Windows Security Log Event ID 675

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Account Logon
Type: Failure
Corresponding events in Windows 2008 and Vista: 4771

675: Pre-authentication failed


When a user attempts to log on at a workstation and uses a valid domain account name but enters a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24. By reviewing each of your DC Security logs for this event and failure code, you can track every domain logon attempt that failed as a result of a bad password. In addition to providing the username and domain name, the event provides the IP address of the system from which the logon attempt originated.

Win2K also logs event ID 675 when a user attempts to use a different username (i.e., a username other than the one he or she used for the current workstation logon) to connect to a server. For example, a user might try to use the Connect using a different user name feature to use someone else's account to map a drive to a server.

This event can be logged for a few other reasons, which are specified in the failure code. All Kerberos event failure codes correspond to the error codes defined by the Kerberos standard (RFC 1510). The failure codes are explained in the Kerberos Failure Codes table below.

Recommended response for failed instances of this event:

  •  Check the User ID field. Most events generated by computer accounts are safe to ignore.
  •  Determine the reason for the authentication failure by checking Failure Code. TGT failures are usually due to a bad password or a time synchronization problem between workstation and domain controller.
  •  If Failure Code indicates a bad password, how many failures exist for the same account?
  •  Look at the client IP address. Is an innocent user error or a malicious attack indicated?
  •  If practical, contact the user regarding their recent logon attempts.

 

Kerberos Failure Codes

| Failure code (Dec) | Failure code (Hex) | Kerberos RFC description | Notes on common failure codes |
|---|---|---|---|
| 1 | 0x1 | Client's entry in database has expired | |
| 2 | 0x2 | Server's entry in database has expired | |
| 3 | 0x3 | Requested protocol version # not supported | |
| 4 | 0x4 | Client's key encrypted in old master key | |
| 5 | 0x5 | Server's key encrypted in old master key | |
| 6 | 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 7 | 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 8 | 0x8 | Multiple principal entries in database | |
| 9 | 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 10 | 0xA | Ticket not eligible for postdating | |
| 11 | 0xB | Requested start time is later than end time | |
| 12 | 0xC | KDC policy rejects request | Workstation/logon time restriction |
| 13 | 0xD | KDC cannot accommodate requested option | |
| 14 | 0xE | KDC has no support for encryption type | |
| 15 | 0xF | KDC has no support for checksum type | |
| 16 | 0x10 | KDC has no support for padata type | |
| 17 | 0x11 | KDC has no support for transited type | |
| 18 | 0x12 | Clients credentials have been revoked | Account disabled, expired, or locked out. |
| 19 | 0x13 | Credentials for server have been revoked | |
| 20 | 0x14 | TGT has been revoked | |
| 21 | 0x15 | Client not yet valid - try again later | |
| 22 | 0x16 | Server not yet valid - try again later | |
| 23 | 0x17 | Password has expired | The user’s password has expired. |
| 24 | 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 25 | 0x19 | Additional pre-authentication required* | |
| 31 | 0x1F | Integrity check on decrypted field failed | |
| 32 | 0x20 | Ticket expired | Frequently logged by computer accounts |
| 33 | 0x21 | Ticket not yet valid | |
| 34 | 0x22 | Request is a replay | |
| 35 | 0x23 | The ticket isn't for us | |
| 36 | 0x24 | Ticket and authenticator don't match | |
| 37 | 0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
| 38 | 0x26 | Incorrect net address | IP address change? |
| 39 | 0x27 | Protocol version mismatch | |
| 40 | 0x28 | Invalid msg type | |
| 41 | 0x29 | Message stream modified | |
| 42 | 0x2A | Message out of order | |
| 44 | 0x2C | Specified version of key is not available | |
| 45 | 0x2D | Service key not available | |
| 46 | 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 47 | 0x2F | Incorrect message direction | |
| 48 | 0x30 | Alternative authentication method required* | |
| 49 | 0x31 | Incorrect sequence number in message | |
| 50 | 0x32 | Inappropriate type of checksum in message | |
| 60 | 0x3C | Generic error (description in e-text) | |
| 61 | 0x3D | Field is too long for this implementation | |


Description Fields in 675

  •  User Name: %1
  •  User ID:  %2
  •  Service Name: %3
  •  Pre-Authentication Type: %4
  •  Failure Code: %5 (see table of failure codes)
  •  Client Address: %6


Examples of 675

Pre-authentication failed:
User Name: Fred
User ID: MKTG\Fred
Service Name: krbtgt/MKTG
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 10.42.42.10
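
The recommended response steps, applied to descriptions laid out like the example above. This is an added example, not part of the original page. The sample events, the helper names (parse_675, triage, make), the threshold of 3, and the rule that a computer account is a User Name ending in "$" are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Notes for the common codes, copied from the failure-code table on this page.
NOTES = {6: "bad user name or account not replicated yet",
         12: "workstation/logon time restriction",
         18: "account disabled, expired, or locked out",
         23: "password has expired",
         24: "usually means bad password",
         37: "clock skew too great"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\S.*?)\s*$")

def parse_675(description):
    """Turn one event 675 description into {field name: value}."""
    return dict(m.groups() for m in map(FIELD.match, description.splitlines()) if m)

def triage(descriptions, threshold=3):
    """Summarise failures; threshold is an assumed value, tune it per site."""
    bad_pw = Counter()                # (user, client address) -> code 24 count
    users_by_addr = defaultdict(set)  # client address -> users that failed from it
    other = []                        # non-24 failures with the table's note
    for text in descriptions:
        f = parse_675(text)
        user = f.get("User Name", "").lower()
        # Assumption: a computer account is a name ending in "$"; those are skipped.
        if "Failure Code" not in f or user.endswith("$"):
            continue
        code = int(f["Failure Code"], 0)  # accepts "24" and "0x18"
        addr = f.get("Client Address", "unknown")
        if code == 24:
            bad_pw[(user, addr)] += 1
            users_by_addr[addr].add(user)
        else:
            other.append((user, code, NOTES.get(code, "see failure code table")))
    repeated = {k: n for k, n in bad_pw.items() if n >= threshold}
    multi_user = {a: sorted(u) for a, u in users_by_addr.items() if len(u) > 1}
    return repeated, multi_user, other

def make(user, code, addr):
    """Build a constructed description in the layout of the example on this page."""
    return ("Pre-authentication failed:\nUser Name: %s\nUser ID: MKTG\\%s\n"
            "Service Name: krbtgt/MKTG\nPre-Authentication Type: 0x2\n"
            "Failure Code: %s\nClient Address: %s" % (user, user, code, addr))

# Constructed sample events (not real log data).
SAMPLE = ([make("Fred", "24", "10.42.42.10")] * 3
          + [make("Alice", "0x18", "10.42.42.77"), make("Bob", "24", "10.42.42.77"),
             make("WKS01$", "32", "10.42.42.5"), make("Carol", "37", "10.42.42.9")])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The first result lists accounts with repeated bad passwords from one address, the second lists addresses that failed against more than one account, and the third lists failures with other codes together with the table's note.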
