Your solution seems to apply to a Win2k Kerberos issue. The hotfix is from 2005... I saw this on the eventviewer site as well but disregarded it as I am not running Win2k.
Failure Audit Event ID: 673 on my DC for a specific user every 30 seconds.
Server/DC is:
2k3 SP2 x64.
Client/User is:
XP SP3 x86.
Not locked out.
Has not recently and does not need to change their NT password.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 2/12/2009
Time: 2:32:23 PM
User: NT AUTHORITY\SYSTEM
Computer: [DC]
Description:
Service Ticket Request:
User Name: [user@domain.com]
User Domain: [domain]
Service Name: [user's name]
Service ID: -
Ticket Options: 0x40800000
Ticket Encryption Type: -
Client Address: x.x.24.82
Failure Code: 0x1B
Logon GUID: -
Transited Services: -
Have you tried forcing Kerberos to use TCP: http://support.microsoft.c
See if these help:
http://
setspn -A HTTP/<NetBIOS name>:8080 <MyDomain\TFSSERVICE>
setspn -A HTTP/<FQDN>:8080 <MyDomain\TFSSERVICE>
I've reviewed that documentation and wasn't able to find anything that pertained:
1st Link: Talked about a failed service logon due to bad credentials.
2nd Link: Talked about different Kerberos errors. The problem is that the user in question is not having any authentication problems or otherwise limitations due to this error on the DC.
Still no luck, anything else that you'd all recommend?
I've read through that doc and I'm still confused. This fix doesn't seem to apply to my situation. This fix is to resolve a Kerberos issue with a service.
Perhaps I just don't get the concept behind the KB. Wouldn't I be having issues with all accounts or at least a "service" if what I've read in this KB is correct?
Is the "service" referenced the user's logon token? Her user account isn't attached to any services on any server.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 2/12/2009
Time: 2:32:23 PM
User: NT AUTHORITY\SYSTEM
Computer: [DC]
Description:
Service Ticket Request:
User Name: [user@domain.com]
User Domain: [domain]
Service Name: [user's name]
Service ID: -
Ticket Options: 0x40800000
Ticket Encryption Type: -
Client Address: x.x.24.82
Failure Code: 0x1B
"0x1B - KDC_ERR_MUST_USE_USER2USER
http://technet.micros
You have a Kerberos issue
Troubleshooting Kerberos Errors
I've been looking everywhere that I can, reading KBs, etc and I still can't track this down.
Ok, I get it, it's a Kerberos issue. But based on what I've read that's too broad of a classification.
Is there a way to determine what service could be missing a SPN? This makes no sense to me as this user is the only user that is having this problem. The service listed in the event log is her logon name....
Any further help or suggestions?
It turned out that there was a problem with our firewall's reference to the DNS. The DNS changed also from Server 'A' to Server 'B' but we didn't make the change in our firewall. Once we changed the reference in our firewall from the IP for the Server 'A' to the IP for Server 'B', everything started working again. ..... source link for more, if applicable here:
How current is server 2003 with updates? Also end-user stations?
Curious what happened when you checked this out - results? Synopsis and link follow and you'll note we're at the server level here
Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003
http://support.microso
Thank you for responding.
Our Firewall does not control our DNS like apparently yours does. Our DC does all DNS routing for the LAN and WAN.
Our servers are 2k3 SP2 + all updates.
Desktops are up to date as well. Mix of XP SP2/3 and 2k SP4.
From that KB:
1. I have a native 2k3 domain.
2. The hotfix suggested seems to "suppress" the events and doesn't actually resolve the problem that is causing those events. It's also for Windows 2000 Service Pack 3 (SP3).
3. The only other item in that KB talks about a timeout increase via reg hack.
Anything else you'd suggest?
Getting the same 673 failure events with Ticket Options 0x40800000 and Failure Code 0x1B.
Hundreds of these failures are generated daily on two different local DCs from four users of a database application.
Differences from the original poster are that the events are being generated when users of a database application (custom front-end, SQL 2005 back end) do anything in the application. The 673 failures note the service name as the name of the application - 'ACCUAPP' (not the real name) - but there is not an 'ACCUAPP' service on the database server or the DCs. The 673 failure events are followed immediately in the logs by 673 success events. The application works fine and users see no errors from Windows or the application. Application developer says the problem is with my network not their application (nice, I know).
Workstations are XP SP3 fully patched
DCs are 2003 SP2 Standard Edition
SQL Server is 2003 SP2 Standard Edition, member server with MS SQL 2005
I'm new to the forums - hopefully I'm adding information to an existing problem and not stealing someone's thread. Just printed the 60 page MS Troubleshooting Kerberos Errors document. Will post back if I find a solution.
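Added example (not part of any post in this thread, and not Microsoft's tooling): a triage script for the pattern described above, which parses Event ID 673 records, decodes the Ticket Options value, and lists the 0x1B failures that are not followed by a success for the same user, service and client. The sample events, the blank-line-separated text export format and the 2-second pairing window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# RFC 4120 KDCOptions bits present in the thread's Ticket Options value 0x40800000
KDC_OPTIONS = {0x40000000: "forwardable", 0x00800000: "renewable"}
MUST_USE_USER2USER = 0x1B  # failure code quoted in the thread

# Constructed sample (not from the thread); assumes events are exported as
# "Key: value" text blocks separated by blank lines.
TEMPLATE = ("Event Type: {0} Audit\nEvent ID: 673\nDate: 9/1/2009\nTime: {1}\n"
            "User Name: {2}\nService Name: {3}\nTicket Options: 0x40800000\n"
            "Client Address: {4}\nFailure Code: {5}\n")
SAMPLE = "\n".join(TEMPLATE.format(*row) for row in [
    ("Failure", "2:32:23 PM", "alice@example.test", "ACCUAPP", "10.0.0.82", "0x1B"),
    ("Success", "2:32:23 PM", "alice@example.test", "ACCUAPP", "10.0.0.82", "-"),
    ("Failure", "2:40:00 PM", "bob@example.test", "bob", "10.0.0.90", "0x1B"),
])

def parse_events(text):
    """Turn each blank-line-separated block into a dict of its 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M)
        ev = {k.strip(): v.strip() for k, v in pairs}
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                       "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def decode_options(hex_value):
    """Name the KDCOptions bits set in a 'Ticket Options' field."""
    value = int(hex_value, 16)
    return [name for bit, name in KDC_OPTIONS.items() if value & bit]

def unpaired_failures(events, window=timedelta(seconds=2)):
    """0x1B failures with no success for the same user/service/client in `window`."""
    key = lambda e: (e["User Name"], e["Service Name"], e["Client Address"])
    ok = [e for e in events if e["Event Type"].startswith("Success")]
    return [f for f in events
            if f["Event Type"].startswith("Failure") and f["Failure Code"] != "-"
            and int(f["Failure Code"], 16) == MUST_USE_USER2USER
            and not any(key(s) == key(f)
                        and timedelta(0) <= s["when"] - f["when"] <= window
                        for s in ok)]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(decode_options(evs[0]["Ticket Options"]))
    for f in unpaired_failures(evs):
        print(f["when"], f["User Name"], f["Service Name"], f["Client Address"])
```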
Yeah, so a 'call for experts' went out on Saturday of Labor Day weekend. No one responded between then and this morning so the post is being deleted. Makes sense to me.
How do we complain about overzealous moderators? In life and in IT there are questions which haven't been answered. Why can't this post exist as an unanswered question?
How do we complain about overzealous moderators?
Good point. I'm not sure about you but I wasn't thinking about IT the whole weekend and I'm sure the "experts" weren't either.
Not only that but I'm probably going to be opening a ticket with Microsoft.
If this happens I WILL find the answer and I will post my results here...well assuming that they don't just delete my question.
Hi, what is running on this workstation? What services are AD dependent? Anything out of the ordinary apps or running that require LDAP auth (for example, does it have a printer or scanner attached to it with print/scanning services shared through AD?)
Also, check the time in your realm (domain) and check the time on that workstation. Ensure that the BIOS isn't driving that system's clock off.
What is happening here is that something with the client is constantly trying to access a resource (some where on your domain) and it is using the resource and then requesting yet another ticket, but it can't get one because the previous service ticket still hasn't expired. Again, you will usually see this with services that are specific to a user's application like printing / print sharing or SNMP requests to that workstation.
A few things you can try: check the services and see what is running. Determine if that workstation has another purpose other than being a place for someone to collect mail and work with documents, etc, go to msconfig and click on the startup tab and see what is running at startup. This may be an old program, or a service running with old credentials. You need to ensure that all service accounts are up to date.
Please post back.
HTH
MightySW -
1. MS Office 2k3, Network Printers, 1 local printer, a web based HR program that authenticates to another domain and site, AV, nothing out of the ordinary.
2. I don't have any AD dependent services running.
3. No apps that are AD dependent other than file sharing and Outlook.
4. I've ensured that time is being enforced on the client. A net time shows proper GP enforcement as well. Also checked gpresult.
5. Interesting point, I don't have any SNMP services running. Her local printer isn't shared out over the network.
6. All accounts on services are running: Local System or Network Service. I didn't see anything out of the ordinary services wise. I also checked msconfig/hijackthis and didn't see anything strange there.
I appreciate your help here, I look forward to further feedback.
I'll tell you right now that Printers are notorious for this type of behavior. Granted that it is not shared so this may not be the issue.
Have you logged in with another user (new profile) to see if the 673 is as repetitive or goes away completely?
Have you run wireshark from a hub in her office or directly off her workstation to see if there are corresponding packets that are processed the same time that the event fires?
Let me know.
1. I'll go ahead and check another account on her system. I haven't done that yet. It's hard to get to her machine because of what she does.
2. I haven't done any packet sniffing on her system but it may come down to that. Again, I'll try tomorrow at lunch and see if I can get any results from either of these two suggestions.
Thanks again!
I'm pleased you have additional expertise here and apologize for my lack of presence in this question. This is not my area of expertise, so didn't want to clog the Q with research and guesses. I did think this link http://support.microsoft.c
Best of luck.
Asta
I was finally able to spend some time on the client's system.
Some information and changes that I made:
1. Disabled firewall service (I have the firewall disabled through GP anyway).
2. Completed several Windows updates (damn WSUS doesn't update installer...grrr.)
3. Shared and unshared local printer.
4. Completed a netdiag = all clear.
5. Forced a gpupdate and net time = all clear.
6. Deleted an HP printer service and removed an HP startup app.
7. Monitored Wireshark for some time and didn't see anything except for:
Wireshark Capture:
"126","13.112413","10.36.2
Here are some possibly applicable event ids:
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/22/2009
Time: 7:51:37 AM
User: NT AUTHORITY\SYSTEM
Computer: FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.
Process identifier: 756
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 500
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fw
--------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/22/2009
Time: 7:51:42 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchos
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55853
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fw
-------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/22/2009
Time: 7:51:57 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchos
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 58666
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fw
------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/22/2009
Time: 7:52:11 AM
User: NT AUTHORITY\LOCAL SERVICE
Computer: FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchos
Process identifier: 1380
User account: LOCAL SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1900
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fw
by: dstewartjr Posted on 2009-02-17 at 19:09:11 ID: 23666624
Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003