Internet access dies after pile-up of EVENT ID 676 (reposted to this forum) any assistance helpful...

From: mealsormissles (nospam_at_thisaddress.corn)
Date: 07/08/03


Date: Tue, 8 Jul 2003 16:04:32 -0400


Hello all:

Last week, internet connectivity stopped - no email, no www. It stopped
sometime after 6:00am (that's when I received my last automated health
report to my outside address).

The users restarted the server. Access is fine. In the security event log
however, there is a string of:

>>>
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 6/25/2003
Time: 4:01:36 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Authentication Ticket Request Failed:
  User Name: auserinthedomain
  Supplied Realm Name: OURDOMAIN.LOCAL
  Service Name: krbtgt/OURDOMAIN.LOCAL
  Ticket Options: 0x40810010
  Failure Code: 0x17
  Client Address: 127.0.0.1
>>>

There are several hundred of these messages with the user ALWAYS indicating
the same 'real' user on the domain. The only variable is the client address
which balances out 50/50 between 127.0.0.1 and the IP address of the
external ethernet adapter of my SBS2000 server.
The messages appear in spurts of several messages during any given minute
and then spaced 7-15 minutes apart.
No other messages of note in the security log.

However, there have been multiple all-port scan attacks (perhaps twice as
many as usual) reported this week.

One (out of 10) user did report that it took her significantly longer than
usual to login this morning.

Since the restart (20 minutes uptime) the internet has worked fine, no user
complaints and only one error message in the security log - a Failure Audit,
event 537. (It's the typical blank Kerberos message, only indicating Logon
Type: 3.)

Any ideas or suggestions as to what may be happening?
System is an SBS2000 server with ISA. The configuration is dual NIC with the
external attached to a DSL router.

Thanks in advance.

j*

p.s.
I went into User Manager and disabled "auserinthedomain", just in case....
I reposted this message here after two postings to the SBS forum with no
replies.
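
A way to tally a pattern like the one described above from a text export of the Security log, as an added example that is not part of the original post. The sample records, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed records in the layout quoted in the post (trimmed; values made up).
# 192.0.2.10 is a placeholder for the server's external adapter address.
# Failure Code 0x17 is Kerberos error 23, KDC_ERR_KEY_EXPIRED (RFC 4120).
TEMPLATE = """Event Type: Failure Audit
Event ID: {eid}
Date: 6/25/2003
Time: {time}
Authentication Ticket Request Failed:
  User Name: auserinthedomain
  Failure Code: 0x17
  Client Address: {addr}
"""
ROWS = [("676", "4:01:36 AM", "127.0.0.1"), ("676", "4:01:40 AM", "192.0.2.10"),
        ("676", "4:01:52 AM", "127.0.0.1"), ("676", "4:12:05 AM", "192.0.2.10"),
        ("676", "4:12:09 AM", "127.0.0.1"), ("537", "4:13:00 AM", "127.0.0.1")]
SAMPLE = "".join(TEMPLATE.format(eid=e, time=t, addr=a) for e, t, a in ROWS)
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split a text export into one dict per 'Event Type:' record."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            events.append({})
        if events:
            events[-1][key] = val
    return events

def summarize_676(events, gap_minutes=5):
    """Count 676 failures per (user, code, client) and group them into bursts."""
    hits = [e for e in events if e.get("Event ID") == "676"]
    tally = Counter((e["User Name"], e["Failure Code"], e["Client Address"]) for e in hits)
    times = sorted(datetime.strptime(f'{e["Date"]} {e["Time"]}', "%m/%d/%Y %I:%M:%S %p")
                   for e in hits)
    bursts = []  # each burst is a list of timestamps no more than gap_minutes apart
    for t in times:
        if bursts and (t - bursts[-1][-1]).total_seconds() <= gap_minutes * 60:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return tally, [(b[0], len(b)) for b in bursts]

if __name__ == "__main__":
    print(*summarize_676(parse_events(SAMPLE)), sep="\n")
```

The tally shows how the failures split between client addresses for one account, and the burst list gives the start time and size of each cluster so the spacing between clusters can be read off directly.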


