Exchange
--
Questions
--
Followers
Top Experts
Failed kerberos service ticket request
I just started receiving an error message on a primary domain controller (PDC):
--------------------------
Event Type: Â Â Â Â Â Failure Audit
Event Source: Â Â Â Â Â Security
Event Category: Â Â Â Â Â Account Logon
Event ID: Â Â Â Â Â 673
Date: Â Â Â Â Â Â Â Â Â Â Â 8/6/2010
Time: Â Â Â Â Â Â Â Â Â Â Â 1:36:41 PM
User: Â Â Â Â Â Â Â Â Â Â Â NT AUTHORITY\SYSTEM
Computer: Â Â Â Â Â PDC
Description:
Service Ticket Request:
      User Name:            EXCHANGE$@TEST.LOCAL
      User Domain:            TEST.LOCAL
      Service Name:            test1
      Service ID:            -
      Ticket Options:            0x40810000
      Ticket Encryption Type:      -
      Client Address:            192.168.1.1
      Failure Code:            0x1B
      Logon GUID:            -
      Transited Services:      -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
This error only occurs immediately after pressing the "Find now" button to search for emails in the Message Tracking Center in Exchange System Manager. Â Exchange System Manager is installed on an administration machine (admin1) for remote administration of exchange.
In the example above the User Name is the name of our exchange server, the service name is the name of the user logged on at the remote administration machine (admin1). Â
Performing the same thing on the exchange server itself doesn't cause the error above to occur on the PDC. Â
Exchange server is running Exchange 2003
Remote admin client is Windows XP
PDC is Windows 2003 server
This error doesn't actually affect the message tracking process and the messages are displayed after clicking the "Find Now" button. Â However, I just wondering why this is occurring? Â
--------------------------
Event Type: Â Â Â Â Â Failure Audit
Event Source: Â Â Â Â Â Security
Event Category: Â Â Â Â Â Account Logon
Event ID: Â Â Â Â Â 673
Date: Â Â Â Â Â Â Â Â Â Â Â 8/6/2010
Time: Â Â Â Â Â Â Â Â Â Â Â 1:36:41 PM
User: Â Â Â Â Â Â Â Â Â Â Â NT AUTHORITY\SYSTEM
Computer: Â Â Â Â Â PDC
Description:
Service Ticket Request:
      User Name:            EXCHANGE$@TEST.LOCAL
      User Domain:            TEST.LOCAL
      Service Name:            test1
      Service ID:            -
      Ticket Options:            0x40810000
      Ticket Encryption Type:      -
      Client Address:            192.168.1.1
      Failure Code:            0x1B
      Logon GUID:            -
      Transited Services:      -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
This error only occurs immediately after pressing the "Find now" button to search for emails in the Message Tracking Center in Exchange System Manager. Â Exchange System Manager is installed on an administration machine (admin1) for remote administration of exchange.
In the example above the User Name is the name of our exchange server, the service name is the name of the user logged on at the remote administration machine (admin1). Â
Performing the same thing on the exchange server itself doesn't cause the error above to occur on the PDC. Â
Exchange server is running Exchange 2003
Remote admin client is Windows XP
PDC is Windows 2003 server
This error doesn't actually affect the message tracking process and the messages are displayed after clicking the "Find Now" button. Â However, I just wondering why this is occurring? Â
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
As far as I know that error event is becasue of Kerberos ticket has expired. Â It's not really a security issue unless you have a failed logon attempt with an actual user name.
This article explains how Kerberos works in the Windows environment and how to understand the cryptic codes your find in the security log
http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
This article explains how Kerberos works in the Windows environment and how to understand the cryptic codes your find in the security log
http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
The failure code 0x1B is not a kerberos ticket expiration. Â A failure code of 0x20 is.
http://technet.microsoft.com/en-us/library/bb463166.aspx
http://technet.microsoft.com/en-us/library/bb463166.aspx
I'm not really worried about it being a security event I'm just trying to find out why it has started occurring. Â This didn't use to happen on this machine.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Is this issue only with admin1 machine ?
did you tried to restart admin1 and then check if the issue reproduces or not ?
Also could you check with some other account other than test1
did you tried to restart admin1 and then check if the issue reproduces or not ?
Also could you check with some other account other than test1
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Exchange
--
Questions
--
Followers
Top Experts
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.