g000se
asked on
676 AUDIT FAILURE- error message with Supplied Realm Name
Hello,
Recently an employee has left the company and I get these error messages either late at night or early morning. This employee username and email has been removed from the system. The server that the account is trying to access is the email server. Here is the error message, I had change up the username and Supplied Realm Name which has the Domain info.
Is there a service trying to access this employee's account?
676,AUDIT FAILURE,Security NT AUTHORITY\SYSTEM,Authentic ation Ticket Request Failed, User Name: John Doe Supplied Realm Name: AB Domain
Thanks for your help.
Recently an employee has left the company and I get these error messages either late at night or early morning. This employee username and email has been removed from the system. The server that the account is trying to access is the email server. Here is the error message, I had change up the username and Supplied Realm Name which has the Domain info.
Is there a service trying to access this employee's account?
676,AUDIT FAILURE,Security NT AUTHORITY\SYSTEM,Authentic
Thanks for your help.
676 audit failure usually indicates someone is trying to access. There should also be a failure code indicating why access was denied. Probably in this case #6 indicating an invalid username.
Other than the fact that his is at an odd time of day it might be quite innocent. Does the user have a remote PC or laptop on which the mail account might not have been disabled? If so the computer may just be attempting to do a routine mail download.
Other than the fact that his is at an odd time of day it might be quite innocent. Does the user have a remote PC or laptop on which the mail account might not have been disabled? If so the computer may just be attempting to do a routine mail download.
ASKER
Thanks for your reply RobWill.
This person may have a laptop that was configured to connect to our email server.
Last Friday I had tried to access our webmail using the disabled account and was able to generate the same error message.
This person's username has been removed but their email address has been added to on the other folk's smtp.
It just seems odd for the error message to show up after this person has left.
This person may have a laptop that was configured to connect to our email server.
Last Friday I had tried to access our webmail using the disabled account and was able to generate the same error message.
This person's username has been removed but their email address has been added to on the other folk's smtp.
It just seems odd for the error message to show up after this person has left.
>>"seems odd for the error message to show up after this person has left."
Definitely, but as mentioned may be due to the mail account still existing on the laptop. Can you contact them and just explain that the account should be removed as it is "cluttering" your log file.
Then again it could be an intentional attempt. Perhaps with no success they will stop. However, if they were trying to hack your system you would think they might try more than just the mail server.
Definitely, but as mentioned may be due to the mail account still existing on the laptop. Can you contact them and just explain that the account should be removed as it is "cluttering" your log file.
Then again it could be an intentional attempt. Perhaps with no success they will stop. However, if they were trying to hack your system you would think they might try more than just the mail server.
ASKER
Very true, I just don't want to jump ahead of myself and think this person is hacking.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks
Thanks g000se,
--Rob
--Rob
ASKER
Haven't finish getting caffine into my system.