Re: Repeated 675,681 and 677 error codes in security log
From: Craig Barraclough (CraigBarraclough_at_discussions.microsoft.com)
Date: 08/05/05
- In reply to: Craig Barraclough: "Re: Repeated 675,681 and 677 error codes in security log"
Date: Fri, 5 Aug 2005 04:40:06 -0700
I have also noticed that a common event, event 627, changing the password of
the TSInternetUser has failed. I believe this should be successful as it is
the system changing it for security reasons.
I wonder if this event is linked to my other problems?
"Craig Barraclough" wrote:
> I don't understand the second of the examples which has the loopback address
> as the client address. If 0x18 is a bad password I don't understand why that
> is logged during the night from the loopback.
>
> "Barry" wrote:
>
> >
> > "Craig Barraclough" <CraigBarraclough@discussions.microsoft.com> wrote in
> > message news:DFACC470-4B43-4FF5-8404-7EC635B0D7CA@microsoft.com...
> > > I hope someone can help as I have searched all over for an answer to this.
> > >
> > > We have a customer with a 2000 domain in mixed mode with a mixture of
> > > win98,2000 and xp machines.
> > >
> > > I have been monitoring the event logs on their servers, the security logs
> > > are full of Failure audits with event codes 675 and 677. I gather these are
> > > Kerberos related but I can't work out what the failure codes are for and
> > > what could be causing them.
> > > The usernames and client addresses are all different, I haven't been able
> > > to pin it down to any specific machines.
> > >
> > > A couple of examples are below
> > >
> > > Source: Security
> > > Category: Account logon
> > > Type: Failure
> > > Event ID: 675
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: AAA-Primary
> > > Pre-authentication failed
> > > username: ACraig
> > > userID: BRITISH\ACraig
> > > Service Name: krbtgt/BRITISH
> > > Pre-authentication type: 0x2
> > > Failure code: 0x18
> > > Client address: 192.168.3.65
> > >
> > >
> > >
> > > Source: Security
> > > Category: Account logon
> > > Type: Failure
> > > Event ID: 675
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: AAA-Primary
> > > Pre-authentication failed
> > > username: Administrator
> > > userID: BRITISH\Administrator
> > > Service Name: krbtgt/BRITISH
> > > Pre-authentication type: 0x2
> > > Failure code: 0x18
> > > Client address: 127.0.0.1
> > >
> > >
> > > Source: Security
> > > Category: Account logon
> > > Type: Failure
> > > Event ID: 677
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: AAA-Primary
> > > Service Ticket request Failed
> > > username: ENG02$
> > > User Domain: BRITISH
> > > Service Name: krbtgt/BRITISH
> > > Pre-authentication type: 0x2
> > > Failure code: 0x20
> > > Client address: 192.168.1.27
> > >
> > >
> > >
> > > These events seem to occur at all times of day and night, the client
> > > addresses are either servers, workstations or even the loopback address.
> > >
> > > Anyone any idea what could be causing this?
> > >
> > > Cheers
> > >
> > > Craig
> >
> > pre-authentication pretty much means wrong password - 0x18 is
> > KDC_ERR_PREAUTH_FAILED
> > the other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired". Which I
> > guess means the client requested access to a resource with a ticket which
> > has since expired. It will then request a new one.
> >
> > I'd just ignore them both to be honest.
> >
> >
> >
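An added example, not part of the thread: a small triage script for a text export of events laid out like the 675/677 records quoted above. It decodes the failure code and groups 0x18 pre-authentication failures by user and client address, so the loopback case asked about stands out. The field labels follow the quoted records; the sample records, the error-code table (taken from RFC 4120) and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Kerberos error codes per RFC 4120; the thread itself names 0x18 and 0x20.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Constructed sample records in the layout of the events quoted in the thread.
_REC = "Event ID: {}\nusername: {}\nFailure code: {}\nClient address: {}\n"
SAMPLE = "\n".join(_REC.format(*r) for r in [
    ("675", "ACraig", "0x18", "192.168.3.65"),
    ("675", "Administrator", "0x18", "127.0.0.1"),
    ("675", "Administrator", "0x18", "127.0.0.1"),
    ("677", "ENG02$", "0x20", "192.168.1.27"),
])

def parse_events(text):
    """Split on blank lines; return one dict of lower-cased fields per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "event id" in fields and "failure code" in fields:
            events.append(fields)
    return events

def decode(code):
    """Map a hex failure code string such as '0x18' to its Kerberos name."""
    return KRB_ERRORS.get(int(code, 16), "unknown (%s)" % code)

def triage(events, threshold=3):
    """List (user, address, count, origin) for repeated or DC-local 0x18 failures."""
    hits = Counter((e.get("username", "?"), e.get("client address", "?"))
                   for e in events
                   if e["event id"] == "675" and int(e["failure code"], 16) == 0x18)
    findings = []
    for (user, addr), n in sorted(hits.items()):
        local = addr == "127.0.0.1"  # request was made on the logging DC itself
        if n >= threshold or local:
            findings.append((user, addr, n, "local to the DC" if local else "remote"))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE)):
        print(finding)
```

A loopback client address on a 675 record means the failing request came from a process on the domain controller that logged it, so that server's own services and scheduled tasks are the place to look for a stale password.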