Question

Failure Audit Event ID: 673 on DC for specific user every 30 seconds.

Asked by: WilkinsIT

Failure Audit Event ID: 673 on my DC for a specific user every 30 seconds.

Server/DC is:
2k3 SP2 x64.

Client/User is:
XP SP3 x86.
Not locked out.
Has not recently and does not need to change their NT password.



Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            2/12/2009
Time:            2:32:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [DC]
Description:
Service Ticket Request:
       User Name:            [user@domain.com]
       User Domain:            [domain]
       Service Name:            [user's name]
       Service ID:            -
       Ticket Options:            0x40800000
       Ticket Encryption Type:      -
       Client Address:            x.x.24.82
       Failure Code:            0x1B
       Logon GUID:            -
       Transited Services:      -

This question has been solved and asker verified.

Asked on: 2009-02-13 at 09:39:31, ID: 24141811

Tags: Server 2003, Failure Audit, Domain Controller

Topics: Microsoft Server, Microsoft Windows Operating Systems, Windows 2003 Server, Windows Network Security

Participating experts: 5, Points: 0, Comments: 42


Answers

 

by: WilkinsIT, posted on 2009-02-18 at 09:59:23, ID: 23672979

Your solution seems to apply to a Win2k Kerberos issue.  The hotfix is from 2005...  I saw this on the eventviewer site as well but disregarded it as I am not running Win2k.

 

by: dstewartjr, posted on 2009-02-18 at 10:09:41, ID: 23673092

Have you tried forcing Kerberos to use TCP: http://support.microsoft.com/kb/244474

 

by: dstewartjr, posted on 2009-02-18 at 10:19:04, ID: 23673201

 

by: dstewartjr, posted on 2009-02-18 at 10:21:11, ID: 23673217

 

by: WilkinsIT, posted on 2009-02-26 at 10:59:31, ID: 23748158

I've reviewed that documentation and wasn't able to find anything that pertained:

1st Link:  Talked about a failed service logon due to bad credentials.

2nd Link:  Talked about different Kerberos errors.  The problem is that the user in question is not having any authentication problems or otherwise limitations due to this error on the DC.

Still no luck, anything else that you'd all recommend?

 

by: dstewartjr, posted on 2009-02-26 at 11:12:50, ID: 23748348

Your specific error

"0x1B - KDC_ERR_MUST_USE_USER2USER: Server principal valid for user2user only"

 resolution here:

Service Logons Fail Due to Incorrectly Set SPNs

 

by: WilkinsIT, posted on 2009-02-26 at 14:22:15, ID: 23750642

I've read through that doc and I'm still confused.  This fix doesn't seem to apply to my situation.  This fix is to resolve a Kerberos issue with a service.

Perhaps I just don't get the concept behind the KB.  Wouldn't I be having issues with all accounts or at least a "service" if what I've read in this KB is correct?

Is the "service" referenced the user's logon token?  Her user account isn't attached to any services on any server.

 

by: dstewartjr, posted on 2009-02-26 at 18:50:47, ID: 23752265

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            2/12/2009
Time:            2:32:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [DC]
Description:
Service Ticket Request:
      User Name:            [user@domain.com]
      User Domain:            [domain]
      Service Name:            [user's name]
      Service ID:            -
      Ticket Options:            0x40800000
      Ticket Encryption Type:      -
      Client Address:            x.x.24.82
      Failure Code:            0x1B

"0x1B - KDC_ERR_MUST_USE_USER2USER: Server principal valid for user2user only"

http://technet.microsoft.com/en-us/library/cc738673.aspx


You have a Kerberos issue

Troubleshooting Kerberos Errors
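
To triage a run of events like the one quoted above, this added example (not code from the thread or from Microsoft) parses Event Viewer text for ID 673, decodes Ticket Options and Failure Code with RFC 4120 values, and groups repeats by user, service name and client address. The sample events, the account names `jdoe` and `asmith`, the service `host/fs01` and the address `10.0.0.82` are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Subset of RFC 4120 KDCOptions bits; the DC logs them as "Ticket Options".
KDC_OPTIONS = {
    0x40000000: "forwardable", 0x20000000: "forwarded",
    0x10000000: "proxiable", 0x08000000: "proxy",
    0x00800000: "renewable", 0x00000010: "renewable-ok",
    0x00000008: "enc-tkt-in-skey",  # set on user-to-user requests
    0x00000002: "renew", 0x00000001: "validate",
}
# Subset of RFC 4120 error codes; the DC logs them as "Failure Code".
KDC_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x18: "KDC_ERR_PREAUTH_FAILED", 0x1B: "KDC_ERR_MUST_USE_USER2USER",
    0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW",
}

# Constructed sample events in the Event Viewer text layout quoted in the thread.
_TEMPLATE = """Event Type:      Failure Audit
Event ID:      673
Date:            2/12/2009
Time:            {time}
Service Ticket Request:
       User Name:            {user}
       Service Name:            {service}
       Ticket Options:            0x40800000
       Client Address:            10.0.0.82
       Failure Code:            {code}
"""
SAMPLE = "\n".join([
    _TEMPLATE.format(time="2:32:23 PM", user="jdoe@example.com", service="jdoe", code="0x1B"),
    _TEMPLATE.format(time="2:32:53 PM", user="jdoe@example.com", service="jdoe", code="0x1B"),
    _TEMPLATE.format(time="2:33:23 PM", user="jdoe@example.com", service="jdoe", code="0x1B"),
    _TEMPLATE.format(time="2:40:00 PM", user="asmith@example.com", service="host/fs01", code="0x7"),
])

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]+(\S.*?)\s*$")

def parse_events(text):
    """Split Event Viewer text into records and keep only Event ID 673."""
    events = []
    for chunk in re.split(r"^(?=Event Type:)", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "673":
            stamp = fields["Date"] + " " + fields["Time"]
            fields["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def decode_options(hex_text):
    """Return the names of the KDCOptions bits set in a Ticket Options value."""
    value = int(hex_text, 16)
    return [name for bit, name in KDC_OPTIONS.items() if value & bit]

def summarize(events):
    """Group failures by (user, service, client, code); report count and cadence."""
    groups = defaultdict(list)
    for e in events:
        key = (e["User Name"], e["Service Name"], e["Client Address"], e["Failure Code"])
        groups[key].append(e)
    report = []
    for (user, service, client, code), evs in groups.items():
        times = sorted(e["when"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "user": user, "service": service, "client": client,
            "error": KDC_ERRORS.get(int(code, 16), code),
            "options": decode_options(evs[0]["Ticket Options"]),
            "count": len(evs),
            "median_gap_s": median(gaps) if gaps else None,
            # True when the requested service is the requesting user's own account name
            "self_target": service.lower() == user.split("@")[0].lower(),
        })
    return sorted(report, key=lambda r: -r["count"])

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

For the values in the thread, `0x40800000` decodes to forwardable and renewable, with no enc-tkt-in-skey bit set.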

 

by: WilkinsIT, posted on 2009-03-26 at 15:03:12, ID: 23995992

I've been looking everywhere that I can, reading KBs, etc and I still can't track this down.

Ok, I get it, it's a Kerberos issue.  But based on what I've read that's too broad of a classification.

Is there a way to determine what service could be missing a SPN?  This makes no sense to me as this user is the only user that is having this problem.  The service listed in the event log is her logon name....

Any further help or suggestions?

 

by: astaec, posted on 2009-03-30 at 11:29:14, ID: 24021703

It turned out that there was a problem with our firewall's reference to the DNS. The DNS changed also from Server 'A' to Server 'B' but we didn't make the change in our firewall. Once we changed the reference in our firewall from the IP for the Server 'A' to the IP for Server 'B', everything started working again. ..... source link for more, if applicable here:

http://social.msdn.microsoft.com/forums/en-US/sqldataaccess/thread/bc6bce95-f861-4bc5-9a4f-ca038480c5a9/

How current is server 2003 with updates?  Also end-user stations?

Curious what happened when you checked this out - results?  Synopsis and link follow and you'll note we're at the server level here
Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003
http://support.microsoft.com/kb/824905

 

by: WilkinsIT, posted on 2009-04-02 at 12:40:38, ID: 24053686

Thank you for responding.  

Our Firewall does not control our DNS like apparently yours does.  Our DC does all DNS routing for the LAN and WAN.

Our servers are 2k3 SP2 + all updates.

Desktops are up to date as well.  Mix of XP SP2/3 and 2k SP4.

From that KB:

1.  I have a native 2k3 domain.

2.  The hotfix suggested seems to "suppress" the events and doesn't actually resolve the problem that is causing those events.  It's also for Windows 2000 Service Pack 3 (SP3).

3.  The only other item in that KB talks about a timeout increase via reg hack.

Anything else you'd suggest?

 

by: WilkinsIT, posted on 2009-04-02 at 12:41:27, ID: 24053699

NOTE:  User that is having the problem is XP SP3 + all updates.  Server is 2k3 SP2 x64 RC2 (DC).

 

by: bedanec, posted on 2009-04-07 at 05:09:18, ID: 24086307

Hi!
I have exactly the same mistake on my DC. I am looking forward to seeing how to solve this problem.

 

by: WyoBolt, posted on 2009-04-21 at 09:50:00, ID: 24196440

Getting the same 673 failure events with Ticket Options 0x40800000 and Failure Code 0x1B.

Hundreds of these failures are generated daily on two different local DCs from four users of a database application.  

Differences from the original poster are that the events are being generated when users of a database application (custom front-end, SQL 2005 back end) do anything in the application.  The 673 failures note the service name as the name of the application - 'ACCUAPP' (not the real name) - but there is not an 'ACCUAPP' service on the database server or the DCs.  The 673 failure events are followed immediately in the logs by 673 success events.  The application works fine and users see no errors from Windows or the application.  Application developer says the problem is with my network not their application (nice, I know).

Workstations are XP SP3 fully patched
DCs are 2003 SP2 Standard Edition
SQL Server is 2003 SP2 Standard Edition, member server with MS SQL 2005

I'm new to the forums - hopefully I'm adding information to an existing problem and not stealing someone's thread.  Just printed the 60 page MS Troubleshooting Kerberos Errors document.  Will post back if I find a solution.

 

by: dstewartjr, posted on 2009-04-21 at 09:55:53, ID: 24196494

WilkinsIT

Have you tried forcing Kerberos to use TCP: http://support.microsoft.com/kb/244474

 

by: WilkinsIT, posted on 2009-08-05 at 07:55:56, ID: 25024141

Forcing Kerberos to use TCP has not resolved this issue.  Sorry it has taken me so long to respond...

It looks like there are a few others with this issue as well.  Are there any other experts out there that might have suggestions?

 

by: WilkinsIT, posted on 2009-08-31 at 07:02:33, ID: 25222839

This is still an active and pressing issue that I am trying to resolve.  I would like some continued suggestions if I can get any from your community/experts.

 

by: WyoBolt, posted on 2009-08-31 at 08:47:13, ID: 25223735

This is still an active issue with me as well.  I am working with the software vendor to try and determine the source, but so far no luck.  Please do not close this issue, it is not abandoned.

 

by: WyoBolt, posted on 2009-09-01 at 15:33:54, ID: 25236837

This is silly.  So we're going to lose all of the information that's in this article, the steps that we've tried to resolve it?  WHY?  Why can't it live as an unanswered question?  What is the new article ID?

 

by: WilkinsIT, posted on 2009-09-01 at 15:35:50, ID: 25236845

It seems ridiculous to me as well but I've gone ahead and recreated the question as recommended.  I used the exact same info in that thread that I did in this one...

Hopefully we'll see some action with my new bright and shiny posting!!!

 

by: WilkinsIT, posted on 2009-09-08 at 12:49:59, ID: 25285505

So because no one wants to take the time right now to respond to my question you are deleting it?

Why am I paying for this service again?

 

by: WyoBolt, posted on 2009-09-08 at 12:57:12, ID: 25285576

Yeah, so a 'call for experts' went out on Saturday of Labor Day weekend.  No one responded between then and this morning so the post is being deleted.  Makes sense to me.

How do we complain about overzealous moderators?  In life and in IT there are questions which haven't been answered.  Why can't this post exist as an unanswered question?

How do we complain about overzealous moderators?

 

by: WilkinsIT, posted on 2009-09-08 at 12:59:11, ID: 25285589

Good point.  I'm not sure about you but I wasn't thinking about IT the whole weekend and I'm sure the "experts" weren't either.

Not only that but I'm probably going to be opening a ticket with Microsoft.  

If this happens I WILL find the answer and I will post my results here...well assuming that they don't just delete my question.

 

by: MightySW, posted on 2009-09-08 at 14:04:03, ID: 25286142

Hi, what is running on this workstation?  What services are AD dependent?  Anything out of the ordinary apps or running that require LDAP auth (for example, does it have a printer or scanner attached to it with print/scanning services shared through AD?)

Also, check the time in your realm (domain) and check the time on that workstation.  Ensure that the BIOS isn't driving that system's clock off.

What is happening here is that something with the client is constantly trying to access a resource (somewhere on your domain) and it is using the resource and then requesting yet another ticket, but it can't get one because the previous service ticket still hasn't expired.  Again, you will usually see this with services that are specific to a user's application like printing / print sharing or SNMP requests to that workstation.

A few things you can try:  check the services and see what is running.  Determine if that workstation has another purpose other than being a place for someone to collect mail and work with documents, etc, go to msconfig and click on the startup tab and see what is running at startup.  This may be an old program, or a service running with old credentials.  You need to ensure that all service accounts are up to date.

Please post back.

HTH

 

by: WilkinsIT, posted on 2009-09-08 at 14:15:23, ID: 25286245

MightySW -

1.  MS Office 2k3, Network Printers, 1 local printer, a web based HR program that authenticates to another domain and site, AV, nothing out of the ordinary.

2.  I don't have any AD dependent services running.

3.  No apps that are AD dependent other than file sharing and Outlook.

4.  I've ensured that time is being enforced on the client.  A net time shows proper GP enforcement as well.  Also checked gpresult.

5.  Interesting point, I don't have any SNMP services running.  Her local printer isn't shared out over the network.

6.  All accounts on services are running:  Local System or Network Service.  I didn't see anything out of the ordinary services wise.  I also checked msconfig/hijackthis and didn't see anything strange there.

I appreciate your help here, I look forward to further feedback.

 

by: MightySW, posted on 2009-09-08 at 14:21:56, ID: 25286297

I'll tell you right now that Printers are notorious for this type of behavior.  Granted that it is not shared so this may not be the issue.

Have you logged in with another user (new profile) to see if the 673 is as repetitive or goes away completely?

Have you run wireshark from a hub in her office or directly off her workstation to see if there are corresponding packets that are processed the same time that the event fires?

Let me know.

 

by: WilkinsIT, posted on 2009-09-08 at 14:24:34, ID: 25286315

1.  I'll go ahead and check another account on her system.  I haven't done that yet.  It's hard to get to her machine because of what she does.

2.  I haven't done any packet sniffing on her system but it may come down to that.  Again, I'll try tomorrow at lunch and see if I can get any results from either of these two suggestions.

Thanks again!

 

by: astaec, posted on 2009-09-09 at 06:52:11, ID: 25291255

I'm pleased you have additional expertise here and apologize for my lack of presence in this question.  This is not my area of expertise, so didn't want to clog the Q with research and guesses.  I did think this link http://support.microsoft.com/kb/824905  sounded quite relevant.  At the bottom is input area for feedback on effectiveness of Microsoft's guidance and feedback options on your issue.

Best of luck.

Asta

 

by: WilkinsIT, posted on 2009-09-10 at 09:31:24, ID: 25301853

Thank you astaec - I have reviewed that KB previously and found that the circumstances did not apply.

MightySW - I have been put off temporarily by my user and will get to her system next week.  Thanks for the patience and assistance.

 

by: MightySW, posted on 2009-09-10 at 09:44:32, ID: 25301982

LOL, I understand.

 

by: WilkinsIT, posted on 2009-09-22 at 09:24:45, ID: 25394569

I was finally able to spend some time on the client's system.

Some information and changes that I made:

1.  Disabled firewall service (I have the firewall disabled through GP anyway).

2.  Completed several windows updates (damn wsus doesn't update installer...grrr.)

3.  Shared and unshared local printer.

4.  Completed a netdiag = all clear.

5.  Forced a gpupdate and net time = all clear.

6.  Deleted an HP printer service and removed an HP startup app.

7.  Monitored Wireshark for some time and didn't see anything except for:
Wireshark Capture:
 
"126","13.112413","10.36.24.82","10.36.1.10","TCP","infocrypt > netbios-ssn [ACK] Seq=1 Ack=2 Win=64248 [TCP CHECKSUM INCORRECT] Len=0"

Here are some possibly applicable event ids:


Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:37 AM
User:                NT AUTHORITY\SYSTEM
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 756
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 500
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:42 AM
User:                NT AUTHORITY\NETWORK SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55853
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
-------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:57 AM
User:                NT AUTHORITY\NETWORK SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 58666
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:52:11 AM
User:                NT AUTHORITY\LOCAL SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1380
User account: LOCAL SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1900
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

by: WilkinsIT, posted on 2009-09-24 at 08:30:14, ID: 25414388

Well, one of my previous steps resolved the issue.  Unfortunately I completed several before rebooting the system.

I am no longer receiving the audit failures!
