Sign in with
Sign up | Sign in
Your question

Security Log Help

Tags:
  • Security
  • Authentication
  • Event Id
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
April 20, 2005 7:26:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

As soon as I retired my previous PDC I started getting errors in my security
eventy log & I don't know why. Help!
I followed KB255690 for transferring FSMO roles, KB295419 for transferring
the Global Catalog. My other event logs are clean. It's just the security
log that gets all the errors.

Event ID: 537
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Logon/Logoff
Reason: An unexpected error occurred during logon
Username:
Domain:
Logon Type: 3
Logon Process: Kerbos
Authentication Package: Kerbos
Workstation Name: -

Event ID: 675
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Logon/Logoff
Reason: An unexpected error occurred during logon
Username:
Domain:
Logon Type: 3
Logon Process: Kerbos
Authentication Package: Kerbos
Workstation Name: -

Event ID: 675
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Account Logon
Description: Pre-authentication failed
Username: juser
User ID: DOMAIN\juser
Service Name: krbtgt/DOMAIN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client address: 10.0.0.127


Event ID: 681
Source: Security
Type: Failure
User: NT AUTHORITY\SYSTEM
Category: Account Logon
Description: The logon to account: supervisor by
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed. The
error code was: 3221225578

More about : security log

Anonymous
a b 8 Security
April 20, 2005 9:58:30 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Try running the support tools netdiag and then dcdiag on your domain
controller to see if it reports any pertinent problems that may help in a
solution and verify that your domain controllers have the correct IP
addresses for preferred dns servers in their tcp/ip properties and that the
"old" domain controller IP address is not listed. Generally the pdc fsmo
should point to itself as it's preferred dns server and other domain
controllers for the domain should point to the pdc fsmo first and then
themselves. The old domain controller's IP should also be removed from DHCP
scopes and verified that the correct domain controllers IP addresses are
listed.--- Steve


"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
> As soon as I retired my previous PDC I started getting errors in my
> security
> eventy log & I don't know why. Help!
> I followed KB255690 for transferring FSMO roles, KB295419 for transferring
> the Global Catalog. My other event logs are clean. It's just the
> security
> log that gets all the errors.
>
> Event ID: 537
> Source: Security
> Type: Failure
> User: NT AUTHORITY\SYSTEM
> Category: Logon/Logoff
> Reason: An unexpected error occurred during logon
> Username:
> Domain:
> Logon Type: 3
> Logon Process: Kerbos
> Authentication Package: Kerbos
> Workstation Name: -
>
> Event ID: 675
> Source: Security
> Type: Failure
> User: NT AUTHORITY\SYSTEM
> Category: Logon/Logoff
> Reason: An unexpected error occurred during logon
> Username:
> Domain:
> Logon Type: 3
> Logon Process: Kerbos
> Authentication Package: Kerbos
> Workstation Name: -
>
> Event ID: 675
> Source: Security
> Type: Failure
> User: NT AUTHORITY\SYSTEM
> Category: Account Logon
> Description: Pre-authentication failed
> Username: juser
> User ID: DOMAIN\juser
> Service Name: krbtgt/DOMAIN
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client address: 10.0.0.127
>
>
> Event ID: 681
> Source: Security
> Type: Failure
> User: NT AUTHORITY\SYSTEM
> Category: Account Logon
> Description: The logon to account: supervisor by
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
> The
> error code was: 3221225578
>
>
>
>
Anonymous
a b 8 Security
April 27, 2005 4:53:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are all
correct. Should the pdc point only to itself for DNS? Old server is out of
DNS & new servers are listed. I'll set other DNS servers to point to pdc
first & let you know if it fixes. Any other ideas if this doesn't fix the
problem?

"Steven L Umbach" wrote:

> Try running the support tools netdiag and then dcdiag on your domain
> controller to see if it reports any pertinent problems that may help in a
> solution and verify that your domain controllers have the correct IP
> addresses for preferred dns servers in their tcp/ip properties and that the
> "old" domain controller IP address is not listed. Generally the pdc fsmo
> should point to itself as it's preferred dns server and other domain
> controllers for the domain should point to the pdc fsmo first and then
> themselves. The old domain controller's IP should also be removed from DHCP
> scopes and verified that the correct domain controllers IP addresses are
> listed.--- Steve
>
>
> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
> > As soon as I retired my previous PDC I started getting errors in my
> > security
> > eventy log & I don't know why. Help!
> > I followed KB255690 for transferring FSMO roles, KB295419 for transferring
> > the Global Catalog. My other event logs are clean. It's just the
> > security
> > log that gets all the errors.
> >
> > Event ID: 537
> > Source: Security
> > Type: Failure
> > User: NT AUTHORITY\SYSTEM
> > Category: Logon/Logoff
> > Reason: An unexpected error occurred during logon
> > Username:
> > Domain:
> > Logon Type: 3
> > Logon Process: Kerbos
> > Authentication Package: Kerbos
> > Workstation Name: -
> >
> > Event ID: 675
> > Source: Security
> > Type: Failure
> > User: NT AUTHORITY\SYSTEM
> > Category: Logon/Logoff
> > Reason: An unexpected error occurred during logon
> > Username:
> > Domain:
> > Logon Type: 3
> > Logon Process: Kerbos
> > Authentication Package: Kerbos
> > Workstation Name: -
> >
> > Event ID: 675
> > Source: Security
> > Type: Failure
> > User: NT AUTHORITY\SYSTEM
> > Category: Account Logon
> > Description: Pre-authentication failed
> > Username: juser
> > User ID: DOMAIN\juser
> > Service Name: krbtgt/DOMAIN
> > Pre-Authentication Type: 0x2
> > Failure Code: 0x18
> > Client address: 10.0.0.127
> >
> >
> > Event ID: 681
> > Source: Security
> > Type: Failure
> > User: NT AUTHORITY\SYSTEM
> > Category: Account Logon
> > Description: The logon to account: supervisor by
> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
> > The
> > error code was: 3221225578
> >
> >
> >
> >
>
>
>
Related resources
Anonymous
a b 8 Security
April 27, 2005 11:10:58 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If netdiag and dcdiag results look good then it probably is not related to
dns configuration for the domain controller. The link below is a good read
on dns best practices.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...

If you have downlevel clients in the domain such as NT4.0 or Windows 98 you
may see failed account logon events for kerberos but I don't know why you
would have not seen that before if that is the case. I see user juser,
Client address: 10.0.0.127, and SERVER2 failed referenced in the
logon/account logon failures. The error codes indicate bad password. You
might want to check to see what is going on with those objects. One thing to
try is running netdiag on Client address: 10.0.0.127, and SERVER2 to see
what is reported and check with juser to see if there are any logon
problems. I don't know if you are seeing failures for just certain users or
most everyone. --- Steve

"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
>I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are all
> correct. Should the pdc point only to itself for DNS? Old server is out
> of
> DNS & new servers are listed. I'll set other DNS servers to point to pdc
> first & let you know if it fixes. Any other ideas if this doesn't fix the
> problem?
>
> "Steven L Umbach" wrote:
>
>> Try running the support tools netdiag and then dcdiag on your domain
>> controller to see if it reports any pertinent problems that may help in a
>> solution and verify that your domain controllers have the correct IP
>> addresses for preferred dns servers in their tcp/ip properties and that
>> the
>> "old" domain controller IP address is not listed. Generally the pdc fsmo
>> should point to itself as it's preferred dns server and other domain
>> controllers for the domain should point to the pdc fsmo first and then
>> themselves. The old domain controller's IP should also be removed from
>> DHCP
>> scopes and verified that the correct domain controllers IP addresses are
>> listed.--- Steve
>>
>>
>> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
>> > As soon as I retired my previous PDC I started getting errors in my
>> > security
>> > eventy log & I don't know why. Help!
>> > I followed KB255690 for transferring FSMO roles, KB295419 for
>> > transferring
>> > the Global Catalog. My other event logs are clean. It's just the
>> > security
>> > log that gets all the errors.
>> >
>> > Event ID: 537
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Logon/Logoff
>> > Reason: An unexpected error occurred during logon
>> > Username:
>> > Domain:
>> > Logon Type: 3
>> > Logon Process: Kerbos
>> > Authentication Package: Kerbos
>> > Workstation Name: -
>> >
>> > Event ID: 675
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Logon/Logoff
>> > Reason: An unexpected error occurred during logon
>> > Username:
>> > Domain:
>> > Logon Type: 3
>> > Logon Process: Kerbos
>> > Authentication Package: Kerbos
>> > Workstation Name: -
>> >
>> > Event ID: 675
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Account Logon
>> > Description: Pre-authentication failed
>> > Username: juser
>> > User ID: DOMAIN\juser
>> > Service Name: krbtgt/DOMAIN
>> > Pre-Authentication Type: 0x2
>> > Failure Code: 0x18
>> > Client address: 10.0.0.127
>> >
>> >
>> > Event ID: 681
>> > Source: Security
>> > Type: Failure
>> > User: NT AUTHORITY\SYSTEM
>> > Category: Account Logon
>> > Description: The logon to account: supervisor by
>> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
>> > The
>> > error code was: 3221225578
>> >
>> >
>> >
>> >
>>
>>
>>
Anonymous
a b 8 Security
May 2, 2005 10:36:03 AM

Archived from groups: microsoft.public.win2000.security (More info?)

How could the password for juser be bad? They are able to logon on to the
domain, access shared folders on the servers, access their e-mail on the
exchange server and server based programs & databases. Most clients are XP
Pro SP1. A few are at SP2 nad very few are 2000 SP4.

I read the article on dns best practices. The only change I made to comply
was to a second dc. I set it to point to the first dc as primary dns &
itsself as secondary dns.

These error messages are occurring for everyone. I have run netdiag on
10.0.0.127 & server2. No failures reported. Only a warning on 10.0.0.127.
It passed the NetBT name test but had the following:
[WANRING] At least one of the <00> 'Workstation Service', <03> 'Messenger
service', <20> 'WINS' names is missing.
Later in the netdiag report it listed:
NetBT name test . . . passed
[WANRING] You don't have a single interface with the <00> 'Workstation
Service', <03> 'Messenger service', <20> 'WINS' names defined.

No such errors on the server2

"Steven L Umbach" wrote:

> If netdiag and dcdiag results look good then it probably is not related to
> dns configuration for the domain controller. The link below is a good read
> on dns best practices.
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>
> If you have downlevel clients in the domain such as NT4.0 or Windows 98 you
> may see failed account logon events for kerberos but I don't know why you
> would have not seen that before if that is the case. I see user juser,
> Client address: 10.0.0.127, and SERVER2 failed referenced in the
> logon/account logon failures. The error codes indicate bad password. You
> might want to check to see what is going on with those objects. One thing to
> try is running netdiag on Client address: 10.0.0.127, and SERVER2 to see
> what is reported and check with juser to see if there are any logon
> problems. I don't know if you are seeing failures for just certain users or
> most everyone. --- Steve
>
> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are all
> > correct. Should the pdc point only to itself for DNS? Old server is out
> > of
> > DNS & new servers are listed. I'll set other DNS servers to point to pdc
> > first & let you know if it fixes. Any other ideas if this doesn't fix the
> > problem?
> >
> > "Steven L Umbach" wrote:
> >
> >> Try running the support tools netdiag and then dcdiag on your domain
> >> controller to see if it reports any pertinent problems that may help in a
> >> solution and verify that your domain controllers have the correct IP
> >> addresses for preferred dns servers in their tcp/ip properties and that
> >> the
> >> "old" domain controller IP address is not listed. Generally the pdc fsmo
> >> should point to itself as it's preferred dns server and other domain
> >> controllers for the domain should point to the pdc fsmo first and then
> >> themselves. The old domain controller's IP should also be removed from
> >> DHCP
> >> scopes and verified that the correct domain controllers IP addresses are
> >> listed.--- Steve
> >>
> >>
> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
> >> > As soon as I retired my previous PDC I started getting errors in my
> >> > security
> >> > eventy log & I don't know why. Help!
> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
> >> > transferring
> >> > the Global Catalog. My other event logs are clean. It's just the
> >> > security
> >> > log that gets all the errors.
> >> >
> >> > Event ID: 537
> >> > Source: Security
> >> > Type: Failure
> >> > User: NT AUTHORITY\SYSTEM
> >> > Category: Logon/Logoff
> >> > Reason: An unexpected error occurred during logon
> >> > Username:
> >> > Domain:
> >> > Logon Type: 3
> >> > Logon Process: Kerbos
> >> > Authentication Package: Kerbos
> >> > Workstation Name: -
> >> >
> >> > Event ID: 675
> >> > Source: Security
> >> > Type: Failure
> >> > User: NT AUTHORITY\SYSTEM
> >> > Category: Logon/Logoff
> >> > Reason: An unexpected error occurred during logon
> >> > Username:
> >> > Domain:
> >> > Logon Type: 3
> >> > Logon Process: Kerbos
> >> > Authentication Package: Kerbos
> >> > Workstation Name: -
> >> >
> >> > Event ID: 675
> >> > Source: Security
> >> > Type: Failure
> >> > User: NT AUTHORITY\SYSTEM
> >> > Category: Account Logon
> >> > Description: Pre-authentication failed
> >> > Username: juser
> >> > User ID: DOMAIN\juser
> >> > Service Name: krbtgt/DOMAIN
> >> > Pre-Authentication Type: 0x2
> >> > Failure Code: 0x18
> >> > Client address: 10.0.0.127
> >> >
> >> >
> >> > Event ID: 681
> >> > Source: Security
> >> > Type: Failure
> >> > User: NT AUTHORITY\SYSTEM
> >> > Category: Account Logon
> >> > Description: The logon to account: supervisor by
> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2 failed.
> >> > The
> >> > error code was: 3221225578
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >>
>
>
>
Anonymous
a b 8 Security
May 2, 2005 4:10:23 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I would not worry about those netdiag errors as I see them on occasion and I
doubt would be related to what you are seeing in the security log. Try
running netdiag on the computer that juser is logging on from. Netdiag
includes a kerberos test. It could be that for some reason they are not
being authenticated via kerberos and are falling back to NTLM to be
authenticated which may generate a successful account logon event after the
failed event for the user on the domain controller that authenticated the
user. The first link below may be of interest but I doubt it is related to
your situation. The second link is on troubleshooting kerberos and mostly
applies to Windows 2000 also. --- Steve

http://support.microsoft.com/?kbid=244474
http://www.microsoft.com/technet/prodtechnol/windowsser...


