Kerberos Events
Hi there,

I've been looking at my WK3 DC's security event log and I'm seeing a lot of failures. I'm getting a whole stack from one server in particular that I don't understand. It looks like the below:

    Pre-authentication failed:
    User Name: username
    User ID: domain\username
    Service Name: krbtgt/domain
    Pre-Authentication Type: 0x0
    Failure Code: 0x18
    Client Address: 192.x.x.x

From what I've been reading, the 0x18 failure code means pre-authentication information was invalid, which usually means bad password. If this account (which happens to be a heavily used domain admin account) keeps trying to authenticate with a bad password, why is the account not being locked out, which it most definitely is not?

Another event I keep getting is almost exactly the same (it's a Pre-authentication failed event) except the failure code is 0x19. Apparently that code means "additional pre-authentication required". What exactly does that mean and what would cause the event to be logged? What is slightly worrying about this event is that in many cases the account that is causing the event to be logged is the same domain admin account, but this time the event is coming from numerous different client PCs which already have standard users interactively logged onto them. It looks like this:

    Pre-authentication failed:
    User Name: domainAdminCccount
    User ID: domain\domainAdminCccount
    Service Name: krbtgt/domain
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 192.x.x.x

Any ideas?

Hibs Ya Bass!
November 24th, 2010 6:11pm

Hi,

Is there any computer running Windows Vista (or later version) in the domain? The following thread could help you understand the event:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2f2905ff-e221-46fb-bf3b-d4141833ce66

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 29th, 2010 2:27am

> Hi, Is there any computer running Windows Vista (or later version) in the domain? The following thread could help you understand the event:
> http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2f2905ff-e221-46fb-bf3b-d4141833ce66

Yes, there are quite a few Vista machines on the network. Straight after the above pre-authentication failure I get a successful Authentication Ticket Request like this:

    Authentication Ticket Request:
    User Name: username
    Supplied Realm Name: domain
    User ID: domain\username
    Service Name: krbtgt
    Service ID: IHC\krbtgt
    Ticket Options: 0x40810010
    Result Code: -
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2
    Client Address: 192.x.x.x
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

And then another event like this:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: username
    Source Workstation: MACHINE_NAME
    Error Code: 0x0

If this is expected behaviour for a Vista machine then fair enough, but my worry is that the account that is mentioned in all the events is a domain admin account and I know from the MACHINE_NAME that only standard users should be logging onto it.

Hibs Ya Bass!
November 29th, 2010 5:15pm

Hi,

Will the domain admin account be locked out? I suggest that you check if there is any service or scheduled task running under the domain admin credential.

Hope it helps.
December 1st, 2010 2:56am

> Hi, Will the domain admin account be locked out? I suggest that you check if there is any service or schedule task running in the domain admin credential. Hope it helps.

As I said in my OP, the account is not being locked out and that's one of the reasons I'm confused. I've already reset all the passwords on the services using the account too, but that didn't help.

Hibs Ya Bass!
December 1st, 2010 3:01pm

This topic is archived. No further replies will be accepted.
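
An added example, not part of the thread: a Python triage of event descriptions in the flattened layout quoted above. It separates 0x18 failures from 0x19 events that are followed by a successful ticket request for the same account and client address. The account name, realm and 192.0.2.x addresses are constructed samples, and reading `Result Code: -` as success is an assumption taken from the event the poster calls successful.

```python
import re
from collections import Counter, defaultdict

PREAUTH_FAILED, PREAUTH_REQUIRED = 0x18, 0x19  # failure codes discussed in the thread
LABELS = ["User Name", "Supplied Realm Name", "User ID", "Service Name", "Service ID",
          "Ticket Options", "Result Code", "Ticket Encryption Type",
          "Pre-Authentication Type", "Failure Code", "Client Address"]
LABEL_RE = re.compile("(%s):" % "|".join(map(re.escape, LABELS)))

def parse_event(text):
    """Split one flattened event description into its title and labelled fields."""
    title, _, rest = text.partition(":")
    parts = LABEL_RE.split(rest)  # [prefix, label, value, label, value, ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    fields["Event"] = title.strip()
    return fields

def triage(events):
    """Summarise events per (user, client address), in log order."""
    summary, pending = defaultdict(Counter), Counter()
    for ev in map(parse_event, events):
        key = (ev.get("User Name"), ev.get("Client Address"))
        if ev["Event"] == "Pre-authentication failed":
            code = int(ev["Failure Code"], 16)
            if code == PREAUTH_FAILED:
                summary[key]["bad_preauth"] += 1
            elif code == PREAUTH_REQUIRED:
                pending[key] += 1  # wait to see whether a ticket request follows
        elif ev["Event"] == "Authentication Ticket Request" and ev.get("Result Code") == "-":
            # Assumption: "Result Code: -" marks success, as in the quoted event.
            if pending[key]:
                pending[key] -= 1
                summary[key]["preauth_then_ticket"] += 1
            else:
                summary[key]["ticket"] += 1
    for key, n in pending.items():
        if n:
            summary[key]["preauth_required_unanswered"] += n
    return {k: dict(v) for k, v in summary.items()}

# Constructed sample events (account, realm and addresses are made up).
FAIL = ("Pre-authentication failed: User Name: {u} User ID: CORP\\{u} Service Name: krbtgt/CORP "
        "Pre-Authentication Type: 0x0 Failure Code: {code} Client Address: {ip}")
TICKET = ("Authentication Ticket Request: User Name: {u} Supplied Realm Name: CORP User ID: CORP\\{u} "
          "Service Name: krbtgt Service ID: CORP\\krbtgt Ticket Options: 0x40810010 Result Code: - "
          "Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: {ip}")
SAMPLE = ([FAIL.format(u="admin1", code="0x19", ip="192.0.2.10"),
           TICKET.format(u="admin1", ip="192.0.2.10")]
          + [FAIL.format(u="admin1", code="0x18", ip="192.0.2.50")] * 3
          + [FAIL.format(u="admin1", code="0x19", ip="192.0.2.11")])
```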
