Event id 675
Good day,
I've been trying to resolve this matter for a couple of weeks now. I have recently turned on auditing on our 2003 domain. I seem to be getting thousands of messages about failure audits:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/27/2011
Time: 8:17:02 AM
User: NT AUTHORITY\SYSTEM
Computer: MHX1
Description:
Pre-authentication failed:
User Name: renmat
User ID: CITY\renmat
Service Name: krbtgt/CITY
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: x.x.x.x
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/27/2011
Time: 8:12:54 AM
User: NT AUTHORITY\SYSTEM
Computer: MHX1
Description:
Pre-authentication failed:
User Name: ambtho
User ID: CITY\ambtho
Service Name: krbtgt/CITY
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: x.x.x.x
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/27/2011
Time: 8:05:39 AM
User: NT AUTHORITY\SYSTEM
Computer: MHX1
Description:
Pre-authentication failed:
User Name: rantav
User ID: CITY\rantav
Service Name: krbtgt/CITY
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: x.x.x.x
I am getting so many of these I've had to turn auditing off again. I've read a lot of articles and posts on sites including this one. The issue is that all the solutions don't work for me. The failures are for machines as well, not just users.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/27/2011
Time: 8:01:31 AM
User: NT AUTHORITY\SYSTEM
Computer: MHX1
Description:
Pre-authentication failed:
User Name: MHE5$
User ID: CITY\MHE5$
Service Name: krbtgt/CITY.domain.me.here
PreAuthentication Type: 0x0
Failure Code: 0x19
Client Address: x.x.x.x
I've looked at these answers:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a
http://social.technet.microsoft.com/Forums/en/winservergen/thread/2b152af2-1cad-4c68-8516-c45b91655c00
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2f2905ff-e221-46fb-bf3b-d4141833ce66/
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675
This is only a small number of the links I've been to.
Current configuration of domain:
Windows 2003 DCs x 3
Windows XP SP3 Clients x 1000+
Windows 2000 Clients/couple of member servers
Windows 2008 member servers.
Plan is to clean up AD and get migrated over to 2008 AD DS. Current functionality of AD is 2003.
Help if you can...
humv
June 27th, 2011 7:24pm
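Added example, not part of the original post: a small Python triage script that parses exported Event ID 675 text in the layout quoted above and counts failures per account, client and Kerberos error code, so that 0x19 (KDC_ERR_PREAUTH_REQUIRED, the KDC asking the client to retry with pre-authentication data) can be separated from 0x18 (KDC_ERR_PREAUTH_FAILED, typically a wrong password). The code names come from RFC 4120; the function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes as named in RFC 4120.
KRB_CODES = {
    0x18: "KDC_ERR_PREAUTH_FAILED",    # pre-auth data invalid, typically a wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # KDC asks the client to retry with pre-auth data
}

# Constructed sample in the layout of the events quoted in the post.
SAMPLE = """\
Event ID: 675
User Name: renmat
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: x.x.x.x
Event ID: 675
User Name: ambtho
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: x.x.x.x
Event ID: 675
User Name: MHE5$
PreAuthentication Type: 0x0
Failure Code: 0x19
Client Address: x.x.x.x
"""

FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(\S+)", re.M)

def parse_events(text):
    """Split exported text on 'Event ID: 675' and pull the fields used for triage."""
    events = []
    for chunk in re.split(r"(?m)^\s*Event ID:\s*675\s*$", text)[1:]:
        fields = dict(FIELD.findall(chunk))
        if "Failure Code" in fields:
            fields["Failure Code"] = int(fields["Failure Code"], 16)
            events.append(fields)
    return events

def triage(events):
    """Count failures per (account, client, code name); machine accounts end in '$'."""
    counts = Counter()
    for e in events:
        name = KRB_CODES.get(e["Failure Code"], hex(e["Failure Code"]))
        counts[(e.get("User Name", "?"), e.get("Client Address", "?"), name)] += 1
    return counts

def bad_password_accounts(counts):
    """Accounts with at least one 0x18 failure, the ones worth following up."""
    return sorted({u for (u, _, n) in counts if n == "KDC_ERR_PREAUTH_FAILED"})

if __name__ == "__main__":
    for key, n in triage(parse_events(SAMPLE)).most_common():
        print(n, *key)
```
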
Have you checked for a virus? It may be hacked.
June 29th, 2011 3:04pm
Multiple scans with different software packages and nothing...
humv
June 30th, 2011 7:24pm