Repeated 675, 681 and 677 error codes in security log

Guest

Archived from groups: microsoft.public.win2000.security

I hope someone can help as I have searched all over for an answer to this.

We have a customer with a 2000 domain in mixed mode with a mixture of
Win98, 2000 and XP machines.

I have been monitoring the event logs on their servers, the security logs
are full of Failure audits with event codes 675 and 677. I gather these are
Kerberos related but I can't work out what the failure codes are for and what
could be causing them.
The usernames and client addresses are all different, I haven't been able to
pin it down to any specific machines.

A couple of examples are below

Source: Security
Category: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: ACraig
userID: BRITISH\ACraig
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 192.168.3.65



Source: Security
Category: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: Administrator
userID: BRITISH\Administrator
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 127.0.0.1


Source: Security
Category: Account logon
Type: Failure
Event ID: 677
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Service Ticket request Failed
username: ENG02$
User Domain: BRITISH
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x20
Client address: 192.168.1.27



These events seem to occur at all times of day and night, the client addresses
are either servers, workstations or even the loopback address.

Anyone any idea what could be causing this?

Cheers

Craig
 

Barry

Apr 1, 2004
Pre-authentication pretty much means wrong password - 0x18 is
KDC_ERR_PREAUTH_FAILED.
The other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired", which I
guess means the client requested access to a resource with a ticket which
has since expired. It will then request a new one.

I'd just ignore them both to be honest.
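
Added example (not part of the original thread, and not any poster's code): a small Python triage script for records in the layout quoted in the first post. It decodes the "Failure code" field to its RFC 4120 error name and counts event 675 / 0x18 failures per client address and username, so a source such as the loopback address that keeps failing for the same account stands out. The function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error names from RFC 4120, keyed by the value in "Failure code".
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

def _record(event_id, user, code, addr):
    """Build one constructed record in the layout quoted in the thread."""
    return (f"Event ID: {event_id}\nusername: {user}\n"
            f"Failure code: {code}\nClient address: {addr}\n")

# Constructed sample data, not taken from a real log.
SAMPLE = "\n".join([
    _record(675, "ACraig", "0x18", "192.168.3.65"),
    _record(675, "Administrator", "0x18", "127.0.0.1"),
    _record(675, "Administrator", "0x18", "127.0.0.1"),
    _record(677, "ENG02$", "0x20", "192.168.1.27"),
])

def parse_events(text):
    """Split on blank lines; turn each 'Key: value' record into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (the event description) are skipped
                fields[key.strip().lower()] = value.strip()
        if "event id" in fields:
            code = int(fields.get("failure code", "0x0"), 16)
            fields["failure name"] = KRB_ERRORS.get(code, f"UNKNOWN_0x{code:X}")
            events.append(fields)
    return events

def preauth_failures(events):
    """Count event 675 / 0x18 failures per (client address, username)."""
    return Counter(
        (ev.get("client address", "?"), ev.get("username", "?"))
        for ev in events
        if ev["event id"] == "675" and ev["failure name"] == "KDC_ERR_PREAUTH_FAILED"
    )
```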
 
Guest

I don't understand the second of the examples which has the loopback address
as the client address. If 0x18 is a bad password I don't understand why that
is logged during the night from the loopback.

"Barry" wrote:

> Pre-authentication pretty much means wrong password - 0x18 is
> KDC_ERR_PREAUTH_FAILED.
> The other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired", which I
> guess means the client requested access to a resource with a ticket which
> has since expired. It will then request a new one.
>
> I'd just ignore them both to be honest.
 
Guest

I have also noticed that a common event, event 627, changing the password of
the TSInternetUser has failed. I believe this should be successful as it is
the system changing it for security reasons.
I wonder if this event is linked to my other problems?

"Craig Barraclough" wrote:

> I don't understand the second of the examples which has the loopback address
> as the client address. If 0x18 is a bad password I don't understand why that
> is logged during the night from the loopback.