"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:6E6B6CDF-7A71-4621-82E0-88D0B4D835DC@microsoft.com...
> How could the password for juser be bad? They are able to logon on to the
> domain, access shared folders on the servers, access their e-mail on the
> exchange server and server based programs & databases. Most clients are
> XP
> Pro SP1. A few are at SP2 nad very few are 2000 SP4.
>
> I read the article on dns best practices. The only change I made to
> comply
> was to a second dc. I set it to point to the first dc as primary dns &
> itsself as secondary dns.
>
> These error messages are occurring for everyone. I have run netdiag on
> 10.0.0.127 & server2. No failures reported. Only a warning on 10.0.0.127.
> It passed the NetBT name test but had the following:
> [WANRING] At least one of the <00> 'Workstation Service', <03> 'Messenger
> service', <20> 'WINS' names is missing.
> Later in the netdiag report it listed:
> NetBT name test . . . passed
> [WANRING] You don't have a single interface with the <00> 'Workstation
> Service', <03> 'Messenger service', <20> 'WINS' names defined.
>
> No such errors on the server2
>
> "Steven L Umbach" wrote:
>
>> If netdiag and dcdiag results look good then it probably is not related
>> to
>> dns configuration for the domain controller. The link below is a good
>> read
>> on dns best practices.
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>>
>> If you have downlevel clients in the domain such as NT4.0 or Windows 98
>> you
>> may see failed account logon events for kerberos but I don't know why you
>> would have not seen that before if that is the case. I see user juser,
>> Client address: 10.0.0.127, and SERVER2 failed referenced in the
>> logon/account logon failures. The error codes indicate bad password. You
>> might want to check to see what is going on with those objects. One thing
>> to
>> try is running netdiag on Client address: 10.0.0.127, and SERVER2 to see
>> what is reported and check with juser to see if there are any logon
>> problems. I don't know if you are seeing failures for just certain users
>> or
>> most everyone. --- Steve
>>
>> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
>> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are
>> >all
>> > correct. Should the pdc point only to itself for DNS? Old server is
>> > out
>> > of
>> > DNS & new servers are listed. I'll set other DNS servers to point to
>> > pdc
>> > first & let you know if it fixes. Any other ideas if this doesn't fix
>> > the
>> > problem?
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Try running the support tools netdiag and then dcdiag on your domain
>> >> controller to see if it reports any pertinent problems that may help
>> >> in a
>> >> solution and verify that your domain controllers have the correct IP
>> >> addresses for preferred dns servers in their tcp/ip properties and
>> >> that
>> >> the
>> >> "old" domain controller IP address is not listed. Generally the pdc
>> >> fsmo
>> >> should point to itself as it's preferred dns server and other domain
>> >> controllers for the domain should point to the pdc fsmo first and then
>> >> themselves. The old domain controller's IP should also be removed
>> >> from
>> >> DHCP
>> >> scopes and verified that the correct domain controllers IP addresses
>> >> are
>> >> listed.--- Steve
>> >>
>> >>
>> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
>> >> > As soon as I retired my previous PDC I started getting errors in my
>> >> > security
>> >> > eventy log & I don't know why. Help!
>> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
>> >> > transferring
>> >> > the Global Catalog. My other event logs are clean. It's just the
>> >> > security
>> >> > log that gets all the errors.
>> >> >
>> >> > Event ID: 537
>> >> > Source: Security
>> >> > Type: Failure
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Category: Logon/Logoff
>> >> > Reason: An unexpected error occurred during logon
>> >> > Username:
>> >> > Domain:
>> >> > Logon Type: 3
>> >> > Logon Process: Kerbos
>> >> > Authentication Package: Kerbos
>> >> > Workstation Name: -
>> >> >
>> >> > Event ID: 675
>> >> > Source: Security
>> >> > Type: Failure
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Category: Logon/Logoff
>> >> > Reason: An unexpected error occurred during logon
>> >> > Username:
>> >> > Domain:
>> >> > Logon Type: 3
>> >> > Logon Process: Kerbos
>> >> > Authentication Package: Kerbos
>> >> > Workstation Name: -
>> >> >
>> >> > Event ID: 675
>> >> > Source: Security
>> >> > Type: Failure
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Category: Account Logon
>> >> > Description: Pre-authentication failed
>> >> > Username: juser
>> >> > User ID: DOMAIN\juser
>> >> > Service Name: krbtgt/DOMAIN
>> >> > Pre-Authentication Type: 0x2
>> >> > Failure Code: 0x18
>> >> > Client address: 10.0.0.127
>> >> >
>> >> >
>> >> > Event ID: 681
>> >> > Source: Security
>> >> > Type: Failure
>> >> > User: NT AUTHORITY\SYSTEM
>> >> > Category: Account Logon
>> >> > Description: The logon to account: supervisor by
>> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2
>> >> > failed.
>> >> > The
>> >> > error code was: 3221225578
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
a b 8 Security
May 5, 2005 9:42:14 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The kerbos test passes on jusers workstation. Any other ideas. This is
driving me crazy.

"Steven L Umbach" wrote:

