Pre-authentication errors filling DC security...
Posted 6/11/2009 10:39:59 AM
Forum Newbie
Group: Forum Members
Last Login: 6/11/2009 12:02:45 PM
Posts: 4, Visits: 4
Sorry about that Randy.  I should have thought of that.  Anyways, copied the entire posting over as you have instructed.

Thanks for the update Randy, but I went ahead and added the successes/failures for Logon/Logoff and Account Logon events to the Default Domain Controller Policy and applied the new GPO to member servers.  This seems to be working well and will address the issue at a later time.  In the meantime, not being an expert in Windows logs like you, I am having some trouble deciphering the logs.  For some reason, I keep getting 675 on the DCs (see below), and do not understand them since these are computer accounts.  Can you explain this to me?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date:  6/11/2009
Time:  12:01:03 AM
User:  NT AUTHORITY\SYSTEM
Computer: EXCHCLE
Description:
Pre-authentication failed:
  User Name: DPM2K7$
  User ID:  domain\DPM2K7$
  Service Name: krbtgt/FQDN
  Pre-Authentication Type: 0x0
  Failure Code: 0x19
  Client Address: IPAddress


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I seem to be getting a lot of these in the logs, and don't know what or where they are coming from.  I have searched Google but not a lot of information on this other than your article from Windows IT Pro.  HELP!!!

Post #111
Posted 6/27/2009 7:39:42 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
0x19 as the failure code indicates "Additional pre-authentication required" as documented in my encyclopedia for this event.

Pre-authentication is an optional feature of Kerberos and not supported by Unix/Linux implementations of Kerberos.  What OS is on the computers generating this error? 

See this article for some additional details. Authentication Fails in a Mixed Windows and UNIX Environment

Post #120
Posted 6/27/2009 7:43:52 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
This also seems to occur in weird situations with Windows computers.  See http://forums.techarena.in/active-directory/997366.htm
Post #121
Posted 6/29/2010 4:12:31 PM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Randy,

Is it possible just to drop these events altogether, or do you recommend logging them?

Thx,
Jeff
Post #398
Posted 7/8/2010 9:06:50 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
You can't turn off logging of this event for that specific failure code in Windows, but if your log management solution allows you to ignore it, then yes, you should be safe doing so.
Post #407
Posted 7/15/2010 9:42:07 AM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Thx for the info Randy

Jeff
Post #416
Posted 8/28/2010 5:03:34 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
welcome
Post #447
Posted 11/4/2011 3:34:59 PM
Forum Newbie
Group: Forum Members
Last Login: 10/26/2011 12:04:34 PM
Posts: 1, Visits: 0

I am noticing a lot of these errors on my domain controllers that I do not believe can be attributed to a "bad password".

In this particular case, the event ID 675 0x18 was between 2 of my domain controllers and the user was not logged into either one at the time. This event continued to happen every hour on the hour (I was monitoring the event on ADAudit Plus). When I asked the user about it, he was just as surprised as I was and said he hadn't been logged on all morning.

Believe me, I would be happy to filter these events, but my concern is that ignoring these events every day will affect my ability to determine when a brute-force attack is taking place.

I was able to pull the following logs from my SIEM:

<13>Nov 04 11:00:03 10.10.10.10
AgentDevice=WindowsLog
AgentLogFile=Security
Source=Security
Computer=Domain1
User=SYSTEM
Domain=
EventID=675
EventIDCode=675
EventType=16
EventCategory=9
RecordNumber=1439470605
TimeGenerated=1320422403
TimeWritten=1320422403
Message=Pre-authentication failed:
User Name: jdoe
User ID: %{S-1-5-21-xxxxxx-xxxxxxx-xxxxxx-xxxxxx}
Service Name: krbtgt/Intenet-NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.90.10.11

I also noticed that my SIEM used the description: "The ticket-granting ticket (TGT) was not obtained."

Any ideas on what it could be, or what other information I should be looking at to help resolve the issue?

Thanks a lot,

Danny

Post #830
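Randy's advice above is to drop the 0x19 failure code at the log management layer, and Danny's worry is that filtering 675 events blinds him to brute-force attempts. The following is an added example, not code from this thread or from any vendor's product: it parses event 675 descriptions in the layout quoted above, discards only the 0x19 events, and counts 0x18 (bad password) failures per user and client address against a threshold. The EXAMPLE domain, the addresses and the threshold of 5 are constructed for the sample.

```python
import re
from collections import Counter

# Event 675 failure codes discussed in this thread. 0x19 is the DC asking
# the client for pre-auth data (the normal first leg of a Kerberos AS
# exchange); 0x18 means the pre-auth data was wrong, i.e. a bad password.
FAILURE_CODES = {
    "0x18": "pre-authentication data invalid (bad password)",
    "0x19": "additional pre-authentication required (benign)",
}

FIELD_RE = re.compile(
    r"^\s*(User Name|User ID|Service Name|Pre-Authentication Type|"
    r"Failure Code|Client Address):\s*(.+?)\s*$", re.MULTILINE)

def parse_675(message):
    """Parse the description text of one event 675 into a dict of fields."""
    return dict(FIELD_RE.findall(message))

def triage(messages, threshold=5):
    """Split 0x19 noise from real failures and count 0x18 failures per
    (user, client); pairs at or above the threshold are worth a look as a
    possible brute-force attempt or a host holding stale credentials."""
    noise, failures, counts = [], [], Counter()
    for msg in messages:
        ev = parse_675(msg)
        if ev.get("Failure Code") == "0x19":
            noise.append(ev)  # what the SIEM may safely ignore
            continue
        failures.append(ev)
        if ev.get("Failure Code") == "0x18":
            counts[(ev["User Name"], ev["Client Address"])] += 1
    flagged = {pair: n for pair, n in counts.items() if n >= threshold}
    return noise, failures, flagged

def make_event(user, code, client, ptype="0x2"):
    """Constructed event 675 description in the layout shown in the thread."""
    return ("Pre-authentication failed:\n"
            f"  User Name: {user}\n  User ID: EXAMPLE\\{user}\n"
            f"  Service Name: krbtgt/EXAMPLE.LOCAL\n"
            f"  Pre-Authentication Type: {ptype}\n"
            f"  Failure Code: {code}\n  Client Address: {client}\n")

# Constructed sample: one computer-account 0x19 like the first post, six
# hourly 0x18 for jdoe from one host like the last post, one stray 0x18.
SAMPLE = ([make_event("DPM2K7$", "0x19", "10.0.0.5", ptype="0x0")]
          + [make_event("jdoe", "0x18", "10.90.10.11")] * 6
          + [make_event("asmith", "0x18", "10.90.10.12")])
```

Feeding real 675 descriptions through `triage` gives the per-source 0x18 counts that a single hourly failure (like Danny's) will never reach, while a password-guessing burst will.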