Re: Windows 2003 Pre-authentication failed



Sorry for the slow response. I got pulled away onto other things.

There are no *nix boxes on the network at all. I have read about this issue relating to *nix boxes before.



Regards




Andrew

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:%23aQZJhLjHHA.4520@xxxxxxxxxxxxxxxxxxxxxxx
Are there any UNIX boxes that are attempting to log onto the Domain? Just change the machine account below as if it were a user account (I believe the machine account should have this available).

0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required
Associated internal Windows error codes
. STATUS_WRONG_PASSWORD


Corresponding debug output messages
. None


Possible Causes and Resolution
. This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB_AS_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.

Resolution

Set the Do not require Kerberos pre-authentication flag on the user's account. Alternatively, consider upgrading to the most recent MIT reference distribution of Kerberos authentication.



Property Codes

http://support.microsoft.com/kb/305144/en-us





--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message news:e9fTnIziHHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Paul, but none of these were of any use. Some seemed close, but on further digging they weren't relevant.


Any other ideas? I'm desperately trying to avoid re-building the box.



Andrew


"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:OZ7aOGDiHHA.1624@xxxxxxxxxxxxxxxxxxxxxxx
See if any of these help out.

http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message news:OcBe3PBiHHA.4952@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the idea Paul, but i've already tried this :-(



Regards



Andrew



"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:e$tn$IAiHHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Dang, don't see anything. Can you try resetting the machine account password?

http://support.microsoft.com/kb/325850/en-us


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message news:e2mgjp4hHHA.4676@xxxxxxxxxxxxxxxxxxxxxxx
If I turn the Kerberos logging off the errors in the system log do go away, but not the errors in the security log.


Regards




Andrew

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:eHOdiU3hHHA.1048@xxxxxxxxxxxxxxxxxxxxxxx
For starters, try turning this off to see if these errors go away.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message news:uYwoWF3hHHA.1244@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I forgot I turned on Kerberos logging while bashing my head against this over the last few weeks.

I am getting 2 EventID3 events in the system event log.

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:18:46.0000 4/25/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name: host/teeceserver.internal.teece.co.uk
Target Name: host/teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.



AND


A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:32:48.0000 4/25/2007 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name: teeceserver.internal.teece.co.uk
Target Name: teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.






Regards



Andrew



"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message news:OdteDqzhHHA.4704@xxxxxxxxxxxxxxxxxxxxxxx
Your dcdiag is reporting Kerberos errors, but I am unable to find specifics on Microsoft. Go into the System Event Log and see if you can find any specific Event Id's for the errors listed below.


I believe you are getting an Event Id 3 error.

http://www.eventid.net/display.asp?eventid=3&eventno=3536&source=Kerberos&phase=1

EventId 3 may be being triggered by Kerberos Logging if you have that enabled, but there are other Event errors, that I am unsure of the Event Id.

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x825A0011
Time Generated: 04/24/2007 21:26:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 04/24/2007 21:26:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC25A001D
Time Generated: 04/24/2007 21:26:37
(Event String could not be retrieved)
An Error Event occured. EventID: 0x825A0011
Time Generated: 04/24/2007 21:26:41
(Event String could not be retrieved)
An Error Event occured. EventID: 0x80000003
Time Generated: 04/24/2007 21:33:04
Event String: A Kerberos Error Message was received:
on logon session

Client Time:
Server Time: 20:33:4.0000 4/24/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: INTERNAL.TEECE.CO.UK
Server Name:
host/teeceserver.internal.teece.co.uk
Target Name:
host/teeceserver.internal.teece.co.uk@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0

Error Data is in record data.
An Error Event occured. EventID: 0x80000003
Time Generated: 04/24/2007 21:48:05
Event String: A Kerberos Error Message was received:
on logon session

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message news:u$q$KmrhHHA.4064@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the help Paul

I have already run and looked into numerous articles around diagnosing
issues with DCDIAG, all to no avail :-(

Attached are the reports though.

I have also tried resetting the machine password with netdom


Regards



Andrew



"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O$Q5jVrhHHA.4516@xxxxxxxxxxxxxxxxxxxxxxx
When you have the error try the following and post anything you don't
understand:

Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL
dc's in the forest. If you have significant numbers of DC's this test
could generate significant detail and take a long time. You also want to
take into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be
output in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Andrew Teece" <enate@xxxxxxxxxxxxx> wrote in message
news:uTQ79QrhHHA.5008@xxxxxxxxxxxxxxxxxxxxxxx
Hi
I have a domain controller that has ALOT (read 4 times / minute) of
"Failure Audit" entries in the Security log.

The entries are of ID 675, Category Account Logon. The message is

"Pre-authentication failed:"
Failure Code: 0x19


If I demote the server to just be a member server it is fine. But if i
repromote the server the errors return.



Regards




Andrew Teece
Technical Architect


















.