> I would not worry about those netdiag errors as I see them on occasion and I
> doubt would be related to what you are seeing in the security log. Try
> running netdiag on the computer that juser is logging on from. Netdiag
> includes a kerberos test. It could be that for some reason they are not
> being authenticated via kerberos and are falling back to NTLM to be
> authenticated which may generate a successful account logon event after the
> failed event for the user on the domain controller that authenticated the
> user. The first link below may be of interest but I doubt it is related to
> your situation. The second link is on troubleshooting kerberos and mostly
> applies to Windows 2000 also. --- Steve
>
> http://support.microsoft.com/?kbid=244474
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
>
> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> news:6E6B6CDF-7A71-4621-82E0-88D0B4D835DC@microsoft.com...
> > How could the password for juser be bad? They are able to logon on to the
> > domain, access shared folders on the servers, access their e-mail on the
> > exchange server and server based programs & databases. Most clients are
> > XP
> > Pro SP1. A few are at SP2 nad very few are 2000 SP4.
> >
> > I read the article on dns best practices. The only change I made to
> > comply
> > was to a second dc. I set it to point to the first dc as primary dns &
> > itsself as secondary dns.
> >
> > These error messages are occurring for everyone. I have run netdiag on
> > 10.0.0.127 & server2. No failures reported. Only a warning on 10.0.0.127.
> > It passed the NetBT name test but had the following:
> > [WANRING] At least one of the <00> 'Workstation Service', <03> 'Messenger
> > service', <20> 'WINS' names is missing.
> > Later in the netdiag report it listed:
> > NetBT name test . . . passed
> > [WANRING] You don't have a single interface with the <00> 'Workstation
> > Service', <03> 'Messenger service', <20> 'WINS' names defined.
> >
> > No such errors on the server2
> >
> > "Steven L Umbach" wrote:
> >
> >> If netdiag and dcdiag results look good then it probably is not related
> >> to
> >> dns configuration for the domain controller. The link below is a good
> >> read
> >> on dns best practices.
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> >>
> >> If you have downlevel clients in the domain such as NT4.0 or Windows 98
> >> you
> >> may see failed account logon events for kerberos but I don't know why you
> >> would have not seen that before if that is the case. I see user juser,
> >> Client address: 10.0.0.127, and SERVER2 failed referenced in the
> >> logon/account logon failures. The error codes indicate bad password. You
> >> might want to check to see what is going on with those objects. One thing
> >> to
> >> try is running netdiag on Client address: 10.0.0.127, and SERVER2 to see
> >> what is reported and check with juser to see if there are any logon
> >> problems. I don't know if you are seeing failures for just certain users
> >> or
> >> most everyone. --- Steve
> >>
> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
> >> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS are
> >> >all
> >> > correct. Should the pdc point only to itself for DNS? Old server is
> >> > out
> >> > of
> >> > DNS & new servers are listed. I'll set other DNS servers to point to
> >> > pdc
> >> > first & let you know if it fixes. Any other ideas if this doesn't fix
> >> > the
> >> > problem?
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> Try running the support tools netdiag and then dcdiag on your domain
> >> >> controller to see if it reports any pertinent problems that may help
> >> >> in a
> >> >> solution and verify that your domain controllers have the correct IP
> >> >> addresses for preferred dns servers in their tcp/ip properties and
> >> >> that
> >> >> the
> >> >> "old" domain controller IP address is not listed. Generally the pdc
> >> >> fsmo
> >> >> should point to itself as it's preferred dns server and other domain
> >> >> controllers for the domain should point to the pdc fsmo first and then
> >> >> themselves. The old domain controller's IP should also be removed
> >> >> from
> >> >> DHCP
> >> >> scopes and verified that the correct domain controllers IP addresses
> >> >> are
> >> >> listed.--- Steve
> >> >>
> >> >>
> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
> >> >> > As soon as I retired my previous PDC I started getting errors in my
> >> >> > security
> >> >> > eventy log & I don't know why. Help!
> >> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
> >> >> > transferring
> >> >> > the Global Catalog. My other event logs are clean. It's just the
> >> >> > security
> >> >> > log that gets all the errors.
> >> >> >
> >> >> > Event ID: 537
> >> >> > Source: Security
> >> >> > Type: Failure
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Category: Logon/Logoff
> >> >> > Reason: An unexpected error occurred during logon
> >> >> > Username:
> >> >> > Domain:
> >> >> > Logon Type: 3
> >> >> > Logon Process: Kerbos
> >> >> > Authentication Package: Kerbos
> >> >> > Workstation Name: -
> >> >> >
> >> >> > Event ID: 675
> >> >> > Source: Security
> >> >> > Type: Failure
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Category: Logon/Logoff
> >> >> > Reason: An unexpected error occurred during logon
> >> >> > Username:
> >> >> > Domain:
> >> >> > Logon Type: 3
> >> >> > Logon Process: Kerbos
> >> >> > Authentication Package: Kerbos
> >> >> > Workstation Name: -
> >> >> >
> >> >> > Event ID: 675
> >> >> > Source: Security
> >> >> > Type: Failure
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Category: Account Logon
> >> >> > Description: Pre-authentication failed
> >> >> > Username: juser
> >> >> > User ID: DOMAIN\juser
> >> >> > Service Name: krbtgt/DOMAIN
> >> >> > Pre-Authentication Type: 0x2
> >> >> > Failure Code: 0x18
> >> >> > Client address: 10.0.0.127
> >> >> >
> >> >> >
> >> >> > Event ID: 681
> >> >> > Source: Security
> >> >> > Type: Failure
> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> > Category: Account Logon
> >> >> > Description: The logon to account: supervisor by
> >> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2
> >> >> > failed.
> >> >> > The
> >> >> > error code was: 3221225578
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
a b 8 Security
May 5, 2005 4:41:32 PM

Archived from groups: microsoft.public.win2000.security (More info?)

That is really weird if no problems are being reported anywhere for netdiag
or dcdiag. Since user is not being denied access, fallback to NTLM
authentication must be how the user/computer is being authenticated. The
article on Kerberos troubleshooting may help. You can modify the registry on
the domain controller being used for authentication to enable kerberos
logging which may generate information that may help pinpoint the problem.
The other thing to try is to use netmon to capture authentication traffic to
compare to authentication traffic that is successful for kerberos to compare
the traces to see if anything stands out. You may also want to post in the
server Active Directory newsgroup to see if anyone over there has seen this
happen after a transfer of a pdc fsmo. --- Steve

How to enable Kerberos event logging on a specific computer

1.
Start Registry Editor.

Caution
Incorrectly editing the registry might severely damage your system.
Before making changes to the registry, you should back up any valued data on
the computer.

2.
Add the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Registry Value: LogLevel

Value Type: REG_DWORD

Value Data: 0x1

3.
If the Parameters subkey does not exist, create it.

Note
Remove this registry value when it is no longer needed so that
performance is not degraded on the computer. Also, you can remove this
registry value to disable Kerberos event logging on a specific computer.

