No more events 680
Posted 9/3/2009 4:39:26 AM
Forum Newbie

Group: Forum Members
Last Login: 9/3/2009 4:21:35 AM
Posts: 3, Visits: 0
Hi,

We have 3 Win2003 DCs in our domain. DC3 was rebooted a few days ago. Since then, there are no events 680 in its security log. When I found this out I rebooted it again, but still no 680s (there are lots of 540s and more). DC1 and DC2 have 680s, although they were not rebooted.
After reading some of your works I suspect that DC3 authorizes PCs by Kerberos, while DC1 and DC2 use NTLM. I thought Kerberos is the default...

Post #202
Posted 9/5/2009 9:31:30 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
DCs answer both NTLM and Kerberos requests. Kerberos is the default, subject to:

1. all computers involved must support Kerberos (Win2000 and later)

2. logon account must be a domain account

3. all computers must be part of the same forest or trusting domains

If any of those is not true, Windows falls back to NTLM.

Some client/server apps use NTLM.

Post #203
Posted 9/7/2009 6:06:13 AM
Forum Newbie

Thank you.

I suppose Kerberos is safer than NTLM so it is all right now.
Although I like event 680 more, because it gives us the information (logon account, source workstation) we need to show for the external audit guys.
I just wonder if you can tell what might have happened to DC3 to switch to Kerberos?
Is there a way to switch back to get event 680s?
Post #204
Posted 9/7/2009 11:25:24 AM
Expert

Event 672 (Kerberos authentication ticket - aka TGT) gives you basically the same info, except client IP address instead of client workstation name. To find out the workstation name, look at the next couple of events in the log for the first service ticket granted to a service other than krbtgt for the same user, and you will see the workstation name identified as the service.
Post #205
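
The correlation described in the reply above, as an added example that is not part of the original thread: each event 672 is paired with the first following service-ticket event (event 673 on Windows 2003) for the same user whose service is not krbtgt. The record layout, the sample events, the `window` parameter and the extra same-client-address check are assumptions made for illustration.

```python
# Constructed sample records. The dict layout is an assumption standing in for
# already-parsed Security log entries (672 = TGT request, 673 = service ticket).
SAMPLE_EVENTS = [
    {"id": 672, "time": "09:00:01", "user": "alice", "service": "krbtgt", "client": "10.0.0.21"},
    {"id": 673, "time": "09:00:01", "user": "alice@EXAMPLE.LOCAL", "service": "krbtgt", "client": "10.0.0.21"},
    {"id": 672, "time": "09:00:02", "user": "bob", "service": "krbtgt", "client": "10.0.0.35"},
    {"id": 673, "time": "09:00:02", "user": "alice@EXAMPLE.LOCAL", "service": "WKS-021$", "client": "10.0.0.21"},
    {"id": 673, "time": "09:00:03", "user": "alice@EXAMPLE.LOCAL", "service": "FILESRV$", "client": "10.0.0.21"},
    {"id": 540, "time": "09:00:03", "user": "alice", "service": "", "client": "10.0.0.21"},
    {"id": 673, "time": "09:00:04", "user": "bob@EXAMPLE.LOCAL", "service": "WKS-035$", "client": "10.0.0.35"},
    {"id": 672, "time": "09:05:00", "user": "carol", "service": "krbtgt", "client": "10.0.0.50"},
]


def norm_user(name):
    """673 records user@REALM while 672 records the bare name; compare bare names."""
    return name.split("@", 1)[0].lower()


def correlate(events, window=10):
    """Return one audit row per 672: time, user, client IP, workstation (or None).

    The workstation is the service name of the first later 673 for the same
    user that is not for krbtgt. Requiring the same client address as well is
    an added assumption, so interleaved logons from two machines do not mix.
    """
    rows = []
    for i, ev in enumerate(events):
        if ev["id"] != 672:
            continue
        workstation = None
        # "next couple events": only look a bounded distance ahead in the log
        for nxt in events[i + 1 : i + 1 + window]:
            if (nxt["id"] == 673
                    and norm_user(nxt["user"]) == norm_user(ev["user"])
                    and nxt["client"] == ev["client"]
                    and nxt["service"].lower() != "krbtgt"):
                workstation = nxt["service"].rstrip("$")  # drop machine-account suffix
                break
        rows.append({"time": ev["time"], "user": norm_user(ev["user"]),
                     "client": ev["client"], "workstation": workstation})
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

A row with no workstation means no matching service ticket was found within the window, so the client IP address is the only source identifier available for that logon.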
Posted 9/11/2009 1:54:31 AM
Forum Newbie

Thank you very much
Post #206
All times are GMT -5:00