Forum

Ultimate Windows Security Forum » Security Log » 680 - Account Used for Logon by » Duplicate Events

Duplicate Events Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
jmcelhin
Posted 8/31/2011 12:38:00 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/31/2011 12:21:04 PM
Posts: 1, Visits: 1
I am experiencing this problem with both event ID 675 and event ID 680.  Occasionally when a user fails to login to the domain there will be two events with the exact same information.  The timestamp will show the exact same hour, minute and second.  The Event ID is the same, as well as all other information in the event.
This doesn't happen every time a user has a failed login attempt, but it does happen frequently.  I see this a few times each day.

My questions are as follows:

1.  Why are duplicate events logged?

2.  Is there a way to fix this so only one event is logged per incident?

It's a little redundant, but here is an example where two separate events that are logged in the domain controller for a user who attempted to login with an invalid password.

Event 1

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date:  8/31/2011
Time:  7:57:27 AM
User:  NT AUTHORITY\SYSTEM
Computer: MWADC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: User
 Source Workstation: MWADC1
 Error Code: 0xC000006A


Event 2

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date:  8/31/2011
Time:  7:57:27 AM
User:  NT AUTHORITY\SYSTEM
Computer: MWADC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account: User
 Source Workstation: MWADC1
 Error Code: 0xC000006A
Post #794
RandyFranklinSmith
Posted 11/14/2011 8:06:38 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Welcome to Windows auditing.  Double the events for the same price.  I think it is the Windows client in this case thinking that maybe if it asks again it will get a different answer.
Post #837
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 2:07am