4.
Quit Registry Editor, and then restart the computer.



"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:24C575C2-3E97-4BC2-A9B6-040A5A7079A1@microsoft.com...
> The kerbos test passes on jusers workstation. Any other ideas. This is
> driving me crazy.
>
> "Steven L Umbach" wrote:
>
>> I would not worry about those netdiag errors as I see them on occasion
>> and I
>> doubt would be related to what you are seeing in the security log. Try
>> running netdiag on the computer that juser is logging on from. Netdiag
>> includes a kerberos test. It could be that for some reason they are not
>> being authenticated via kerberos and are falling back to NTLM to be
>> authenticated which may generate a successful account logon event after
>> the
>> failed event for the user on the domain controller that authenticated the
>> user. The first link below may be of interest but I doubt it is related
>> to
>> your situation. The second link is on troubleshooting kerberos and
>> mostly
>> applies to Windows 2000 also. --- Steve
>>
>> http://support.microsoft.com/?kbid=244474
>> http://www.microsoft.com/technet/prodtechnol/windowsser...
>>
>>
>> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> news:6E6B6CDF-7A71-4621-82E0-88D0B4D835DC@microsoft.com...
>> > How could the password for juser be bad? They are able to logon on to
>> > the
>> > domain, access shared folders on the servers, access their e-mail on
>> > the
>> > exchange server and server based programs & databases. Most clients
>> > are
>> > XP
>> > Pro SP1. A few are at SP2 nad very few are 2000 SP4.
>> >
>> > I read the article on dns best practices. The only change I made to
>> > comply
>> > was to a second dc. I set it to point to the first dc as primary dns &
>> > itsself as secondary dns.
>> >
>> > These error messages are occurring for everyone. I have run netdiag on
>> > 10.0.0.127 & server2. No failures reported. Only a warning on
>> > 10.0.0.127.
>> > It passed the NetBT name test but had the following:
>> > [WANRING] At least one of the <00> 'Workstation Service', <03>
>> > 'Messenger
>> > service', <20> 'WINS' names is missing.
>> > Later in the netdiag report it listed:
>> > NetBT name test . . . passed
>> > [WANRING] You don't have a single interface with the <00> 'Workstation
>> > Service', <03> 'Messenger service', <20> 'WINS' names defined.
>> >
>> > No such errors on the server2
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> If netdiag and dcdiag results look good then it probably is not
>> >> related
>> >> to
>> >> dns configuration for the domain controller. The link below is a good
>> >> read
>> >> on dns best practices.
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>> >>
>> >> If you have downlevel clients in the domain such as NT4.0 or Windows
>> >> 98
>> >> you
>> >> may see failed account logon events for kerberos but I don't know why
>> >> you
>> >> would have not seen that before if that is the case. I see user juser,
>> >> Client address: 10.0.0.127, and SERVER2 failed referenced in the
>> >> logon/account logon failures. The error codes indicate bad password.
>> >> You
>> >> might want to check to see what is going on with those objects. One
>> >> thing
>> >> to
>> >> try is running netdiag on Client address: 10.0.0.127, and SERVER2 to
>> >> see
>> >> what is reported and check with juser to see if there are any logon
>> >> problems. I don't know if you are seeing failures for just certain
>> >> users
>> >> or
>> >> most everyone. --- Steve
>> >>
>> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
>> >> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS
>> >> >are
>> >> >all
>> >> > correct. Should the pdc point only to itself for DNS? Old server
>> >> > is
>> >> > out
>> >> > of
>> >> > DNS & new servers are listed. I'll set other DNS servers to point
>> >> > to
>> >> > pdc
>> >> > first & let you know if it fixes. Any other ideas if this doesn't
>> >> > fix
>> >> > the
>> >> > problem?
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> Try running the support tools netdiag and then dcdiag on your
>> >> >> domain
>> >> >> controller to see if it reports any pertinent problems that may
>> >> >> help
>> >> >> in a
>> >> >> solution and verify that your domain controllers have the correct
>> >> >> IP
>> >> >> addresses for preferred dns servers in their tcp/ip properties and
>> >> >> that
>> >> >> the
>> >> >> "old" domain controller IP address is not listed. Generally the pdc
>> >> >> fsmo
>> >> >> should point to itself as it's preferred dns server and other
>> >> >> domain
>> >> >> controllers for the domain should point to the pdc fsmo first and
>> >> >> then
>> >> >> themselves. The old domain controller's IP should also be removed
>> >> >> from
>> >> >> DHCP
>> >> >> scopes and verified that the correct domain controllers IP
>> >> >> addresses
>> >> >> are
>> >> >> listed.--- Steve
>> >> >>
>> >> >>
>> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
>> >> >> > As soon as I retired my previous PDC I started getting errors in
>> >> >> > my
>> >> >> > security
>> >> >> > eventy log & I don't know why. Help!
>> >> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
>> >> >> > transferring
>> >> >> > the Global Catalog. My other event logs are clean. It's just
>> >> >> > the
>> >> >> > security
>> >> >> > log that gets all the errors.
>> >> >> >
>> >> >> > Event ID: 537
>> >> >> > Source: Security
>> >> >> > Type: Failure
>> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> > Category: Logon/Logoff
>> >> >> > Reason: An unexpected error occurred during logon
>> >> >> > Username:
>> >> >> > Domain:
>> >> >> > Logon Type: 3
>> >> >> > Logon Process: Kerbos
>> >> >> > Authentication Package: Kerbos
>> >> >> > Workstation Name: -
>> >> >> >
>> >> >> > Event ID: 675
>> >> >> > Source: Security
>> >> >> > Type: Failure
>> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> > Category: Logon/Logoff
>> >> >> > Reason: An unexpected error occurred during logon
>> >> >> > Username:
>> >> >> > Domain:
>> >> >> > Logon Type: 3
>> >> >> > Logon Process: Kerbos
>> >> >> > Authentication Package: Kerbos
>> >> >> > Workstation Name: -
>> >> >> >
>> >> >> > Event ID: 675
>> >> >> > Source: Security
>> >> >> > Type: Failure
>> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> > Category: Account Logon
>> >> >> > Description: Pre-authentication failed
>> >> >> > Username: juser
>> >> >> > User ID: DOMAIN\juser
>> >> >> > Service Name: krbtgt/DOMAIN
>> >> >> > Pre-Authentication Type: 0x2
>> >> >> > Failure Code: 0x18
>> >> >> > Client address: 10.0.0.127
>> >> >> >
>> >> >> >
>> >> >> > Event ID: 681
>> >> >> > Source: Security
>> >> >> > Type: Failure
>> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> > Category: Account Logon
>> >> >> > Description: The logon to account: supervisor by
>> >> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2
>> >> >> > failed.
>> >> >> > The
>> >> >> > error code was: 3221225578
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>


begin 666 important.gif
M1TE&.#EA"@`*`)'_````_P``@,# P)F9F2'Y! $```(`+ `````*``H```(=
?E!6G"+D!1%-PB#$9L'A"$('9)P:6`4GFTYR/*Q0`.P``
`
end

begin 666 note.gif
M1TE&.#EA"@`*`+/_`(V,C?__S/_,`/\%!?]=7<# P-/3T\# P(6%A0("`@``
M`````````````````````"'Y! $```4`+ `````*``H`0 0H$,AI#AD@Z)U*
AR1HB)(8'<N,7&EJG;JV P4GZ&@D2(";<>HF@,.B)```[
`
end
Anonymous
a b 8 Security
May 6, 2005 10:41:16 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Could any of this be due to running in mixed mode? Should this be changed to
native mode? We currently have 2 Windows 2000 servers, Windows XP Pro on the
desktop & a few Windows 2000 Pro PC's.

I have discovered something else. I ran a network security scanning
program. It reported: "It is recommended to use NTLM authentication instead
of LM". It then recommended: "Bugtraq ID/URL:
http://support.microsoft.com/support/kb/articles/q147/7..." I have not
made any changed regarding this. Does this have anything to do with my
issue? This article appears to address NT4 not 2000 or XP. I don't find
this type of entry in my registry. Under this are of my registry my
authentication package is msv1_0. My security package is kerbos msv1_0
schannel & notification package is scecli.

