Re: Windows 2003 Pre-authentication failed
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 2 May 2007 07:49:11 -0500
Are there any UNIX boxes that are attempting to log onto the Domain? Just
change the machine account below as if it were a user account (I believe the
machine account should have this available).
0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required

Associated internal Windows error codes
- STATUS_WRONG_PASSWORD

Corresponding debug output messages
- None

Possible Causes and Resolution
- This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB_AS_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.

Resolution
Set the Do not require Kerberos pre-authentication flag on the user's account. Alternatively, consider upgrading to the most recent MIT reference distribution of Kerberos authentication.

Property Codes
http://support.microsoft.com/kb/305144/en-us
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
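
An added example, not part of the original post or of the Microsoft article it links: the "Do not require Kerberos pre-authentication" setting is stored as the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl, the attribute whose property codes KB 305144 lists. The Python sketch below reads an ldifde-style export and reports which accounts carry the bit, whether each is a machine account, and the value that restores pre-authentication. The export text, account names and domain are constructed for illustration.

```python
# Bit values are the userAccountControl property codes from KB 305144.
DONT_REQ_PREAUTH = 0x400000
UAC_FLAGS = {
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}
MACHINE_BITS = 0x1000 | 0x2000  # workstation/server and DC trust accounts

# Constructed sample export (assumption): names and values are illustrative.
SAMPLE_LDIF = """\
dn: CN=EXAMPLEDC,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: EXAMPLEDC$
userAccountControl: 4726784

dn: CN=unixsvc,CN=Users,DC=example,DC=test
sAMAccountName: unixsvc
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        yield dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)

def preauth_exempt(text):
    """List accounts with DONT_REQ_PREAUTH set and the value that clears it."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"), 0)
        if uac & DONT_REQ_PREAUTH:
            findings.append({
                "account": entry.get("sAMAccountName", entry.get("dn", "?")),
                "machine": bool(uac & MACHINE_BITS),
                "flags": [n for b, n in sorted(UAC_FLAGS.items()) if uac & b],
                "restored_uac": uac & ~DONT_REQ_PREAUTH,
            })
    return findings

if __name__ == "__main__":
    for finding in preauth_exempt(SAMPLE_LDIF):
        print(finding)
```

Running the same report before and after a troubleshooting change makes it easy to confirm that the flag was only set on the intended account and was cleared again afterwards.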
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:e9fTnIziHHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Paul, but none of these were of any use. Some seemed close, but on
further digging they weren't relevant.
Any other ideas? I'm desperately trying to avoid re-building the box.
Andrew
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:OZ7aOGDiHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
See if any of these help out.
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:OcBe3PBiHHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the idea Paul, but I've already tried this :-(
Regards
Andrew
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:e$tn$IAiHHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Dang, don't see anything. Can you try resetting the machine account
password?
http://support.microsoft.com/kb/325850/en-us
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:e2mgjp4hHHA.4676@xxxxxxxxxxxxxxxxxxxxxxx
If I turn the Kerberos logging off the errors in the system log do go
away, but not the errors in the security log.
Regards
Andrew
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:eHOdiU3hHHA.1048@xxxxxxxxxxxxxxxxxxxxxxx
For starters, try turning this off to see if these errors go away.
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:uYwoWF3hHHA.1244@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I forgot I turned on Kerberos logging while bashing my head
against this over the last few weeks.
I am getting 2 EventID3 events in the system event log.
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:18:46.0000 4/25/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name: host/teeceserver.internal.teece.co.uk
Target Name:
host/teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
AND
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:32:48.0000 4/25/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name: teeceserver.internal.teece.co.uk
Target Name: teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
Regards
Andrew
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:OdteDqzhHHA.4704@xxxxxxxxxxxxxxxxxxxxxxx
Your dcdiag is reporting Kerberos errors, but I am unable to find
specifics on Microsoft. Go into the System Event Log and see if
you can find any specific Event Id's for the errors listed below.
I believe you are getting an Event Id 3 error.
http://www.eventid.net/display.asp?eventid=3&eventno=3536&source=Kerberos&phase=1
EventId 3 may be being triggered by Kerberos Logging if you have
that enabled, but there are other Event errors, that I am unsure of
the Event Id.
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x825A0011
Time Generated: 04/24/2007 21:26:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 04/24/2007 21:26:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 04/24/2007 21:26:37
(Event String could not be retrieved)
An Error Event occured. EventID: 0x825A0011
Time Generated: 04/24/2007 21:26:41
(Event String could not be retrieved)
An Error Event occured. EventID: 0x80000003
Time Generated: 04/24/2007 21:33:04
Event String: A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 20:33:4.0000 4/24/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name:
host/teeceserver.internal.teece.co.uk
Target Name:
host/teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
An Error Event occured. EventID: 0x80000003
Time Generated: 04/24/2007 21:48:05
Event String: A Kerberos Error Message was received:
on logon session
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:u$q$KmrhHHA.4064@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the help Paul
I have already run and looked into numerous articles around diagnosing
issues with DCDIAG, all to no avail :-(
Attached are the reports though.
I have also tried resetting the machine password with netdom
Regards
Andrew
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O$Q5jVrhHHA.4516@xxxxxxxxxxxxxxxxxxxxxxx
When you have the error try the following and post anything you don't understand:
Run diagnostics against your Active Directory domain.
If you don't have the tools installed, install them from your server install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account slow links to dc's will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.
The script is located in the download section on my website at http://www.pbbergs.com
Just select both dcdiag and netdiag make sure verbose is set. (Leave the default settings for dcdiag as set when selected)
When complete search for fail, error and warning messages.
"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:uTQ79QrhHHA.5008@xxxxxxxxxxxxxxxxxxxxxxx
Hi
I have a domain controller that has A LOT (read 4 times / minute) of "Failure Audit" entries in the Security log.
The entries are of ID 675, Category Account Logon. The message is "Pre-authentication failed:"
Failure Code: 0x19
If I demote the server to just be a member server it is fine. But if I repromote the server the errors return.
Regards
Andrew Teece
Technical Architect