Kerberos Events
Hi there,
I've been looking at my WK3 DC's security event log and I'm seeing a lot of failures. I'm getting a whole stack from one server in particular that I don't understand. It looks like the below:
Pre-authentication failed:
User Name: username
User ID: domain\username
Service Name: krbtgt/domain
Pre-Authentication Type: 0x0
Failure Code: 0x18
Client Address: 192.x.x.x
From what I've been reading, the 0x18 failure code means pre-authentication information was invalid, which usually means bad password. If this account (which happens to be a heavily used domain admin account) keeps trying to authenticate with a bad password, why is the account not being locked out, which it most definitely is not?
Another event I keep getting is almost exactly the same (it's a Pre-authentication failed event) except the failure code is 0x19. Apparently that code means "additional pre-authentication required". What exactly does that mean and what would cause the event to be logged? What is slightly worrying about this event is that in many cases the account that is causing the event to be logged is the same domain admin account, but this time the event is coming from numerous different client PCs which already have standard users interactively logged onto them. It looks like this:
Pre-authentication failed:
User Name: domainAdminCccount
User ID: domain\domainAdminCccount
Service Name: krbtgt/domain
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.x.x.x
Any ideas?
Hibs Ya Bass!
November 24th, 2010 6:11pm
Hi,
Is there any computer running Windows Vista (or later version) in the domain?
The following thread could help you understand the event:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2f2905ff-e221-46fb-bf3b-d4141833ce66
November 29th, 2010 2:27am
Yes, there are quite a few Vista machines on the network. Straight after the above pre-authentication failure I get a successful Authentication Ticket Request like this:
Authentication Ticket Request:
User Name: username
Supplied Realm Name: domain
User ID: domain\username
Service Name: krbtgt
Service ID: IHC\krbtgt
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 192.x.x.x
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
And then another event like this
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: username
Source Workstation: MACHINE_NAME
Error Code: 0x0
If this is expected behaviour for a Vista machine then fair enough but my worry is that the account that is mentioned in all the events is a domain admin account and I know from the MACHINE_NAME that only standard users should be logging onto it.
Hibs Ya Bass!
November 29th, 2010 5:15pm
Hi,
Will the domain admin account be locked out?
I suggest that you check if there is any service or scheduled task running under the domain admin credential.
Hope it helps.
December 1st, 2010 2:56am
As I said in my OP the account is not being locked out and that's one of the reasons I'm confused. I've already reset all the passwords on the services using the account too but that didn't help.
Hibs Ya Bass!
December 1st, 2010 3:01pm
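An added example (not part of any post in this thread): a Python triage of events in the layout quoted above. It pairs each 0x19 (KDC_ERR_PREAUTH_REQUIRED, the KDC's reply to a request sent without pre-authentication data) with the successful ticket request that follows it, and counts 0x18 (KDC_ERR_PREAUTH_FAILED) per account and client address so the source of the bad passwords stands out. The sample events, account names, realm and addresses are constructed, and the log is assumed to be exported as blank-line-separated text, oldest first.

```python
import re
from collections import Counter

# Constructed events in the layout quoted in the thread, oldest first.
# Account names, realm and addresses are made up for this example.
FAIL = ("Pre-authentication failed:\nUser Name: {u}\nService Name: krbtgt/EXAMPLE\n"
        "Pre-Authentication Type: 0x0\nFailure Code: {c}\nClient Address: {a}\n")
OK = ("Authentication Ticket Request:\nUser Name: {u}\nService Name: krbtgt\n"
      "Result Code: -\nPre-Authentication Type: 2\nClient Address: {a}\n")
SAMPLE = "\n".join([
    FAIL.format(u="da-admin", c="0x19", a="192.0.2.10"),  # challenge ...
    OK.format(u="da-admin", a="192.0.2.10"),              # ... then a ticket
    FAIL.format(u="da-admin", c="0x18", a="192.0.2.44"),  # bad password
    FAIL.format(u="da-admin", c="0x18", a="192.0.2.44"),
    FAIL.format(u="alice", c="0x19", a="192.0.2.77"),     # never completed
])

def parse(text):
    """Turn blank-line-separated event text into dicts of its 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        ev = {"Event": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def triage(events):
    """Count 0x18 per (user, client); list 0x19 never followed by a ticket."""
    bad, pending = Counter(), []
    for ev in events:
        who = (ev.get("User Name", "").lower(), ev.get("Client Address", ""))
        if ev["Event"] == "Pre-authentication failed":
            code = int(ev.get("Failure Code", "0"), 16)
            if code == 0x18:        # KDC_ERR_PREAUTH_FAILED
                bad[who] += 1
            elif code == 0x19:      # KDC_ERR_PREAUTH_REQUIRED
                pending.append(who)
        elif ev["Event"] == "Authentication Ticket Request":
            # "-" is the Result Code shown on the successful request in the thread
            if ev.get("Result Code") == "-" and who in pending:
                pending.remove(who)  # the challenge was answered
    return bad, pending

if __name__ == "__main__":
    bad, pending = triage(parse(SAMPLE))
    print("bad passwords:", dict(bad))
    print("unanswered 0x19:", pending)
```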