I will try your suggestion to enable kerbos logging & let you know what I
find.

Thanks for your assistance.

Brad

"Steven L Umbach" wrote:

> That is really weird if no problems are being reported anywhere for netdiag
> or dcdiag. Since user is not being denied access, fallback to NTLM
> authentication must be how the user/computer is being authenticated. The
> article on Kerberos troubleshooting may help. You can modify the registry on
> the domain controller being used for authentication to enable kerberos
> logging which may generate information that may help pinpoint the problem.
> The other thing to try is to use netmon to capture authentication traffic to
> compare to authentication traffic that is successful for kerberos to compare
> the traces to see if anything stands out. You may also want to post in the
> server Active Directory newsgroup to see if anyone over there has seen this
> happen after a transfer of a pdc fsmo. --- Steve
>
> How to enable Kerberos event logging on a specific computer
>
> 1.
> Start Registry Editor.
>
> Caution
> Incorrectly editing the registry might severely damage your system.
> Before making changes to the registry, you should back up any valued data on
> the computer.
>
> 2.
> Add the following registry value:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>
> Registry Value: LogLevel
>
> Value Type: REG_DWORD
>
> Value Data: 0x1
>
> 3.
> If the Parameters subkey does not exist, create it.
>
> Note
> Remove this registry value when it is no longer needed so that
> performance is not degraded on the computer. Also, you can remove this
> registry value to disable Kerberos event logging on a specific computer.
>
> 4.
> Quit Registry Editor, and then restart the computer.
>
>
>
> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> news:24C575C2-3E97-4BC2-A9B6-040A5A7079A1@microsoft.com...
> > The kerbos test passes on jusers workstation. Any other ideas. This is
> > driving me crazy.
> >
> > "Steven L Umbach" wrote:
> >
> >> I would not worry about those netdiag errors as I see them on occasion
> >> and I
> >> doubt would be related to what you are seeing in the security log. Try
> >> running netdiag on the computer that juser is logging on from. Netdiag
> >> includes a kerberos test. It could be that for some reason they are not
> >> being authenticated via kerberos and are falling back to NTLM to be
> >> authenticated which may generate a successful account logon event after
> >> the
> >> failed event for the user on the domain controller that authenticated the
> >> user. The first link below may be of interest but I doubt it is related
> >> to
> >> your situation. The second link is on troubleshooting kerberos and
> >> mostly
> >> applies to Windows 2000 also. --- Steve
> >>
> >> http://support.microsoft.com/?kbid=244474
> >> http://www.microsoft.com/technet/prodtechnol/windowsser...
> >>
> >>
> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> news:6E6B6CDF-7A71-4621-82E0-88D0B4D835DC@microsoft.com...
> >> > How could the password for juser be bad? They are able to logon on to
> >> > the
> >> > domain, access shared folders on the servers, access their e-mail on
> >> > the
> >> > exchange server and server based programs & databases. Most clients
> >> > are
> >> > XP
> >> > Pro SP1. A few are at SP2 nad very few are 2000 SP4.
> >> >
> >> > I read the article on dns best practices. The only change I made to
> >> > comply
> >> > was to a second dc. I set it to point to the first dc as primary dns &
> >> > itsself as secondary dns.
> >> >
> >> > These error messages are occurring for everyone. I have run netdiag on
> >> > 10.0.0.127 & server2. No failures reported. Only a warning on
> >> > 10.0.0.127.
> >> > It passed the NetBT name test but had the following:
> >> > [WANRING] At least one of the <00> 'Workstation Service', <03>
> >> > 'Messenger
> >> > service', <20> 'WINS' names is missing.
> >> > Later in the netdiag report it listed:
> >> > NetBT name test . . . passed
> >> > [WANRING] You don't have a single interface with the <00> 'Workstation
> >> > Service', <03> 'Messenger service', <20> 'WINS' names defined.
> >> >
> >> > No such errors on the server2
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> If netdiag and dcdiag results look good then it probably is not
> >> >> related
> >> >> to
> >> >> dns configuration for the domain controller. The link below is a good
> >> >> read
> >> >> on dns best practices.
> >> >>
> >> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> >> >>
> >> >> If you have downlevel clients in the domain such as NT4.0 or Windows
> >> >> 98
> >> >> you
> >> >> may see failed account logon events for kerberos but I don't know why
> >> >> you
> >> >> would have not seen that before if that is the case. I see user juser,
> >> >> Client address: 10.0.0.127, and SERVER2 failed referenced in the
> >> >> logon/account logon failures. The error codes indicate bad password.
> >> >> You
> >> >> might want to check to see what is going on with those objects. One
> >> >> thing
> >> >> to
> >> >> try is running netdiag on Client address: 10.0.0.127, and SERVER2 to
> >> >> see
> >> >> what is reported and check with juser to see if there are any logon
> >> >> problems. I don't know if you are seeing failures for just certain
> >> >> users
> >> >> or
> >> >> most everyone. --- Steve
> >> >>
> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> >> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
> >> >> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS
> >> >> >are
> >> >> >all
> >> >> > correct. Should the pdc point only to itself for DNS? Old server
> >> >> > is
> >> >> > out
> >> >> > of
> >> >> > DNS & new servers are listed. I'll set other DNS servers to point
> >> >> > to
> >> >> > pdc
> >> >> > first & let you know if it fixes. Any other ideas if this doesn't
> >> >> > fix
> >> >> > the
> >> >> > problem?
> >> >> >
> >> >> > "Steven L Umbach" wrote:
> >> >> >
> >> >> >> Try running the support tools netdiag and then dcdiag on your
> >> >> >> domain
> >> >> >> controller to see if it reports any pertinent problems that may
> >> >> >> help
> >> >> >> in a
> >> >> >> solution and verify that your domain controllers have the correct
> >> >> >> IP
> >> >> >> addresses for preferred dns servers in their tcp/ip properties and
> >> >> >> that
> >> >> >> the
> >> >> >> "old" domain controller IP address is not listed. Generally the pdc
> >> >> >> fsmo
> >> >> >> should point to itself as it's preferred dns server and other
> >> >> >> domain
> >> >> >> controllers for the domain should point to the pdc fsmo first and
> >> >> >> then
> >> >> >> themselves. The old domain controller's IP should also be removed
> >> >> >> from
> >> >> >> DHCP
> >> >> >> scopes and verified that the correct domain controllers IP
> >> >> >> addresses
> >> >> >> are
> >> >> >> listed.--- Steve
> >> >> >>
> >> >> >>
> >> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
> >> >> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
> >> >> >> > As soon as I retired my previous PDC I started getting errors in
> >> >> >> > my
> >> >> >> > security
> >> >> >> > eventy log & I don't know why. Help!
> >> >> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
> >> >> >> > transferring
> >> >> >> > the Global Catalog. My other event logs are clean. It's just
> >> >> >> > the
> >> >> >> > security
> >> >> >> > log that gets all the errors.
> >> >> >> >
> >> >> >> > Event ID: 537
> >> >> >> > Source: Security
> >> >> >> > Type: Failure
> >> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> >> > Category: Logon/Logoff
> >> >> >> > Reason: An unexpected error occurred during logon
> >> >> >> > Username:
> >> >> >> > Domain:
> >> >> >> > Logon Type: 3
> >> >> >> > Logon Process: Kerbos
> >> >> >> > Authentication Package: Kerbos
> >> >> >> > Workstation Name: -
> >> >> >> >
> >> >> >> > Event ID: 675
> >> >> >> > Source: Security
> >> >> >> > Type: Failure
> >> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> >> > Category: Logon/Logoff
> >> >> >> > Reason: An unexpected error occurred during logon
> >> >> >> > Username:
> >> >> >> > Domain:
> >> >> >> > Logon Type: 3
> >> >> >> > Logon Process: Kerbos
> >> >> >> > Authentication Package: Kerbos
> >> >> >> > Workstation Name: -
> >> >> >> >
> >> >> >> > Event ID: 675
> >> >> >> > Source: Security
> >> >> >> > Type: Failure
> >> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> >> > Category: Account Logon
> >> >> >> > Description: Pre-authentication failed
> >> >> >> > Username: juser
> >> >> >> > User ID: DOMAIN\juser
> >> >> >> > Service Name: krbtgt/DOMAIN
> >> >> >> > Pre-Authentication Type: 0x2
> >> >> >> > Failure Code: 0x18
> >> >> >> > Client address: 10.0.0.127
> >> >> >> >
> >> >> >> >
> >> >> >> > Event ID: 681
> >> >> >> > Source: Security
> >> >> >> > Type: Failure
> >> >> >> > User: NT AUTHORITY\SYSTEM
> >> >> >> > Category: Account Logon
> >> >> >> > Description: The logon to account: supervisor by
> >> >> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: SERVER2
> >> >> >> > failed.
> >> >> >> > The
> >> >> >> > error code was: 3221225578
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
a b 8 Security
May 6, 2005 1:36:16 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Running in mixed mode should not matter as kerberos would still be the
default authentication method for XP Pro/W2000 computers. As far as "It is
recommended to use NTLM authentication instead of LM" , while that is true
that should not be preventing your computers from using kerberos. There is a
security option called lan manager authentication level that can be used to
disable lm use in the domain to make sure it is not used and you can disable
storage of lm hashes. This is wise to do if there are no W9X computers that
are in the domain or need to access domain resources. The usual reasons for
situations why kerberos is not used by a kerberos capable domain computer is
if there is a time skew greater than five minutes compared to the domain
controller, that a resource is being referred to by an IP address instead of
a fully qualified domain name, or there is a problem with UDP for using
kerberos which is fairly unusual. --- Steve

