Re: Event ID 676

From: Mark-Allen (mark-allen_at_mvps_dot_org)
Date: 07/27/04


Date: Tue, 27 Jul 2004 01:48:10 +0200

Check: http://www.eventid.net/display.asp?eventid=676&source=

maybe this will help.

-- 
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org
  "djc" <noone@nowhere.com> wrote in message news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
  thanks for the reply. I think where I am confused is the client address.. I
  am expecting it to be 'from where' the logon was attempted... like the
  user's workstation name... but that address is a domain controller? actually
  I just double-checked and some of these events are from domain controller
  addresses and some are from client workstations? I am confused. I know the
  users don't have physical access to the servers so thats out. I suppose
  terminal services logon attempts could generate this? I'm just not sure how
  to interprets these security auditing events.
  "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
  news:3KcNc.161924$a24.85480@attbi_s03...
  > That would seem to be the case. Failure code 0x12 can be a variety of
  reasons but not
  > having the user right for access could certainly be one. Below is a list
  of items I
  > found on a MS doc.  --- Steve
  >
  > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
  > Associated internal Windows error codes
  >       . STATUS_ACCOUNT_DISABLED
  >
  >       . STATUS_ACCOUNT_EXPIRED
  >
  >       . STATUS_ACCOUNT_LOCKED_OUT
  >
  >       . STATUS_ACCOUNT_DISABLED
  >
  >       . STATUS_INVALID_LOGON_HOURS
  >
  >       . STATUS_LOGIN_TIME_RESTRICTION
  >
  >       . STATUS_LOGIN_WKSTA_RESTRICTION
  >
  >       . STATUS_ACCOUNT_RESTRICTION
  >
  >
  >
  >
  > "djc" <noone@nowhere.com> wrote in message
  > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
  > > Source: Security
  > > Category: Account Logon
  > > Authentication Ticket Request Failed:
  > >   User Name: smithly
  > >   Supplied Realm Name: HELLER.COM
  > >   Service Name: krbtgt/HELLER.COM
  > >   Ticket Options: 0x40810010
  > >   Failure Code: 0x12
  > >   Client Address: 10.10.100.100
  > >
  > > according to the info I found on this failure code (12), this event is
  > > because of a time of day or workstation restriction. This would seem to
  make
  > > sense because the client address listed is a server that this user would
  not
  > > have the log on locally user right assigned for.
  > >
  > > Is this correct, this is telling me that smithly has attemped to logon
  to
  > > 10.10.100.100?
  > >
  > >
  >
  >