Re: Repeated 675,681 and 677 error codes in security log
From: Craig Barraclough (CraigBarraclough_at_discussions.microsoft.com)
Date: 08/02/05
- Next message: Roger Abell: "Re: Prohibit renaming of folder"
- Previous message: ade: "Re: Default domain permissions"
- In reply to: Barry: "Re: Repeated 675,681 and 677 error codes in security log"
- Next in thread: Craig Barraclough: "Re: Repeated 675,681 and 677 error codes in security log"
- Reply: Craig Barraclough: "Re: Repeated 675,681 and 677 error codes in security log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 2 Aug 2005 04:56:01 -0700
I don't understand the second of the examples which has the loopback address
as the client address. If 0x18 is a bad password i don't understand why that
is logged during the night from the loopback.
"Barry" wrote:
>
> "Craig Barraclough" <CraigBarraclough@discussions.microsoft.com> wrote in
> message news:DFACC470-4B43-4FF5-8404-7EC635B0D7CA@microsoft.com...
> >I hope some can help as i have search all over for an answer to this.
> >
> > We have a customer with a 2000 domain in mixed mode with a mixture of
> > win98,2000 and xp machines.
> >
> > I have been monitoring the event logs on their servers, the security logs
> > are full of Failure audits with event codes 675 and677. I gather these are
> > Kerberos related but i can't work out what the failure codes are for and
> > what
> > could be causing them.
> > The usernames and client addresses are all different, i haven't been able
> > to
> > pin it down to any specific machines.
> >
> > A couple of examples are below
> >
> > Source: Security
> > Catergory: Account logon
> > Type: Failure
> > Event ID: 675
> > User: NT AUTHORITY\SYSTEM
> > Computer: AAA-Primary
> > Pre-authentication failed
> > username: ACraig
> > userID: BRITISH\ACraig
> > Service Name: krbtgt/BRITISH
> > Pre-authentication type: 0x2
> > Failure code: 0x18
> > Client address: 192.168.3.65
> >
> >
> >
> > Source: Security
> > Catergory: Account logon
> > Type: Failure
> > Event ID: 675
> > User: NT AUTHORITY\SYSTEM
> > Computer: AAA-Primary
> > Pre-authentication failed
> > username: Administrator
> > userID: BRITISH\Administrator
> > Service Name: krbtgt/BRITISH
> > Pre-authentication type: 0x2
> > Failure code: 0x18
> > Client address: 127.0.0.1
> >
> >
> > Source: Security
> > Catergory: Account logon
> > Type: Failure
> > Event ID: 677
> > User: NT AUTHORITY\SYSTEM
> > Computer: AAA-Primary
> > Serivce Ticket request Failed
> > username: ENG02$
> > User Domain: BRITISH
> > Service Name: krbtgt/BRITISH
> > Pre-authentication type: 0x2
> > Failure code: 0x20
> > Client address: 192.168.1.27
> >
> >
> >
> > These events seem to occur at all times of day and night, the client
> > address
> > are either servers, workstations or even the loopback address.
> >
> > Anyone any idea what could be causing this?
> >
> > Cheers
> >
> > Craig
>
> pre-authentication pretty much means wrong password - 0x18 is
> KDC_ERR_PREAUTH_FAILED
> the other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired". Which I
> guess means the client requested access to a resource with a ticket which
> has since expired. It will then request a new one.
>
> I'd just ignore them both to be honest.
>
>
>
- Next message: Roger Abell: "Re: Prohibit renaming of folder"
- Previous message: ade: "Re: Default domain permissions"
- In reply to: Barry: "Re: Repeated 675,681 and 677 error codes in security log"
- Next in thread: Craig Barraclough: "Re: Repeated 675,681 and 677 error codes in security log"
- Reply: Craig Barraclough: "Re: Repeated 675,681 and 677 error codes in security log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
