?
Solved

Failure Audit Security Event ID: 675 Pre-Authentication Failed krbtgt/[domain]

Posted on 2006-05-04
3
Medium Priority
?
3,940 Views
Last Modified: 2012-05-05
A few users have had some difficulties logging into the network this morning.  I check the event log and noticed a few instances of the following.  This event was followed by Event ID: 529 by the users having trouble.  I was able to get the users logged into after stopping and starting the Kerberos service, but I would like to find the cause of the problem.  Anyone have any ideas?  Thanks in advance for any help.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
User: SYSTEM
Computer: SERVER(PDC)

Pre-authentication failed:
User Name: Administrator
User ID: [domain]\administrator
Service Name: krbtgt/[domain]
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
0
Comment
Question by:AzagThothe
  • 2
3 Comments
 
LVL 6

Expert Comment

by:ian_chard
ID: 16608018
There's some good explanation on this event here, with some things for you to consider:

http://eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

Good luck
Ian
0
 

Author Comment

by:AzagThothe
ID: 16608653
I may have found the problem.  We have a backup DC that is running in another building.  I noticed yesterday that it was turned off.  It seems to have been either off or not replication for several months, meaning that it was tombstoned and AD replications have not been occuring.  I just recently started this position and I am still trying to get a feel for the network.  Some of the users were more then likely trying to authenticate with the backup dc with new passwords.

I am now running into another issue with "repadmin".

I determined that the backup dc that I turned on yesterday is the cause of some 2042 directory service event ids, using repadmin /showrepl.  I am getting an invalid arguments error when I try to use the repadmin /removelingeringobjects command.  I do not want to force a replication through the registry before lingering objects are deleted.  Can anyone give me any tips here?
0
 
LVL 6

Accepted Solution

by:
ian_chard earned 1000 total points
ID: 16608805
Here's the Technet article on what to do in your situation:

http://technet2.microsoft.com/WindowsServer/en/Library/34c15446-b47f-4d51-8e4a-c14527060f901033.mspx

Cheers
Ian
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question