Windows Security Log Event ID 675

675: Pre-authentication failed

On this page

• Description of this event
• Field level details
• Examples

When a user attempts to log on at a workstation and uses a valid domain account name but enters a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24. By reviewing each of your DC Security logs for this event and failure code, you can track every domain logon attempt that failed as a result of a bad password. In addition to providing the username and domain name, the event provides the IP address of the system from which the logon attempt originated.

Win2K also logs event ID 675 when a user attempts to use a different username (i.e., a username other than the one he or she used for the current workstation logon) to connect to a server. For example, a user might try to use the Connect using a different user name feature to use someone else's account to map a drive to a server.

This event can be logged for a few other reasons which are specified in the failure code. All Kerberos event failure codes correspond to the error codes defined by the Kerberos standard (RFC 1510). Click here for an explanation of failure codes.

Recommended response for failed instances of this event:

Check the User ID field. Most events generated by computer accounts are safe to ignore. Determine the reason for the authentication failure by checking Failure Code. TGT failures are usually due to a bad password or time synchronization between workstation and domain controller. If Failure Code indicates a bad password, how many failures exist for the same account? Look at the client IP address. Is an innocent user error or malicious attack indicated. If practical contact user regarding their recent logon attempts. 

 

Kerberos Failure Codes

Failure code		Kerberos RFC description	Notes on common failure codes
Dec	Hex
1	0x1	Client's entry in database has expired
2	0x2	Server's entry in database has expired
3	0x3	Requested protocol version # not supported
4	0x4	Client's key encrypted in old master key
5	0x5	Server's key encrypted in old master key
6	0x6	Client not found in Kerberos database	Bad user name, or new computer/user account has not replicated to DC yet
7	0x7	Server not found in Kerberos database	New computer account has not replicated yet or computer is pre-w2k
8	0x8	Multiple principal entries in database
9	0x9	The client or server has a null key	administrator should reset the password on the account
10	0xA	Ticket not eligible for postdating
11	0xB	Requested start time is later than end time
12	0xC	KDC policy rejects request	Workstation/logon time restriction
13	0xD	KDC cannot accommodate requested option
14	0xE	KDC has no support for encryption type
15	0xF	KDC has no support for checksum type
16	0x10	KDC has no support for padata type
17	0x11	KDC has no support for transited type
18	0x12	Clients credentials have been revoked	Account disabled, expired, or locked out.
19	0x13	Credentials for server have been revoked
20	0x14	TGT has been revoked
21	0x15	Client not yet valid - try again later
22	0x16	Server not yet valid - try again later
23	0x17	Password has expired	The user’s password has expired.
24	0x18	Pre-authentication information was invalid	Usually means bad password
25	0x19	Additional pre-authentication required*
31	0x1F	Integrity check on decrypted field failed
32	0x20	Ticket expired	Frequently logged by computer accounts
33	0x21	Ticket not yet valid
33	0x21	Ticket not yet valid
34	0x22	Request is a replay
35	0x23	The ticket isn't for us
36	0x24	Ticket and authenticator don't match
37	0x25	Clock skew too great	Workstation’s clock too far out of sync with the DC’s
38	0x26	Incorrect net address	IP address change?
39	0x27	Protocol version mismatch
40	0x28	Invalid msg type
41	0x29	Message stream modified
42	0x2A	Message out of order
44	0x2C	Specified version of key is not available
45	0x2D	Service key not available
46	0x2E	Mutual authentication failed	may be a memory allocation failure
47	0x2F	Incorrect message direction
48	0x30	Alternative authentication method required*
49	0x31	Incorrect sequence number in message
50	0x32	Inappropriate type of checksum in message
60	0x3C	Generic error (description in e-text)
61	0x3D	Field is too long for this implementation

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 675

•  User Name: %1
•  User ID:  %2
•  Service Name: %3
•  Pre-Authentication Type: %4
•  Failure Code: %5 (see table of failure codes)
•  Client Address: %6

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

 

Mini-Seminars Covering Event ID 675 Security Log Exposed: What is the Difference Between “Account Logon” and “Logon/Logoff” Events? Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log Beyond Alerting: 7 Critical Security Event Responses That Can Be Automated

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy