Re: Repeated 675,681 and 677 error codes in security log

From: Barry (spamiittyspam_at_spammy.spam)
Date: 08/02/05

  • Next message: ade: "Re: Default domain permissions"
    Date: Tue, 2 Aug 2005 08:36:04 +0100
    
    

    "Craig Barraclough" <CraigBarraclough@discussions.microsoft.com> wrote in
    message news:DFACC470-4B43-4FF5-8404-7EC635B0D7CA@microsoft.com...
    > I hope someone can help as I have searched all over for an answer to this.
    >
    > We have a customer with a 2000 domain in mixed mode with a mixture of
    > Win98, 2000 and XP machines.
    >
    > I have been monitoring the event logs on their servers, the security logs
    > are full of Failure audits with event codes 675 and 677. I gather these are
    > Kerberos related but I can't work out what the failure codes are for and
    > what could be causing them.
    > The usernames and client addresses are all different, I haven't been able
    > to pin it down to any specific machines.
    >
    > A couple of examples are below
    >
    > Source: Security
    > Category: Account logon
    > Type: Failure
    > Event ID: 675
    > User: NT AUTHORITY\SYSTEM
    > Computer: AAA-Primary
    > Pre-authentication failed
    > username: ACraig
    > userID: BRITISH\ACraig
    > Service Name: krbtgt/BRITISH
    > Pre-authentication type: 0x2
    > Failure code: 0x18
    > Client address: 192.168.3.65
    >
    >
    >
    > Source: Security
    > Category: Account logon
    > Type: Failure
    > Event ID: 675
    > User: NT AUTHORITY\SYSTEM
    > Computer: AAA-Primary
    > Pre-authentication failed
    > username: Administrator
    > userID: BRITISH\Administrator
    > Service Name: krbtgt/BRITISH
    > Pre-authentication type: 0x2
    > Failure code: 0x18
    > Client address: 127.0.0.1
    >
    >
    > Source: Security
    > Category: Account logon
    > Type: Failure
    > Event ID: 677
    > User: NT AUTHORITY\SYSTEM
    > Computer: AAA-Primary
    > Service Ticket request Failed
    > username: ENG02$
    > User Domain: BRITISH
    > Service Name: krbtgt/BRITISH
    > Pre-authentication type: 0x2
    > Failure code: 0x20
    > Client address: 192.168.1.27
    >
    >
    >
    > These events seem to occur at all times of day and night, the client
    > addresses are either servers, workstations or even the loopback address.
    >
    > Anyone any idea what could be causing this?
    >
    > Cheers
    >
    > Craig

    Pre-authentication pretty much means wrong password - 0x18 is
    KDC_ERR_PREAUTH_FAILED. The other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED:
    Ticket expired", which I guess means the client requested access to a
    resource with a ticket which has since expired. It will then request a
    new one.

    I'd just ignore them both to be honest.
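
An added example, not part of the original thread: a triage script that decodes the failure codes in 675/677 events and flags client addresses whose 0x18 failures span several different usernames. The text-export layout, the `user_threshold` value, the helper names and the sample events (the first three mirror the post, the rest are constructed) are assumptions.

```python
import re
from collections import defaultdict

# Kerberos error names (RFC 4120); 0x18 and 0x20 are the two from the thread.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW"}
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split an export into events: blank-line separated 'key: value' blocks."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if "event id" in fields and "failure code" in fields:
            events.append(fields)
    return events

def summarise(events, user_threshold=3):
    """Count failures per (event id, error name) and flag addresses whose
    0x18 failures cover at least user_threshold distinct usernames."""
    counts, users_by_addr = defaultdict(int), defaultdict(set)
    for ev in events:
        code = int(ev["failure code"], 16)
        counts[(int(ev["event id"]), KRB_ERRORS.get(code, hex(code)))] += 1
        if code == 0x18:
            addr = ev.get("client address", "?")
            users_by_addr[addr].add(ev.get("username", "?").lower())
    flagged = sorted(a for a, u in users_by_addr.items() if len(u) >= user_threshold)
    return dict(counts), flagged

def _event(eid, user, code, addr):  # builds one constructed sample event
    return f"Event ID: {eid}\nusername: {user}\nFailure code: {code}\nClient address: {addr}\n"

SAMPLE = "\n".join([  # constructed sample; first three mirror the post
    _event(675, "ACraig", "0x18", "192.168.3.65"),
    _event(675, "Administrator", "0x18", "127.0.0.1"),
    _event(677, "ENG02$", "0x20", "192.168.1.27"),
    _event(675, "user1", "0x18", "192.168.9.9"),
    _event(675, "user2", "0x18", "192.168.9.9"),
    _event(675, "user3", "0x18", "192.168.9.9"),
])

if __name__ == "__main__":
    print(summarise(parse_events(SAMPLE)))
```

Isolated 0x18 events spread across many addresses, as in the post, stay unflagged; only the constructed address with three different usernames is reported.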

