Re: Event ID 676

From: Mark-Allen (mark-allen_at_mvps_dot_org)
Date: 07/27/04


Date: Tue, 27 Jul 2004 01:48:10 +0200

Check: http://www.eventid.net/display.asp?eventid=676&source=

maybe this will help.

-- 
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org
  "djc" <noone@nowhere.com> wrote in message news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
  thanks for the reply. I think where I am confused is the client address.. I
  am expecting it to be 'from where' the logon was attempted... like the
  user's workstation name... but that address is a domain controller? actually
  I just double-checked and some of these events are from domain controller
  addresses and some are from client workstations? I am confused. I know the
  users don't have physical access to the servers so thats out. I suppose
  terminal services logon attempts could generate this? I'm just not sure how
  to interprets these security auditing events.
  "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
  news:3KcNc.161924$a24.85480@attbi_s03...
  > That would seem to be the case. Failure code 0x12 can be a variety of
  reasons but not
  > having the user right for access could certainly be one. Below is a list
  of items I
  > found on a MS doc.  --- Steve
  >
  > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
  > Associated internal Windows error codes
  >       . STATUS_ACCOUNT_DISABLED
  >
  >       . STATUS_ACCOUNT_EXPIRED
  >
  >       . STATUS_ACCOUNT_LOCKED_OUT
  >
  >       . STATUS_ACCOUNT_DISABLED
  >
  >       . STATUS_INVALID_LOGON_HOURS
  >
  >       . STATUS_LOGIN_TIME_RESTRICTION
  >
  >       . STATUS_LOGIN_WKSTA_RESTRICTION
  >
  >       . STATUS_ACCOUNT_RESTRICTION
  >
  >
  >
  >
  > "djc" <noone@nowhere.com> wrote in message
  > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
  > > Source: Security
  > > Category: Account Logon
  > > Authentication Ticket Request Failed:
  > >   User Name: smithly
  > >   Supplied Realm Name: HELLER.COM
  > >   Service Name: krbtgt/HELLER.COM
  > >   Ticket Options: 0x40810010
  > >   Failure Code: 0x12
  > >   Client Address: 10.10.100.100
  > >
  > > according to the info I found on this failure code (12), this event is
  > > because of a time of day or workstation restriction. This would seem to
  make
  > > sense because the client address listed is a server that this user would
  not
  > > have the log on locally user right assigned for.
  > >
  > > Is this correct, this is telling me that smithly has attemped to logon
  to
  > > 10.10.100.100?
  > >
  > >
  >
  >


Relevant Pages

  • RE: Event ID 529 on cleint workstation
    ... Security Event ID 529 is a failure audit for logon/logoff. ... "logon events" generate the events on domain controllers for domain account ... The Event 529 was caused by the machine account password not being ... I suggest that you re-join the client to ...
    (microsoft.public.windows.server.sbs)
  • Re: Event ID 529 on cleint workstation
    ... "logon events" generate the events on domain controllers for domain account ... The Event 529 was caused by the machine account password not being ... I suggest that you re-join the client to ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: NT4 -> Win2K3 question
    ... "not allow me logon to domain." ... I suspect you still unable to join the ... client into domain, right? ... Get Secure! ...
    (microsoft.public.windows.server.migration)
  • Re: windows client cant start completely...get blank desktop and no icons, start button, task bar, e
    ... Can you access the registry remotely from another workstation or the ... "Logon to the problematic client as a user who can logon to other ... Logon to a working client as the user who encountered the problem. ... not supported in newsgroup support. ...
    (microsoft.public.windows.server.sbs)
  • Re: windows client cant start completely...get blank desktop and no icons, start button, task bar, e
    ... "Logon to the problematic client as a user who can logon to other ... Logon to a working client as the user who encountered the problem. ... please check the following registry keys that define the ... not supported in newsgroup support. ...
    (microsoft.public.windows.server.sbs)