Understanding 675 Failures Followed by 672 and 673 Success
We have a monitoring service running on Server 2008 that does a check of a directory stored on Server 2003 (which is also a DC). Our monitor shows us some failed events that it could not find the directory but then also says it was successful in looking in the directory.
On the event log for the Server 2003 DC there is a Failure 675 followed by Success Audits of 672 and 673. Looks like the pre-authentication fails but authentication passes right after.
Can someone describe to me how it would fail and then succeed? Is it because of the encryption being used with Kerberos? If so, what encryption does it fail over to for a successful audit?
February 3rd, 2012 1:23pm
Can someone describe to me how it would fail and then succeed? Is it because of the encryption being used with Kerberos? If so, what encryption does it fail over to for a successful audit?
Windows 2008/7/Vista uses AES by default for Kerberos encryption, which a Windows 2003-based DC cannot support, so a failed audit event 675 is logged on the DC.
Then the 2008 server tries the next best encryption for the Kerberos message that is understood by Windows 2003 (RC4 & DES).
Gopi Kiran | This posting is provided AS IS with no warranties, and confers no rights.
February 3rd, 2012 4:51pm
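One way to separate the fail-then-succeed pattern described above from 675 failures that deserve a closer look when reviewing the DC's Security log, as an added example that is not part of the thread. The record layout, the sample events, the 5-second window and the label names are assumptions constructed for illustration; the encryption type reported on the matching 672 shows what the client fell back to.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), as they might be exported
# from the DC's Security log: (time, event ID, user, client address,
# 675 failure code, 672/673 ticket encryption type).
SAMPLE = [
    ("2012-02-03 13:00:00", 675, "svc-monitor", "10.0.0.20", 0x19, None),
    ("2012-02-03 13:00:00", 672, "svc-monitor", "10.0.0.20", None, 0x17),
    ("2012-02-03 13:00:01", 673, "svc-monitor", "10.0.0.20", None, 0x17),
    ("2012-02-03 13:05:00", 675, "jdoe", "10.0.0.31", 0x18, None),
    ("2012-02-03 13:05:03", 672, "jdoe", "10.0.0.31", None, 0x17),
    ("2012-02-03 13:09:00", 675, "admin", "10.0.0.99", 0x18, None),
]

PREAUTH_FAILED = 0x18  # RFC 4120 KDC_ERR_PREAUTH_FAILED: wrong key or password
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x03: "DES-CBC-MD5",
               0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def classify_675(records, window_seconds=5):
    """Label every 675 by whether a 672 success follows for the same user and
    client within the window, and report the etype of that success."""
    window = timedelta(seconds=window_seconds)
    successes = [r for r in records if r[1] == 672]
    results = []
    for when, event_id, user, client, code, _ in records:
        if event_id != 675:
            continue
        match = next(
            (s for s in successes
             if s[2].lower() == user.lower() and s[3] == client
             and timedelta(0) <= _ts(s[0]) - _ts(when) <= window),
            None,
        )
        if match is None:
            label, etype = "no-success", None  # failure stands alone: investigate
        elif code == PREAUTH_FAILED:
            label, etype = "bad-key-then-success", match[5]  # wrong key first: review
        else:
            label, etype = "retry-succeeded", match[5]  # the pattern in this thread
        results.append((user, client, label, ETYPE_NAMES.get(etype, etype)))
    return results

if __name__ == "__main__":
    for row in classify_675(SAMPLE):
        print(row)
```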
Thanks Gopi. This is great information. So the way around this is to lower the authentication from Server 2008/Windows 7/Vista etc?
February 3rd, 2012 5:20pm
To change the default protocol, on Windows 2008 server, create the following registry value and restart the computer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)
Gopi Kiran | This posting is provided AS IS with no warranties, and confers no rights.
February 3rd, 2012 5:41pm