"Johnse" <Johnse@discussions.microsoft.com> wrote in message
news:4A4D687B-9CC0-49E6-85AE-F5292DB1961C@microsoft.com...
> Could any of this be due to running in mixed mode? Should this be changed
> to
> native mode? We currently have 2 Windows 2000 servers, Windows XP Pro on
> the
> desktop & a few Windows 2000 Pro PC's.
>
> I have discovered something else. I ran a network security scanning
> program. It reported: "It is recommended to use NTLM authentication
> instead
> of LM". It then recommended: "Bugtraq ID/URL:
> http://support.microsoft.com/support/kb/articles/q147/7..." I have
> not
> made any changed regarding this. Does this have anything to do with my
> issue? This article appears to address NT4 not 2000 or XP. I don't find
> this type of entry in my registry. Under this are of my registry my
> authentication package is msv1_0. My security package is kerbos msv1_0
> schannel & notification package is scecli.
>
> I will try your suggestion to enable kerbos logging & let you know what I
> find.
>
> Thanks for your assistance.
>
> Brad
>
> "Steven L Umbach" wrote:
>
>> That is really weird if no problems are being reported anywhere for
>> netdiag
>> or dcdiag. Since user is not being denied access, fallback to NTLM
>> authentication must be how the user/computer is being authenticated. The
>> article on Kerberos troubleshooting may help. You can modify the registry
>> on
>> the domain controller being used for authentication to enable kerberos
>> logging which may generate information that may help pinpoint the
>> problem.
>> The other thing to try is to use netmon to capture authentication traffic
>> to
>> compare to authentication traffic that is successful for kerberos to
>> compare
>> the traces to see if anything stands out. You may also want to post in
>> the
>> server Active Directory newsgroup to see if anyone over there has seen
>> this
>> happen after a transfer of a pdc fsmo. --- Steve
>>
>> How to enable Kerberos event logging on a specific computer
>>
>> 1.
>> Start Registry Editor.
>>
>> Caution
>> Incorrectly editing the registry might severely damage your system.
>> Before making changes to the registry, you should back up any valued data
>> on
>> the computer.
>>
>> 2.
>> Add the following registry value:
>>
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>>
>> Registry Value: LogLevel
>>
>> Value Type: REG_DWORD
>>
>> Value Data: 0x1
>>
>> 3.
>> If the Parameters subkey does not exist, create it.
>>
>> Note
>> Remove this registry value when it is no longer needed so that
>> performance is not degraded on the computer. Also, you can remove this
>> registry value to disable Kerberos event logging on a specific computer.
>>
>> 4.
>> Quit Registry Editor, and then restart the computer.
>>
>>
>>
>> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> news:24C575C2-3E97-4BC2-A9B6-040A5A7079A1@microsoft.com...
>> > The kerbos test passes on jusers workstation. Any other ideas. This is
>> > driving me crazy.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> I would not worry about those netdiag errors as I see them on occasion
>> >> and I
>> >> doubt would be related to what you are seeing in the security log. Try
>> >> running netdiag on the computer that juser is logging on from. Netdiag
>> >> includes a kerberos test. It could be that for some reason they are
>> >> not
>> >> being authenticated via kerberos and are falling back to NTLM to be
>> >> authenticated which may generate a successful account logon event
>> >> after
>> >> the
>> >> failed event for the user on the domain controller that authenticated
>> >> the
>> >> user. The first link below may be of interest but I doubt it is
>> >> related
>> >> to
>> >> your situation. The second link is on troubleshooting kerberos and
>> >> mostly
>> >> applies to Windows 2000 also. --- Steve
>> >>
>> >> http://support.microsoft.com/?kbid=244474
>> >> http://www.microsoft.com/technet/prodtechnol/windowsser...
>> >>
>> >>
>> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> news:6E6B6CDF-7A71-4621-82E0-88D0B4D835DC@microsoft.com...
>> >> > How could the password for juser be bad? They are able to logon on
>> >> > to
>> >> > the
>> >> > domain, access shared folders on the servers, access their e-mail on
>> >> > the
>> >> > exchange server and server based programs & databases. Most clients
>> >> > are
>> >> > XP
>> >> > Pro SP1. A few are at SP2 nad very few are 2000 SP4.
>> >> >
>> >> > I read the article on dns best practices. The only change I made to
>> >> > comply
>> >> > was to a second dc. I set it to point to the first dc as primary
>> >> > dns &
>> >> > itsself as secondary dns.
>> >> >
>> >> > These error messages are occurring for everyone. I have run netdiag
>> >> > on
>> >> > 10.0.0.127 & server2. No failures reported. Only a warning on
>> >> > 10.0.0.127.
>> >> > It passed the NetBT name test but had the following:
>> >> > [WANRING] At least one of the <00> 'Workstation Service', <03>
>> >> > 'Messenger
>> >> > service', <20> 'WINS' names is missing.
>> >> > Later in the netdiag report it listed:
>> >> > NetBT name test . . . passed
>> >> > [WANRING] You don't have a single interface with the <00>
>> >> > 'Workstation
>> >> > Service', <03> 'Messenger service', <20> 'WINS' names defined.
>> >> >
>> >> > No such errors on the server2
