Event ID 676

Toggle sidebar Toggle sidebar
D

djc

Distinguished
Jun 16, 2004
75
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

Source: Security
Category: Account Logon
Authentication Ticket Request Failed:
User Name: smithly
Supplied Realm Name: HELLER.COM
Service Name: krbtgt/HELLER.COM
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 10.10.100.100

according to the info I found on this failure code (12), this event is
because of a time of day or workstation restriction. This would seem to make
sense because the client address listed is a server that this user would not
have the log on locally user right assigned for.

Is this correct, this is telling me that smithly has attemped to logon to
10.10.100.100?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

That would seem to be the case. Failure code 0x12 can be a variety of reasons but not
having the user right for access could certainly be one. Below is a list of items I
found on a MS doc. --- Steve

0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
Associated internal Windows error codes
. STATUS_ACCOUNT_DISABLED

. STATUS_ACCOUNT_EXPIRED

. STATUS_ACCOUNT_LOCKED_OUT

. STATUS_ACCOUNT_DISABLED

. STATUS_INVALID_LOGON_HOURS

. STATUS_LOGIN_TIME_RESTRICTION

. STATUS_LOGIN_WKSTA_RESTRICTION

. STATUS_ACCOUNT_RESTRICTION




"djc" <noone@nowhere.com> wrote in message
news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> Source: Security
> Category: Account Logon
> Authentication Ticket Request Failed:
> User Name: smithly
> Supplied Realm Name: HELLER.COM
> Service Name: krbtgt/HELLER.COM
> Ticket Options: 0x40810010
> Failure Code: 0x12
> Client Address: 10.10.100.100
>
> according to the info I found on this failure code (12), this event is
> because of a time of day or workstation restriction. This would seem to make
> sense because the client address listed is a server that this user would not
> have the log on locally user right assigned for.
>
> Is this correct, this is telling me that smithly has attemped to logon to
> 10.10.100.100?
>
>
 
D

djc

Distinguished
Jun 16, 2004
75
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

thanks for the reply. I think where I am confused is the client address.. I
am expecting it to be 'from where' the logon was attempted... like the
user's workstation name... but that address is a domain controller? actually
I just double-checked and some of these events are from domain controller
addresses and some are from client workstations? I am confused. I know the
users don't have physical access to the servers so thats out. I suppose
terminal services logon attempts could generate this? I'm just not sure how
to interprets these security auditing events.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:3KcNc.161924$a24.85480@attbi_s03...
> That would seem to be the case. Failure code 0x12 can be a variety of
reasons but not
> having the user right for access could certainly be one. Below is a list
of items I
> found on a MS doc. --- Steve
>
> 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> Associated internal Windows error codes
> . STATUS_ACCOUNT_DISABLED
>
> . STATUS_ACCOUNT_EXPIRED
>
> . STATUS_ACCOUNT_LOCKED_OUT
>
> . STATUS_ACCOUNT_DISABLED
>
> . STATUS_INVALID_LOGON_HOURS
>
> . STATUS_LOGIN_TIME_RESTRICTION
>
> . STATUS_LOGIN_WKSTA_RESTRICTION
>
> . STATUS_ACCOUNT_RESTRICTION
>
>
>
>
> "djc" <noone@nowhere.com> wrote in message
> news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > Source: Security
> > Category: Account Logon
> > Authentication Ticket Request Failed:
> > User Name: smithly
> > Supplied Realm Name: HELLER.COM
> > Service Name: krbtgt/HELLER.COM
> > Ticket Options: 0x40810010
> > Failure Code: 0x12
> > Client Address: 10.10.100.100
> >
> > according to the info I found on this failure code (12), this event is
> > because of a time of day or workstation restriction. This would seem to
make
> > sense because the client address listed is a server that this user would
not
> > have the log on locally user right assigned for.
> >
> > Is this correct, this is telling me that smithly has attemped to logon
to
> > 10.10.100.100?
> >
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

If you enable logon events for failure on your Domain Controller Security Policy it
may give you more useable information including logon type. Logon type 2 would be
console or TS while logon 3 would be network attempt to access a share. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp
-- almost all applies to W2K also.

