Re: Event ID 676

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/27/04


Date: Tue, 27 Jul 2004 01:25:01 GMT

If you enable logon events for failure on your Domain Controller Security Policy, it
may give you more usable information, including logon type. Logon type 2 would be
console or TS while logon 3 would be a network attempt to access a share. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp
-- almost all applies to W2K also.

"djc" <noone@nowhere.com> wrote in message
news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
> Thanks for the reply. I think where I am confused is the client address. I
> am expecting it to be 'from where' the logon was attempted... like the
> user's workstation name... but that address is a domain controller? Actually
> I just double-checked and some of these events are from domain controller
> addresses and some are from client workstations? I am confused. I know the
> users don't have physical access to the servers so that's out. I suppose
> terminal services logon attempts could generate this? I'm just not sure how
> to interpret these security auditing events.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:3KcNc.161924$a24.85480@attbi_s03...
> > That would seem to be the case. Failure code 0x12 can be a variety of reasons but not
> > having the user right for access could certainly be one. Below is a list of items I
> > found on a MS doc. --- Steve
> >
> > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> > Associated internal Windows error codes
> > . STATUS_ACCOUNT_DISABLED
> > . STATUS_ACCOUNT_EXPIRED
> > . STATUS_ACCOUNT_LOCKED_OUT
> > . STATUS_ACCOUNT_DISABLED
> > . STATUS_INVALID_LOGON_HOURS
> > . STATUS_LOGIN_TIME_RESTRICTION
> > . STATUS_LOGIN_WKSTA_RESTRICTION
> > . STATUS_ACCOUNT_RESTRICTION
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > > Source: Security
> > > Category: Account Logon
> > > Authentication Ticket Request Failed:
> > > User Name: smithly
> > > Supplied Realm Name: HELLER.COM
> > > Service Name: krbtgt/HELLER.COM
> > > Ticket Options: 0x40810010
> > > Failure Code: 0x12
> > > Client Address: 10.10.100.100
> > >
> > > > According to the info I found on this failure code (12), this event is
> > > > because of a time of day or workstation restriction. This would seem to make
> > > > sense because the client address listed is a server that this user would not
> > > > have the log on locally user right assigned for.
> > > >
> > > > Is this correct, this is telling me that smithly has attempted to logon to
> > > > 10.10.100.100?
>
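
Added example (not part of the original posts): one way to triage a batch of event 676 descriptions like the one quoted above, by parsing the fields, decoding the failure code with the list given in the thread, and counting failures per user and client address so that the mix of source addresses djc describes shows up at a glance. The function names are hypothetical, and every sample event except the first is constructed.

```python
import re
from collections import Counter

# Failure code 0x12 and its associated status codes, as listed in the thread.
FAILURE_CODES = {
    0x12: ("KDC_ERR_CLIENT_REVOKED", (
        "STATUS_ACCOUNT_DISABLED", "STATUS_ACCOUNT_EXPIRED",
        "STATUS_ACCOUNT_LOCKED_OUT", "STATUS_INVALID_LOGON_HOURS",
        "STATUS_LOGIN_TIME_RESTRICTION", "STATUS_LOGIN_WKSTA_RESTRICTION",
        "STATUS_ACCOUNT_RESTRICTION")),
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")  # lines with no value are skipped

def parse_event(text):
    """Turn the 'Name: value' lines of one event description into a dict."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def summarize(events):
    """Count failures per (user, client address, failure code)."""
    counts = Counter()
    for fields in map(parse_event, events):
        if "Failure Code" in fields:
            code = int(fields["Failure Code"], 16)  # "0x12" -> 18
            counts[(fields.get("User Name"), fields.get("Client Address"), code)] += 1
    return counts

def describe(code):
    """Name and candidate causes for a failure code; other codes are flagged."""
    return FAILURE_CODES.get(code, ("not listed in the thread", ()))

TEMPLATE = """Source: Security
Category: Account Logon
Authentication Ticket Request Failed:
User Name: {user}
Supplied Realm Name: HELLER.COM
Service Name: krbtgt/HELLER.COM
Ticket Options: 0x40810010
Failure Code: {code}
Client Address: {addr}"""
# First tuple is the event quoted in the thread; the rest are constructed samples.
SAMPLE_EVENTS = [TEMPLATE.format(user=u, code=c, addr=a) for u, c, a in [
    ("smithly", "0x12", "10.10.100.100"),
    ("smithly", "0x12", "10.10.100.100"),
    ("smithly", "0x12", "10.10.20.15"),
    ("jonesb", "0x6", "10.10.20.31"),
]]
if __name__ == "__main__":
    for (user, addr, code), n in summarize(SAMPLE_EVENTS).most_common():
        print(user, addr, f"x{n}", hex(code), *describe(code))
```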