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> If netdiag and dcdiag results look good then it probably is not
>> >> >> related
>> >> >> to
>> >> >> dns configuration for the domain controller. The link below is a
>> >> >> good
>> >> >> read
>> >> >> on dns best practices.
>> >> >>
>> >> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>> >> >>
>> >> >> If you have downlevel clients in the domain such as NT4.0 or
>> >> >> Windows
>> >> >> 98
>> >> >> you
>> >> >> may see failed account logon events for kerberos but I don't know
>> >> >> why
>> >> >> you
>> >> >> would have not seen that before if that is the case. I see user
>> >> >> juser,
>> >> >> Client address: 10.0.0.127, and SERVER2 failed referenced in the
>> >> >> logon/account logon failures. The error codes indicate bad
>> >> >> password.
>> >> >> You
>> >> >> might want to check to see what is going on with those objects. One
>> >> >> thing
>> >> >> to
>> >> >> try is running netdiag on Client address: 10.0.0.127, and SERVER2
>> >> >> to
>> >> >> see
>> >> >> what is reported and check with juser to see if there are any logon
>> >> >> problems. I don't know if you are seeing failures for just certain
>> >> >> users
>> >> >> or
>> >> >> most everyone. --- Steve
>> >> >>
>> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> >> news:42FD7605-6D26-49ED-8E16-3D848F81AAC8@microsoft.com...
>> >> >> >I ran netdiag & dcdiag & no errors reported. IP addresses for DNS
>> >> >> >are
>> >> >> >all
>> >> >> > correct. Should the pdc point only to itself for DNS? Old
>> >> >> > server
>> >> >> > is
>> >> >> > out
>> >> >> > of
>> >> >> > DNS & new servers are listed. I'll set other DNS servers to
>> >> >> > point
>> >> >> > to
>> >> >> > pdc
>> >> >> > first & let you know if it fixes. Any other ideas if this
>> >> >> > doesn't
>> >> >> > fix
>> >> >> > the
>> >> >> > problem?
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> Try running the support tools netdiag and then dcdiag on your
>> >> >> >> domain
>> >> >> >> controller to see if it reports any pertinent problems that may
>> >> >> >> help
>> >> >> >> in a
>> >> >> >> solution and verify that your domain controllers have the
>> >> >> >> correct
>> >> >> >> IP
>> >> >> >> addresses for preferred dns servers in their tcp/ip properties
>> >> >> >> and
>> >> >> >> that
>> >> >> >> the
>> >> >> >> "old" domain controller IP address is not listed. Generally the
>> >> >> >> pdc
>> >> >> >> fsmo
>> >> >> >> should point to itself as it's preferred dns server and other
>> >> >> >> domain
>> >> >> >> controllers for the domain should point to the pdc fsmo first
>> >> >> >> and
>> >> >> >> then
>> >> >> >> themselves. The old domain controller's IP should also be
>> >> >> >> removed
>> >> >> >> from
>> >> >> >> DHCP
>> >> >> >> scopes and verified that the correct domain controllers IP
>> >> >> >> addresses
>> >> >> >> are
>> >> >> >> listed.--- Steve
>> >> >> >>
>> >> >> >>
>> >> >> >> "Johnse" <Johnse@discussions.microsoft.com> wrote in message
>> >> >> >> news:135F66D0-80B0-4070-B564-E2F334716710@microsoft.com...
>> >> >> >> > As soon as I retired my previous PDC I started getting errors
>> >> >> >> > in
>> >> >> >> > my
>> >> >> >> > security
>> >> >> >> > eventy log & I don't know why. Help!
>> >> >> >> > I followed KB255690 for transferring FSMO roles, KB295419 for
>> >> >> >> > transferring
>> >> >> >> > the Global Catalog. My other event logs are clean. It's just
>> >> >> >> > the
>> >> >> >> > security
>> >> >> >> > log that gets all the errors.
>> >> >> >> >
>> >> >> >> > Event ID: 537
>> >> >> >> > Source: Security
>> >> >> >> > Type: Failure
>> >> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> >> > Category: Logon/Logoff
>> >> >> >> > Reason: An unexpected error occurred during logon
>> >> >> >> > Username:
>> >> >> >> > Domain:
>> >> >> >> > Logon Type: 3
>> >> >> >> > Logon Process: Kerbos
>> >> >> >> > Authentication Package: Kerbos
>> >> >> >> > Workstation Name: -
>> >> >> >> >
>> >> >> >> > Event ID: 675
>> >> >> >> > Source: Security
>> >> >> >> > Type: Failure
>> >> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> >> > Category: Logon/Logoff
>> >> >> >> > Reason: An unexpected error occurred during logon
>> >> >> >> > Username:
>> >> >> >> > Domain:
>> >> >> >> > Logon Type: 3
>> >> >> >> > Logon Process: Kerbos
>> >> >> >> > Authentication Package: Kerbos
>> >> >> >> > Workstation Name: -
>> >> >> >> >
>> >> >> >> > Event ID: 675
>> >> >> >> > Source: Security
>> >> >> >> > Type: Failure
>> >> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> >> > Category: Account Logon
>> >> >> >> > Description: Pre-authentication failed
>> >> >> >> > Username: juser
>> >> >> >> > User ID: DOMAIN\juser
>> >> >> >> > Service Name: krbtgt/DOMAIN
>> >> >> >> > Pre-Authentication Type: 0x2
>> >> >> >> > Failure Code: 0x18
>> >> >> >> > Client address: 10.0.0.127
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > Event ID: 681
>> >> >> >> > Source: Security
>> >> >> >> > Type: Failure
>> >> >> >> > User: NT AUTHORITY\SYSTEM
>> >> >> >> > Category: Account Logon
>> >> >> >> > Description: The logon to account: supervisor by
>> >> >> >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:
>> >> >> >> > SERVER2
>> >> >> >> > failed.
>> >> >> >> > The
>> >> >> >> > error code was: 3221225578
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
!