Security Event Logs


Chris Perry

When a user attempts to log on to the network with an
invalid user ID or password it gets logged as event ID
529 (invalid user ID or password) in the local event
logs, but it gets logged as event ID 675
(Pre-authentication Failed) on the authenticating server and
on the root DC. Does anyone know why? Or better yet,
does anyone know how to get the event logs on the servers
to show the event as a 529? Any info would be useful,

Chris
 
Chris,

PreAuthentication is the Windows 2000 Kerberos KDC
checking that the user's account is "Present", not "Locked
Out", and has "Access This Computer" rights to use the
Kerberos KDC, which is running on your Windows 2000 DC.
This means that the user never did get a chance to try to
log on to the DC, because the PreAuth prevents anyone from
attempting to log on unless they have a valid, active
account with logon rights. This PreAuth can be turned off,
but I recommend that you leave it on. This is a security
measure to prevent Brute Force password attacks against a
known user account in the Windows 2000 DC. I believe that
the errors you are receiving in the Event Viewers are
accurate and correct. Hope this helps.

Optimystic
 
Does that mean that you would get the PreAuthentication
failure when an incorrect password is used on a
valid/active account? Do you have to check the logs of
every workstation to see when an invalid password was
used or an account got locked out?

Chris
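
An added example, not part of the thread: event 675 records on the DC carry the account name and the client address, so bad-password attempts can be counted from the DC's Security log instead of from each workstation. The one-line export layout, the field names and the sample records are constructed for illustration; failure code 0x18 is Kerberos KDC_ERR_PREAUTH_FAILED, which a wrong password produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: DC Security log records flattened to one line each.
# The layout and field names are assumptions, not a real export format.
SAMPLE = """\
2004-03-01 09:00:05 675 User=jdoe Client=10.0.0.21 FailureCode=0x18
2004-03-01 09:00:09 675 User=jdoe Client=10.0.0.21 FailureCode=0x18
2004-03-01 09:00:14 675 User=jdoe Client=10.0.0.21 FailureCode=0x18
2004-03-01 09:05:00 675 User=asmith Client=10.0.0.34 FailureCode=0x25
2004-03-01 09:30:00 675 User=asmith Client=10.0.0.34 FailureCode=0x18
2004-03-01 09:31:00 672 User=asmith Client=10.0.0.34 FailureCode=-
"""

LINE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\d+) "
    r"User=(?P<user>\S+) Client=(?P<client>\S+) FailureCode=(?P<code>\S+)"
)
BAD_PASSWORD = "0x18"  # KDC_ERR_PREAUTH_FAILED; 0x25 (clock skew) is ignored

def parse(text):
    """Yield (timestamp, user, client) for bad-password 675 events only."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["id"] == "675" and m["code"].lower() == BAD_PASSWORD:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"].lower(), m["client"]

def bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, client): n} where n >= threshold failures fit in one window."""
    seen = defaultdict(list)
    for ts, user, client in parse(text):
        seen[(user, client)].append(ts)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (user, client), n in bursts(SAMPLE).items():
        print(f"{user} from {client}: {n} bad-password pre-auth failures")
```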
 