happen in TMG. The old MaxConcurrentAPI registry key is still there in Windows Server 2008 and can be used to tuning authentication performance as you can see in the “Increase the Number of NPS Concurrent Authentications” article.
So what it is our hope to once for all stop dealing with this problem? Well, the main hope is that the companies start to use a Web Browser that supports Kerberos authentication, such as Internet Explorer 7 or higher. This can dramatically decrease the authentication pressure in ISA and in the DC, making this problem go away.