Archived from groups: microsoft.public.win2000.security (More info?)
I hope someone can help as I have searched all over for an answer to this.
We have a customer with a 2000 domain in mixed mode with a mixture of
Win98, 2000 and XP machines.
I have been monitoring the event logs on their servers; the security logs
are full of Failure audits with event codes 675 and 677. I gather these are
Kerberos related but I can't work out what the failure codes are for and what
could be causing them.
The usernames and client addresses are all different; I haven't been able to
pin it down to any specific machines.
Archived from groups: microsoft.public.win2000.security (More info?)
"Craig Barraclough" <CraigBarraclough@discussions.microsoft.com> wrote in
message newsFACC470-4B43-4FF5-8404-7EC635B0D7CA@microsoft.com...
> I hope someone can help as I have searched all over for an answer to this.
>
> We have a customer with a 2000 domain in mixed mode with a mixture of
> Win98, 2000 and XP machines.
>
> I have been monitoring the event logs on their servers; the security logs
> are full of Failure audits with event codes 675 and 677. I gather these are
> Kerberos related but I can't work out what the failure codes are for and
> what could be causing them.
> The usernames and client addresses are all different; I haven't been able
> to pin it down to any specific machines.
>
> A couple of examples are below
>
> Source: Security
> Category: Account logon
> Type: Failure
> Event ID: 675
> User: NT AUTHORITY\SYSTEM
> Computer: AAA-Primary
> Pre-authentication failed
> username: ACraig
> userID: BRITISH\ACraig
> Service Name: krbtgt/BRITISH
> Pre-authentication type: 0x2
> Failure code: 0x18
> Client address: 192.168.3.65
>
>
>
> Source: Security
> Category: Account logon
> Type: Failure
> Event ID: 675
> User: NT AUTHORITY\SYSTEM
> Computer: AAA-Primary
> Pre-authentication failed
> username: Administrator
> userID: BRITISH\Administrator
> Service Name: krbtgt/BRITISH
> Pre-authentication type: 0x2
> Failure code: 0x18
> Client address: 127.0.0.1
>
>
> Source: Security
> Category: Account logon
> Type: Failure
> Event ID: 677
> User: NT AUTHORITY\SYSTEM
> Computer: AAA-Primary
> Service Ticket request Failed
> username: ENG02$
> User Domain: BRITISH
> Service Name: krbtgt/BRITISH
> Pre-authentication type: 0x2
> Failure code: 0x20
> Client address: 192.168.1.27
>
>
>
> These events seem to occur at all times of day and night; the client
> addresses are either servers, workstations or even the loopback address.
>
> Anyone any idea what could be causing this?
>
> Cheers
>
> Craig
Pre-authentication pretty much means wrong password - 0x18 is
KDC_ERR_PREAUTH_FAILED.
The other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired". Which I
guess means the client requested access to a resource with a ticket which
has since expired. It will then request a new one.
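Added example, not part of the original thread: a small triage script for events in the field layout posted above, which decodes the failure code and counts failures per client address and user so that repeated or loopback pre-authentication failures stand out. The sample records are constructed, the function names are hypothetical, and the error names are the RFC 4120 ones (0x25 is not mentioned in the thread).

```python
import re
from collections import defaultdict

# Kerberos error names (RFC 4120); 0x18 and 0x20 are the codes in the thread.
KRB_ERRORS = {
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Constructed sample in the layout quoted in the thread (not real log data).
SAMPLE = """\
Event ID: 675
username: ACraig
Failure code: 0x18
Client address: 192.168.3.65

Event ID: 675
username: Administrator
Failure code: 0x18
Client address: 127.0.0.1

Event ID: 677
username: ENG02$
Failure code: 0x20
Client address: 192.168.1.27
"""

def parse_events(text):
    """Split on blank lines and turn each 'key: value' record into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([^:\n]+?)\s*:\s*(.+?)\s*$", block, re.M))
        if "Event ID" in fields and "Failure code" in fields:
            fields["code"] = int(fields["Failure code"], 16)
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (client, user, error); list the sources to check first."""
    counts = defaultdict(int)
    for e in events:
        name = KRB_ERRORS.get(e["code"], hex(e["code"]))
        counts[(e["Client address"], e["username"], name)] += 1
    # Pre-auth failures that repeat, or that come from the DC itself (loopback).
    review = sorted(k for k, n in counts.items()
                    if k[2] == "KDC_ERR_PREAUTH_FAILED"
                    and (n > 1 or k[0] == "127.0.0.1"))
    return dict(counts), review
```

A loopback entry in the review list means the failing request originated on the domain controller itself, so the place to look is whatever runs on that server under the named account.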
Archived from groups: microsoft.public.win2000.security (More info?)
I don't understand the second of the examples which has the loopback address
as the client address. If 0x18 is a bad password I don't understand why that
is logged during the night from the loopback.
"Barry" wrote:
>
> Pre-authentication pretty much means wrong password - 0x18 is
> KDC_ERR_PREAUTH_FAILED.
> The other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired". Which I
> guess means the client requested access to a resource with a ticket which
> has since expired. It will then request a new one.
>
> I'd just ignore them both to be honest.
Archived from groups: microsoft.public.win2000.security (More info?)
I have also noticed that a common event, event 627, changing the password of
the TSInternetUser has failed. I believe this should be successful as it is
the system changing it for security reasons.
I wonder if this event is linked to my other problems?