windylad
asked on
Security Success Audit - Event ID 680
Hi,
I'm seeing recurring success audits in the security logs on our DC from a number of computers on our network.
The reason I'm curious about this is because a number of them happen out of hours when the user is not onsite.
Some of the users do access their PCs from home but the audits do not correspond to these times.
On one particular user, this log may show up 20 times or so during the night.
What would be the main reason(s) for this type of audit?
Category: Account Logon
Type: Success Audit
Event ID: 680
User: SNN\Bill
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Bill
Source Workstation: HR01
Error Code: 0x0
Any help is appreciated.
Thanks in advance,
wl
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help, McKnife. The client PCs are XP SP2 and the DC is Windows Server 2003.
Thanks for your help also, richrumple; I have a better understanding of this now.
I'm trying to figure out why no reply came from the DC via the Kerberos protocol (with the help of your last link) - any further ideas?
It seems, however, that when this event (680) occurs, the users have left the computer 'locked' instead of logged off - this appears to be a factor.
We do have group policy and WSUS set up and now scheduled tasks (the problem was present before we set up the tasks).
Any other reasons why these account logon auths above would be happening out of hours? I did see one event ID 612 (Audit Policy change) on a client PC out of hours, so would all of this be just because of an automatic gpupdate? Although the times do not match up.
To answer your first question:
In the security logs on the server, there are success audits before and afterwards for many machines on the network
(Event IDs 673 and 674, as shown below).
The user on these is SYSTEM and not the user's login ID, so I wasn't too worried about this at the time.
__________
EventID: 673
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01
Service Ticket Request:
User Name: SNN06$@SNN.LOC
User Domain: SNN.LOC
Service Name: SNN01$
Service ID: SNN\SNN01$
Ticket Options: 0x40810000
Ticket Encryption Type: 0x17
Client Address: 192.168.1.216
Failure Code: -
Logon GUID: {448f8589-4940-4d55-70c5-63ff742de829}
Transited Services: -
__________
EventID: 674
Category: Account Logon
User: NT Authority\SYSTEM
Computer: SNN01
Service Ticket Renewed:
User Name: MARKETING02$@SNN.LOC
User Domain: SNN.LOC
Service Name: krbtgt
Service ID: SNN\krbtgt
Ticket Options: 0x2
Ticket Encryption Type: 0x17
Client Address: 192.168.1.48
__________
While we're here, are these particular logons Kerberos logons, so?
Also, this may not be related, but within a minute after event 680 on the server, there are Application and System events on the client PC itself:
App error: event 1030 (Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine). I looked back and saw event 1058 (amongst others) that suggested that a file (gpt.ini) in the Default Domain Policy folder could not be accessed.
Sys warn: event 40961 The Security System could not establish a secured connection with the server ldap/SNN01.snn.loc@snn.loc. No authentication protocol was available.
Sorry for the long-winded reply!
Thanks again in Advance,
windylad
NTLM/LM authentication is used for printer and network share connections; Kerberos is only used for domain login, like unlocking the PC and/or signing into the PC initially. When you connect to a network share and access files/folders on that share, NTLM/LM auth is used.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx (I don't agree with this paper's contentions about NTLM/LM being used in an all-AD environment; I've got a test lab that is all 2003 servers, nothing else, and NTLM is definitely still used by default. I'm sure I can change it to just Kerb...)
http://www.eventid.net/ might help you better understand some of what's going on.
-rich
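As an added example, not part of anyone's post in this thread, here is a small triage script for the pattern the asker describes: out-of-hours 680 (NTLM via MSV1_0) success audits on the DC, checked against the client's own 40961/1030 events within the following minute. The log records, the business-hours window (08:00-18:59) and the verdict labels are all constructed assumptions, not data from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like the events quoted in the thread; not real log data.
# DC security log: (timestamp, event_id, dc, logon_account, source_workstation, error_code)
DC_EVENTS = [
    ("2007-03-12 02:14:05", 680, "SNN01", "Bill", "HR01", "0x0"),
    ("2007-03-12 02:31:40", 680, "SNN01", "Bill", "HR01", "0x0"),
    ("2007-03-12 09:02:11", 680, "SNN01", "Bill", "HR01", "0x0"),
]
# Client System/Application logs: (timestamp, event_id, computer)
CLIENT_EVENTS = [
    ("2007-03-12 02:14:31", 40961, "HR01"),  # no secured connection to ldap/<DC>
    ("2007-03-12 02:14:33", 1030, "HR01"),   # Group Policy object query failed
    ("2007-03-12 09:02:50", 1030, "HR01"),
]

BUSINESS_HOURS = range(8, 19)               # assumption: 08:00-18:59 counts as onsite hours
CORRELATION_WINDOW = timedelta(seconds=60)  # "within a minute", as observed in the thread

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def out_of_hours_680(dc_events, business_hours=BUSINESS_HOURS):
    """Successful 680 audits (NTLM via MSV1_0) whose hour falls outside business hours."""
    return [e for e in dc_events
            if e[1] == 680 and e[5] == "0x0"
            and parse_ts(e[0]).hour not in business_hours]

def correlate(dc_events, client_events, window=CORRELATION_WINDOW):
    """For each out-of-hours 680, look on the source workstation for a Kerberos/GPO
    failure (40961 or 1030) within `window` after it. A match fits the thread's
    hypothesis (no Kerberos reply, NTLM fallback from a locked, unattended machine);
    no match means the NTLM logon still needs a human explanation."""
    findings = []
    for ts, _, _, account, workstation, _ in out_of_hours_680(dc_events):
        t0 = parse_ts(ts)
        related = [c for c in client_events
                   if c[2] == workstation and c[1] in (40961, 1030)
                   and timedelta(0) <= parse_ts(c[0]) - t0 <= window]
        findings.append({
            "time": ts, "account": account, "workstation": workstation,
            "client_failures": sorted(c[1] for c in related),
            "verdict": "kerberos-failure-fallback" if related else "unexplained-ntlm-logon",
        })
    return findings

if __name__ == "__main__":
    for f in correlate(DC_EVENTS, CLIENT_EVENTS):
        print(f)
```

Exporting the real logs (e.g. to CSV) and loading them into the same tuple shape lets the 680 at 02:31 stand out as the one that has no machine-side failure to explain it.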
SOLUTION
Forced accept.
Computer101
EE Admin
http://support.microsoft.com/kb/305822 - what OS and servicepack are the clients running?