Re: Event ID 676
From: Anubis (anonymous_at_discussions.microsoft.com)
Date: 07/27/04
- Next message: Tom: "IPSec Filtering"
- Previous message: Jakob: "Peer-to-peer port"
- In reply to: djc: "Re: Event ID 676"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Jul 2004 10:18:23 +0100
Check out the DC that is listed, you should then find the corresponding
event there with the workstation IP address listed. I have also would that
Kerberos ticket error 12 can be caused by users being in too many groups. We
found this problem when trying to access EMC NAS devices.
"djc" <noone@nowhere.com> wrote in message
news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
> thanks for the reply. I think where I am confused is the client address..
I
> am expecting it to be 'from where' the logon was attempted... like the
> user's workstation name... but that address is a domain controller?
actually
> I just double-checked and some of these events are from domain controller
> addresses and some are from client workstations? I am confused. I know the
> users don't have physical access to the servers so thats out. I suppose
> terminal services logon attempts could generate this? I'm just not sure
how
> to interprets these security auditing events.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:3KcNc.161924$a24.85480@attbi_s03...
> > That would seem to be the case. Failure code 0x12 can be a variety of
> reasons but not
> > having the user right for access could certainly be one. Below is a list
> of items I
> > found on a MS doc. --- Steve
> >
> > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> > Associated internal Windows error codes
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_ACCOUNT_EXPIRED
> >
> > . STATUS_ACCOUNT_LOCKED_OUT
> >
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_INVALID_LOGON_HOURS
> >
> > . STATUS_LOGIN_TIME_RESTRICTION
> >
> > . STATUS_LOGIN_WKSTA_RESTRICTION
> >
> > . STATUS_ACCOUNT_RESTRICTION
> >
> >
> >
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > > Source: Security
> > > Category: Account Logon
> > > Authentication Ticket Request Failed:
> > > User Name: smithly
> > > Supplied Realm Name: HELLER.COM
> > > Service Name: krbtgt/HELLER.COM
> > > Ticket Options: 0x40810010
> > > Failure Code: 0x12
> > > Client Address: 10.10.100.100
> > >
> > > according to the info I found on this failure code (12), this event is
> > > because of a time of day or workstation restriction. This would seem
to
> make
> > > sense because the client address listed is a server that this user
would
> not
> > > have the log on locally user right assigned for.
> > >
> > > Is this correct, this is telling me that smithly has attemped to logon
> to
> > > 10.10.100.100?
> > >
> > >
> >
> >
>
>
- Next message: Tom: "IPSec Filtering"
- Previous message: Jakob: "Peer-to-peer port"
- In reply to: djc: "Re: Event ID 676"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
