Repeated 675,681 and 677 error codes in security log

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I hope some can help as i have search all over for an answer to this.

We have a customer with a 2000 domain in mixed mode with a mixture of
win98,2000 and xp machines.

I have been monitoring the event logs on their servers, the security logs
are full of Failure audits with event codes 675 and677. I gather these are
Kerberos related but i can't work out what the failure codes are for and what
could be causing them.
The usernames and client addresses are all different, i haven't been able to
pin it down to any specific machines.

A couple of examples are below

Source: Security
Catergory: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: ACraig
userID: BRITISH\ACraig
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 192.168.3.65



Source: Security
Catergory: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: Administrator
userID: BRITISH\Administrator
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 127.0.0.1


Source: Security
Catergory: Account logon
Type: Failure
Event ID: 677
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Serivce Ticket request Failed
username: ENG02$
User Domain: BRITISH
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x20
Client address: 192.168.1.27



These events seem to occur at all times of day and night, the client address
are either servers, workstations or even the loopback address.

Anyone any idea what could be causing this?

Cheers

Craig
 
Craig Barraclough said:
I hope some can help as i have search all over for an answer to this.

We have a customer with a 2000 domain in mixed mode with a mixture of
win98,2000 and xp machines.

I have been monitoring the event logs on their servers, the security logs
are full of Failure audits with event codes 675 and677. I gather these are
Kerberos related but i can't work out what the failure codes are for and
what
could be causing them.
The usernames and client addresses are all different, i haven't been able
to
pin it down to any specific machines.

A couple of examples are below

Source: Security
Catergory: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: ACraig
userID: BRITISH\ACraig
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 192.168.3.65



Source: Security
Catergory: Account logon
Type: Failure
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Pre-authentication failed
username: Administrator
userID: BRITISH\Administrator
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x18
Client address: 127.0.0.1


Source: Security
Catergory: Account logon
Type: Failure
Event ID: 677
User: NT AUTHORITY\SYSTEM
Computer: AAA-Primary
Serivce Ticket request Failed
username: ENG02$
User Domain: BRITISH
Service Name: krbtgt/BRITISH
Pre-authentication type: 0x2
Failure code: 0x20
Client address: 192.168.1.27



These events seem to occur at all times of day and night, the client
address
are either servers, workstations or even the loopback address.

Anyone any idea what could be causing this?

Cheers

Craig
Click to expand...

pre-authentication pretty much means wrong password - 0x18 is
KDC_ERR_PREAUTH_FAILED
the other one is "0x20 - KRB_AP_ERR_TKT_EXPIRED: Ticket expired". Which I
guess means the client requested access to a resource with a ticket which
has since expired. It will then request a new one.

I'd just ignore them both to be honest.
 
I don't understand the second of the examples which has the loopback address
as the client address. If 0x18 is a bad password i don't understand why that
is logged during the night from the loopback.
 
I have also noticed that a common event, event 627, changing the password of
the TSInternetUser has failed. Ibelieve this should be successful as it is
the system changing it for security reasons.
I wonder if this event is linked to my other problems?
 
Back
Top