"djc" <noone@nowhere.com> wrote in message
news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
> thanks for the reply. I think where I am confused is the client address.. I
> am expecting it to be 'from where' the logon was attempted... like the
> user's workstation name... but that address is a domain controller? actually
> I just double-checked and some of these events are from domain controller
> addresses and some are from client workstations? I am confused. I know the
> users don't have physical access to the servers so thats out. I suppose
> terminal services logon attempts could generate this? I'm just not sure how
> to interprets these security auditing events.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:3KcNc.161924$a24.85480@attbi_s03...
> > That would seem to be the case. Failure code 0x12 can be a variety of
> reasons but not
> > having the user right for access could certainly be one. Below is a list
> of items I
> > found on a MS doc. --- Steve
> >
> > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> > Associated internal Windows error codes
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_ACCOUNT_EXPIRED
> >
> > . STATUS_ACCOUNT_LOCKED_OUT
> >
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_INVALID_LOGON_HOURS
> >
> > . STATUS_LOGIN_TIME_RESTRICTION
> >
> > . STATUS_LOGIN_WKSTA_RESTRICTION
> >
> > . STATUS_ACCOUNT_RESTRICTION
> >
> >
> >
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > > Source: Security
> > > Category: Account Logon
> > > Authentication Ticket Request Failed:
> > > User Name: smithly
> > > Supplied Realm Name: HELLER.COM
> > > Service Name: krbtgt/HELLER.COM
> > > Ticket Options: 0x40810010
> > > Failure Code: 0x12
> > > Client Address: 10.10.100.100
> > >
> > > according to the info I found on this failure code (12), this event is
> > > because of a time of day or workstation restriction. This would seem to
> make
> > > sense because the client address listed is a server that this user would
> not
> > > have the log on locally user right assigned for.
> > >
> > > Is this correct, this is telling me that smithly has attemped to logon
> to
> > > 10.10.100.100?
> > >
> > >
> >
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Check out the DC that is listed, you should then find the corresponding
event there with the workstation IP address listed. I have also would that
Kerberos ticket error 12 can be caused by users being in too many groups. We
found this problem when trying to access EMC NAS devices.

"djc" <noone@nowhere.com> wrote in message
news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
> thanks for the reply. I think where I am confused is the client address..
I
> am expecting it to be 'from where' the logon was attempted... like the
> user's workstation name... but that address is a domain controller?
actually
> I just double-checked and some of these events are from domain controller
> addresses and some are from client workstations? I am confused. I know the
> users don't have physical access to the servers so thats out. I suppose
> terminal services logon attempts could generate this? I'm just not sure
how
> to interprets these security auditing events.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:3KcNc.161924$a24.85480@attbi_s03...
> > That would seem to be the case. Failure code 0x12 can be a variety of
> reasons but not
> > having the user right for access could certainly be one. Below is a list
> of items I
> > found on a MS doc. --- Steve
> >
> > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> > Associated internal Windows error codes
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_ACCOUNT_EXPIRED
> >
> > . STATUS_ACCOUNT_LOCKED_OUT
> >
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_INVALID_LOGON_HOURS
> >
> > . STATUS_LOGIN_TIME_RESTRICTION
> >
> > . STATUS_LOGIN_WKSTA_RESTRICTION
> >
> > . STATUS_ACCOUNT_RESTRICTION
> >
> >
> >
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > > Source: Security
> > > Category: Account Logon
> > > Authentication Ticket Request Failed:
> > > User Name: smithly
> > > Supplied Realm Name: HELLER.COM
> > > Service Name: krbtgt/HELLER.COM
> > > Ticket Options: 0x40810010
> > > Failure Code: 0x12
> > > Client Address: 10.10.100.100
> > >
> > > according to the info I found on this failure code (12), this event is
> > > because of a time of day or workstation restriction. This would seem
to
> make
> > > sense because the client address listed is a server that this user
would
> not
> > > have the log on locally user right assigned for.
> > >
> > > Is this correct, this is telling me that smithly has attemped to logon
> to
> > > 10.10.100.100?
> > >
> > >
> >
> >
>
>
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom