Re: Event ID 676
From: Mark-Allen (mark-allen_at_mvps_dot_org)
Date: Tue, 27 Jul 2004 01:48:10 +0200
maybe this will help.
-- Mark-Allen Perry ALPHA Systems, Switzerland mark-allen AT mvps DOT org "djc" <firstname.lastname@example.org> wrote in message news:OW2Jen0cEHA.email@example.com... thanks for the reply. I think where I am confused is the client address.. I am expecting it to be 'from where' the logon was attempted... like the user's workstation name... but that address is a domain controller? actually I just double-checked and some of these events are from domain controller addresses and some are from client workstations? I am confused. I know the users don't have physical access to the servers so thats out. I suppose terminal services logon attempts could generate this? I'm just not sure how to interprets these security auditing events. "Steven L Umbach" <firstname.lastname@example.org> wrote in message news:3KcNc.161924$a24.85480@attbi_s03... > That would seem to be the case. Failure code 0x12 can be a variety of reasons but not > having the user right for access could certainly be one. Below is a list of items I > found on a MS doc. --- Steve > > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked > Associated internal Windows error codes > . STATUS_ACCOUNT_DISABLED > > . STATUS_ACCOUNT_EXPIRED > > . STATUS_ACCOUNT_LOCKED_OUT > > . STATUS_ACCOUNT_DISABLED > > . STATUS_INVALID_LOGON_HOURS > > . STATUS_LOGIN_TIME_RESTRICTION > > . STATUS_LOGIN_WKSTA_RESTRICTION > > . STATUS_ACCOUNT_RESTRICTION > > > > > "djc" <email@example.com> wrote in message > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl... > > Source: Security > > Category: Account Logon > > Authentication Ticket Request Failed: > > User Name: smithly > > Supplied Realm Name: HELLER.COM > > Service Name: krbtgt/HELLER.COM > > Ticket Options: 0x40810010 > > Failure Code: 0x12 > > Client Address: 10.10.100.100 > > > > according to the info I found on this failure code (12), this event is > > because of a time of day or workstation restriction. This would seem to make > > sense because the client address listed is a server that this user would not > > have the log on locally user right assigned for. > > > > Is this correct, this is telling me that smithly has attemped to logon to > > 10.10.100.100? > > > > > >