Solved

Event ID 673 appears randomly in security log

Posted on 2006-06-26
Last Modified: 2010-05-05
Hi folks

I'm reposting this as I didn't get any response last time and I'm hoping that was just because the right expert didn't see it.

I've had a look at previous posts about this but none seem to fit what I have happening, in that there is no user, machine or process identified, making it very difficult for me to identify the source of the problem:

Event Type:     Failure Audit
Event Source:     Security
Event Category:     Account Logon
Event ID:     673
Date:          07/04/2006
Time:          09:56:47
User:          NT AUTHORITY\SYSTEM
Computer:     AML-SERVER
Description:
Service Ticket Request:
      User Name:          
      User Domain:          
      Service Name:          
      Service ID:          -
      Ticket Options:          0x2
      Ticket Encryption Type:     -
      Client Address:          192.168.1.18
      Failure Code:          0x20
      Logon GUID:          -
      Transited Services:     -


The IP address shown is not allocated to any device.  All IP addresses on the network are fixed and are above 192.168.1.100, except for 192.168.1.19 which is reserved by DHCP for VPN.

The IP address displayed in the error changes but is always in the range 192.168.1.14 - 192.168.1.21.

The event also seems to be entirely random, its frequency varying between several times in the same minute to once in two days, and I can't see any process reporting to event logs which may be causing this.

Any suggestions, please?
0
Question by:morse57
14 Comments
 
LVL 13

Expert Comment

by:itcoza
Hi morse57,

It seems that there exists the possibility that you are experiencing an IP spoof attack.  It is entirely possible that there is a piece of software on your network, spyware or something, that is attempting to gain information from your network.  It is also possible that if you do not have the proper protection from the Internet that you are actually being attacked from an external source.

Regards,
M
0
 
LVL 16

Expert Comment

by:Wadski
morse57,

Do you know what IP range your VPN Clients use?  Is it someone trying to login through your VPN?

Wadski
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Hi morse57,

I'm sorry that I didn't ever get back to you on your last question, it must have dropped off my queue.  If that ever happens in the future, please just post a quick comment to the question so that it will re-email me that a comment has been made and the question will go back into my queue.

Wadski is correct that these are your VPN client range IPs.  A standard default configuration for SBS SP1 would create 7 IP Addresses in DHCP for VPN.  But what concerns me is that you don't seem to be using DHCP for your workstations... which you absolutely should be doing.  DHCP does more than just assigning an IP address.

Also... had you clicked the link in the error message which says:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

You would have been presented with a very detailed explanation of why this occurs.  This link will only work from within the failure message itself from the Security Event Log.  Within that detailed explanation is a link to this KB article: http://support.microsoft.com/kb/824905 which describes this error and offers both a work-around or hotfix.

If you want to know what user or computer is actually causing the failure Audit, just look in the Security Event log and there should be a Success Audit item (event 540) immediately before the 673.  This will show the same IP address as well as the username of the person that accessed it.

If you require further information please let me know.

Jeff
TechSoEasy

0
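The correlation Jeff describes (find the 540 Success Audit logged just before each 673 from the same client address, and read the account name from it) can be automated so you don't have to scroll the Security log by hand. The script below is an added example and is not code from the thread or from Microsoft. It assumes Windows Server 2003-era event text (the "Client Address:" and "Source Network Address:" labels shown above) and PowerShell 2.0 or later run on the DC; the scan depth and look-back window are assumed tuning values.

```powershell
# Added example, not from the thread. For each 673 Failure Audit in the Security log,
# find the most recent 540 Success Audit from the same client address and report the
# account it names. Assumes 2003-era event text and PowerShell 2.0+ on the DC.
$newest = 5000                           # how many recent Security entries to scan (assumed)
$window = New-TimeSpan -Minutes 10       # how far back to look for the matching 540 (assumed)

$security = Get-EventLog -LogName Security -Newest $newest
$failures = $security | Where-Object { $_.EventID -eq 673 -and $_.EntryType -eq 'FailureAudit' }
$logons   = $security | Where-Object { $_.EventID -eq 540 -and $_.EntryType -eq 'SuccessAudit' }

# Read a "Label:   value" field from the event message text, one line at a time,
# so a blank field (like the empty User Name in the 673 above) returns '-' instead
# of swallowing the next line. Parsing the text avoids relying on insertion-string order.
function Get-Field([string]$message, [string]$label) {
    $re = '(?m)^\s*' + [regex]::Escape($label) + ':[ \t]*(\S*)'
    if ($message -match $re -and $matches[1] -ne '') { return $matches[1] }
    return '-'
}

foreach ($f in $failures) {
    $clientIp = Get-Field $f.Message 'Client Address'
    $code     = Get-Field $f.Message 'Failure Code'

    $match = $null
    if ($clientIp -ne '-') {
        $pattern = 'Source Network Address:[ \t]*' + [regex]::Escape($clientIp) + '(\s|$)'
        # The 540 logged just before the 673 from the same address names the account
        $match = $logons |
            Where-Object {
                $_.TimeGenerated -le $f.TimeGenerated -and
                $_.TimeGenerated -ge ($f.TimeGenerated - $window) -and
                $_.Message -match $pattern
            } |
            Sort-Object TimeGenerated -Descending |
            Select-Object -First 1
    }

    $user      = '(no matching 540)'
    $logonTime = $null
    if ($match) {
        # 540 labels the account as "User Name:" and "Domain:"
        $user      = (Get-Field $match.Message 'Domain') + '\' + (Get-Field $match.Message 'User Name')
        $logonTime = $match.TimeGenerated
    }

    New-Object PSObject -Property @{
        FailureTime = $f.TimeGenerated
        ClientIp    = $clientIp
        FailureCode = $code
        LogonUser   = $user
        LogonTime   = $logonTime
    }
}
```

Rows that come back with "(no matching 540)" are the ones worth a closer look: a 673 with no preceding successful logon from that address is the pattern that does not fit the "client retried and succeeded" explanation. Pipe the output to Export-Csv if you want to keep a record across the random intervals the original post mentions.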
 
LVL 2

Author Comment

by:morse57
Hi guys

Thanks for responding.

I have checked for spyware and can't find any.

All the IP addresses in the range reporting errors are DHCP generated addresses for VPN but nobody is logging in at some of the times that are reported, i.e. middle of the night.  All ports are stealthed so I don't think it is a hacking attack.

Cheers
Steve
0
 
LVL 16

Expert Comment

by:Wadski
Looking at the evidence:

They are VPN IPs
They are failing security checks
Why are you sure the events are not evidence of someone/thing trying to connect?

If people are not using your VPN during the night why not turn it off and see if you still get the events?  

My guess is you won't!
0
 
LVL 2

Author Comment

by:morse57
Hi Jeff

Thanks for your comments; apology accepted. :-)

I looked at that link, applied the workaround without success and then spoke with Microsoft.  They assured me that I do not need this fix as SP1 has already been applied and, in any event, it only applies to a mixed environment of both Server 2000 & 2003.  Our network has a single SBS 2003 server with XP pro clients & I do not believe that the error was present before SP1 was applied.

Wadski, I understand entirely your train of thought, but I'm not convinced.  My belief is that it is an internal issue, but I won't rule anything out yet.

Cheers
Steve
0
 
LVL 2

Author Comment

by:morse57
An update.

I had Microsoft look at the problem and it has had them foxed.

They think that the cause was an undefined corruption of the DNS records and have deleted the old ones, allowing new records to be built by a reboot.

The reason why the error was so short on detail was that Kerberos logging is disabled by default, and a registry edit to create a key HKLM\System\CurrentControlSet\Lsa\Kerberos\Parameters\Loglevel=1 is needed to allow for full reporting.

Just to cover all bases they had me put a line in the user_login_script.bat to synch with the server time on login:
net time /set
despite the fact that all machines looked at had their clocks within seconds of the server time, even a laptop which connects via vpn and was a possible culprit.

In all, it seems MS have struggled with this and that is why the support ticket has been left in a monitored state to see if the issue is cured.

Watch this space......

Cheers
Steve
0
 
LVL 2

Author Comment

by:morse57
P.S.

Jeff - why are you advocating the use of DHCP for the network so strongly, please?  This sounds like something I should be aware of.
0
 
LVL 13

Expert Comment

by:itcoza
Morse57,  Just attempt to set all the settings you can set via DHCP manually on your workstations and you will understand why Jeff is promoting the use of this very important service.  Then we are not even talking about DNS integration.

Regards,
M
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
First, glad that you got things somewhat straightened out...

DHCP is important because it sets the following items on each workstation (assuming the recommended SBS IP of 192.168.16.2):

Scope Options:
003 Router 192.168.16.2
006 DNS Servers 192.168.16.2
015 DNS Domain Name yourcompany.local
044 WINS/NBNS Servers 192.168.16.2
046 WINS/NBT Node Type 0x8

Also, if you have a laptop that is in the office and also connects via VPN, for which you've given a static IP, you'll probably have the Kerberos error that you are experiencing because the VPN connection won't want to use the static IP you've assigned and will assign its own... causing a conflict.

In any case, can you give a good reason to NOT use DHCP on the workstations?

Also, in regards to the "net time /set" command in the login script... I've generally seen this as being "net time \\servername /set /yes" for SBS use.  I have it in most of my login scripts, but tend to comment it out after awhile -- once I know everything is doing okay.

I would also look to make sure that all of your workstations are configured for the same time zone.  I've seen this as a problem before that causes Kerberos errors.  

Jeff
TechSoEasy
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
P. S.  Just to check the workstations, run this at the command prompt:

w32tm /monitor /computers:localhost

Jeff
TechSoEasy
0
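Jeff's two checks (same time zone everywhere, and clocks within a few seconds of the server) can be run against every workstation from one place. The script below is an added example, not code from the thread; it compares each machine's clock with the server's in UTC, because that is what Kerberos compares and why a wrong time zone with a "correct" local clock still breaks ticket requests once the difference exceeds the default 5-minute tolerance. The server and workstation names are constructed placeholders; the account running it needs WMI access to each machine.

```powershell
# Added example, not from the thread. Reads each machine's clock and time zone over
# WMI and reports the skew against the server in UTC. Kerberos rejects a ticket when
# the clocks differ by more than the default 5 minutes. Names below are placeholders.
$server  = 'AML-SERVER'
$clients = @('WORKSTATION01', 'WORKSTATION02', 'LAPTOP01')
$maxSkew = New-TimeSpan -Minutes 5      # Kerberos default clock tolerance

function Get-ClockInfo([string]$computer) {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
    $tz = Get-WmiObject -Class Win32_TimeZone        -ComputerName $computer -ErrorAction Stop
    $local = $os.ConvertToDateTime($os.LocalDateTime)
    New-Object PSObject -Property @{
        Computer = $computer
        TimeZone = $tz.StandardName
        # Win32_TimeZone.Bias is the number of minutes to add to local time to get UTC
        UtcTime  = $local.AddMinutes($tz.Bias)
    }
}

$ref = Get-ClockInfo $server
foreach ($c in $clients) {
    try {
        $info = Get-ClockInfo $c
    } catch {
        Write-Warning "${c}: $($_.Exception.Message)"
        continue
    }

    # Skew is measured in UTC, so a wrong time zone shows up even if the local clock looks right
    $skew   = $info.UtcTime - $ref.UtcTime
    $status = 'OK'
    if ($info.TimeZone -ne $ref.TimeZone) { $status = 'TIME ZONE DIFFERS' }
    if ([math]::Abs($skew.TotalSeconds) -gt $maxSkew.TotalSeconds) { $status = 'SKEW EXCEEDS KERBEROS TOLERANCE' }

    New-Object PSObject -Property @{
        Computer    = $c
        TimeZone    = $info.TimeZone
        SkewSeconds = [math]::Round($skew.TotalSeconds, 1)
        Status      = $status
    }
}
```

The two WMI calls per machine are not simultaneous, so expect a second or so of noise in SkewSeconds; anything in the tens of seconds or more is real and worth fixing with the w32tm or net time commands discussed above.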
 
LVL 2

Author Comment

by:morse57
Well, MS couldn't cure it.

Different people in MS have had different ideas as to the cause & yet another "expert" from the company has been in touch and tells me that the failures are common in this OS.  He says that they are failed attempts to connect which have been successfully retried and has made the problem go away by changing the logging options in Default Domain Controllers Policy so that the failures aren't logged.

I don't think that it's necessarily the best solution to adopt the "out of sight, out of mind" philosophy and it still doesn't address the strange times of night when some of these errors occur, but I am assured by MS that the OS is not perfect and these failures occur as part of it.

All the people I have spoken to at MS are happy that the failures are not as a result of an intrusion attempt, which I'd always felt was the case.

Thanks guys for trying to help and I've learned a few things on the way from you.

Unless anyone has any other ideas, I suppose this needs closing.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
Well, I took a look at some of the logs for the many SBSs that I manage and I have plenty of those errors... I've always assumed that it's just a Kerberos ticket expiring.  It's not really a security issue unless you have a failed logon attempt with an actual user name.

Jeff
TechSoEasy
0
 
LVL 2

Author Comment

by:morse57
Thanks for that Jeff, it confirms what MS have said.  I can sleep easy now. ;-)

Steve
0