Re: Security Log

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 04/16/04 

Date: Fri, 16 Apr 2004 09:09:20 -0500

These could be caused by NT machines in the domain that can not use kerberos
authentication. The link below explains this under event ID 675 and 677. You
might want to try auditing logon events for failure instead to see if that
reduces the number of failed logons events. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx

"Sammy Sanders" <ssanders@carolinanetworks.net> wrote in message
news:18f3a01c423b6$624251b0$a001280a@phx.gbl...
> I have set up auditing for failed logon attempts for the
> domain (single forest, single domain).
> The security log keeps filling up with events that seem
> meaningless, defeating the whole purpose of the auditing.
> Can anyone shed any light as to what these event mean, or
> is there a way to stop them from being logged?
> Thenks!
> The events are:
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 677
> Date: 4/16/2004
> Time: 8:22:57 AM
> User: NT AUTHORITY\SYSTEM
> Computer: DC1
> Description:
> Service Ticket Request Failed:
> User Name:
> User Domain:
> Service Name: krbtgt/DOMAIN.LOCAL
> Ticket Options: 0x2
> Failure Code: 0x20
> Client Address: 172.16.220.26
>
> and also
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 675
> Date: 4/16/2004
> Time: 8:19:10 AM
> User: NT AUTHORITY\SYSTEM
> Computer: DC1
> Description:
> Pre-authentication failed:
> User Name: user1
> User ID: DOMAIN\user1
> Service Name: krbtgt/DOMAIN
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 172.20.190.27
>
>
>

Relevant Pages

  • Re: Help, Ive been hacked
    ... ID: 540 Source: Security ... > Event Type: Failure Audit ... > Event Category: Account Logon ... Your computer was not able to renew its address from the network ...
    (microsoft.public.windowsxp.security_admin)
  • Re: bad password for MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    ... Failure Events Are Logged When the Welcome Screen Is Enabled ... Event Source: Security ... The machine is using a machine local account. ... Logon failure auditing is enabled. ...
    (microsoft.public.windowsxp.security_admin)
  • Event Log Errors
    ... As soon as I retired my previous PDC I started getting errors in my security ... Type: Failure ... An unexpected error occurred during logon ... Authentication Package: Kerbos ...
    (microsoft.public.win2000.general)
  • Re: event id 4306
    ... If you have a DOS attack on your server you would experience ... generate a lot of logon failures in the security log of the domain ... controller assuming auditing of account logon and logon events is enabled. ... events enabled for failure and "account logon" events enabled for success ...
    (microsoft.public.security)
  • Re: Logon Error - Event ID 533
    ... The suggestion regarding security logs should not apply if the overwrite option has been selected and you have the default maximum of 512 kb. ... How to Set Log Size and Overwrite Options ... The user cannot logon and no Profile folder is made, ... screen whether with a domain account or a local account from the ...
    (microsoft.public.windowsxp.help_and_support)