Event ID: 675

slawrie

Can anyone tell me how to begin troubleshooting this issue? The IP address in
question is a DC running DHCP and DNS. I am getting continual
Pre-authentication failures although the network seems to be running fine.
This account is not the only one giving me the failures.

Pre-authentication failed:
User Name: Administrator
User ID: Domain\Administrator
Service Name: krbtgt/Domain.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.60.9

Thanks,

Steve
 
Jon Holvoet

Here is a general explanation of your error:

http://www.ultimatewindowssecurity.com/Details.aspx?ID=117

Specifically for the 0x18: Pre-authentication information was invalid ->
Usually means bad password
Perhaps a fixed config in some sort of utility on these machines?

You have the time-stamps, and the IP address. Try to find what applications /
scripts run at that time. Maybe use Wireshark to see the traffic leaving for
clues, ...

In my experience this is generally a third-party application or script with
fixed credentials that performs scheduled tasks, and with an old password.

--

Jon Holvoet
MCSA / MCSE Security
Comptia Security+
CISSP


"slawrie" <slawrie@discussions.microsoft.com> wrote in message
news:F856643E-BFA3-41C8-9EFE-1755F815B902@microsoft.com...
> Can anyone tell me how to begin troubleshooting this issue? The IP address
> in
> question is a DC running DHCP and DNS. I am getting continual
> Pre-authentication failures although the network seems to be running fine.
> This account is not the only one giving me the failures.
>
> Pre-authentication failed:
> User Name: Administrator
> User ID: Domain\Administrator
> Service Name: krbtgt/Domain.LOCAL
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 172.16.60.9
>
> Thanks,
>
> Steve
 
LAMP90

In my experience, certain NORMAL operations can cause authentication errors.
For instance, a common technique for programs to find out if a username has a
password is to try logging in WITHOUT one. That could cause a message like
that.
In such cases, I would expect to find another message shortly thereafter
with a successful authentication, when the user is prompted for the password
and one is entered successfully.
That, assuming you are ALSO tracking successful authentications so you can
see the successful login event as well.

"Jon Holvoet" wrote:

> Here is a general explanation of your error:
>
> http://www.ultimatewindowssecurity.com/Details.aspx?ID=117
>
> Specifically for the 0x18: Pre-authentication information was invalid ->
> Usually means bad password
> Perhaps a fixed config in some sort of utility on these machines?
>
> You have the time-stamps, and the IP address. Try to find what applications /
> scripts run at that time. Maybe use Wireshark to see the traffic leaving for
> clues, ...
>
> In my experience this is generally a third-party application or script with
> fixed credentials that performs scheduled tasks, and with an old password.
>
> --
>
> Jon Holvoet
> MCSA / MCSE Security
> Comptia Security+
> CISSP
>
>
> "slawrie" <slawrie@discussions.microsoft.com> wrote in message
> news:F856643E-BFA3-41C8-9EFE-1755F815B902@microsoft.com...
> > Can anyone tell me how to begin troubleshooting this issue? The IP address
> > in
> > question is a DC running DHCP and DNS. I am getting continual
> > Pre-authentication failures although the network seems to be running fine.
> > This account is not the only one giving me the failures.
> >
> > Pre-authentication failed:
> > User Name: Administrator
> > User ID: Domain\Administrator
> > Service Name: krbtgt/Domain.LOCAL
> > Pre-Authentication Type: 0x2
> > Failure Code: 0x18
> > Client Address: 172.16.60.9
> >
> > Thanks,
> >
> > Steve
 
Adrian Grigorof

How about the client IP address, is it the same? The other users, are they
"regular" ones or special (like in the message you mentioned)?

Here you can find some suggestions about event id 675:
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

--

Regards,
Adrian Grigorof
www.eventid.net - Troubleshooting information for over 9000 Windows event
IDs
www.altairtech.ca/evlog - Free event log monitoring


"slawrie" <slawrie@discussions.microsoft.com> wrote in message
news:F856643E-BFA3-41C8-9EFE-1755F815B902@microsoft.com...
> Can anyone tell me how to begin troubleshooting this issue? The IP address
> in
> question is a DC running DHCP and DNS. I am getting continual
> Pre-authentication failures although the network seems to be running fine.
> This account is not the only one giving me the failures.
>
> Pre-authentication failed:
> User Name: Administrator
> User ID: Domain\Administrator
> Service Name: krbtgt/Domain.LOCAL
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 172.16.60.9
>
> Thanks,
>
> Steve
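
The triage the replies above describe (group the 0x18 failures by client address and account, look at the timestamps, and check whether a success follows shortly after), as an added example that is not part of any poster's message. The record layout with `Time` and `Event ID` header lines, the use of event 672 as the successful ticket request, the `jsmith` account, the second address, all timestamps, and the names `parse` and `triage` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The "Time" and "Event ID" header lines are an
# assumed layout; the remaining fields follow the event text quoted in the thread.
REC = "Time: {}\nEvent ID: {}\nUser Name: {}\nFailure Code: {}\nClient Address: {}"
SAMPLE = "\n\n".join(REC.format(*f) for f in [
    ("2008-01-15 02:00:01", 675, "Administrator", "0x18", "172.16.60.9"),
    ("2008-01-15 03:00:01", 675, "Administrator", "0x18", "172.16.60.9"),
    ("2008-01-15 08:31:10", 675, "jsmith", "0x18", "172.16.60.21"),
    ("2008-01-15 08:31:25", 672, "jsmith", "-", "172.16.60.21"),  # assumed success
])

def parse(text):
    """Yield one dict of 'Field: value' pairs per blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        rec = {k.strip(): v.strip() for k, v in pairs}
        rec["Time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def triage(text, window=timedelta(minutes=2)):
    """Per (client, user): 0x18 failures and how many had no success within window."""
    records = sorted(parse(text), key=lambda r: r["Time"])
    ok = [r for r in records if r["Event ID"] == "672"]
    report = defaultdict(lambda: {"failures": 0, "unresolved": 0, "times": []})
    for r in records:
        if r["Event ID"] != "675" or r.get("Failure Code", "").lower() != "0x18":
            continue
        key = (r["Client Address"], r["User Name"])
        # A success for the same client and account shortly after the failure
        # points to a mistyped or probed password rather than a stale credential.
        followed = any((s["Client Address"], s["User Name"]) == key
                       and timedelta(0) <= s["Time"] - r["Time"] <= window
                       for s in ok)
        report[key]["failures"] += 1
        report[key]["unresolved"] += int(not followed)
        report[key]["times"].append(r["Time"].strftime("%H:%M:%S"))
    return dict(report)

if __name__ == "__main__":
    for (client, user), row in triage(SAMPLE).items():
        print(client, user, row)
```

Pairs whose failures stay unresolved and recur at regular times are the ones to match against scheduled tasks, services and scripts on that client address.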
 