• Status: Solved

Failure Audit Event ID: 673 on DC for specific user every 30 seconds.

Server/DC is:
2k3 SP2 x64.

Client/User is:
XP SP3 x86.
Not locked out.
Has not recently and does not need to change their NT password.



Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            2/12/2009
Time:            2:32:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [DC]
Description:
Service Ticket Request:
       User Name:            [user@domain.com]
       User Domain:            [domain]
       Service Name:            [user's name]
       Service ID:            -
       Ticket Options:            0x40800000
       Ticket Encryption Type:      -
       Client Address:            x.x.24.82
       Failure Code:            0x1B
       Logon GUID:            -
       Transited Services:      -
Asked by WilkinsIT

1 Solution

WilkinsIT (Author) commented:
Your solution seems to apply to a Win2k Kerberos issue.  The hotfix is from 2005...  I saw this on the eventviewer site as well but disregarded it as I am not running Win2k.

Donald Stewart (Network Administrator) commented:
Have you tried forcing Kerberos to use TCP: http://support.microsoft.com/kb/244474

Donald Stewart (Network Administrator) commented:

Donald Stewart (Network Administrator) commented:

WilkinsIT (Author) commented:
I've reviewed that documentation and wasn't able to find anything that pertained:
1st Link:  Talked about a failed service logon due to bad credentials.
2nd Link:  Talked about different Kerberos errors.  The problem is that the user in question is not having any authentication problems or other limitations due to this error on the DC.
Still no luck, anything else that you'd all recommend?

Donald Stewart (Network Administrator) commented:
Your specific error
"0x1B - KDC_ERR_MUST_USE_USER2USER: Server principal valid for user2user only"

Resolution here:
Service Logons Fail Due to Incorrectly Set SPNs

WilkinsIT (Author) commented:
I've read through that doc and I'm still confused.  This fix doesn't seem to apply to my situation.  This fix is to resolve a Kerberos issue with a service.
Perhaps I just don't get the concept behind the KB.  Wouldn't I be having issues with all accounts or at least a "service" if what I've read in this KB is correct?
Is the "service" referenced the user's logon token?  Her user account isn't attached to any services on any server.

Donald Stewart (Network Administrator) commented:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            2/12/2009
Time:            2:32:23 PM
User:            NT AUTHORITY\SYSTEM
Computer:      [DC]
Description:
Service Ticket Request:
       User Name:            [user@domain.com]
       User Domain:            [domain]
       Service Name:            [user's name]
       Service ID:            -
       Ticket Options:            0x40800000
       Ticket Encryption Type:      -
       Client Address:            x.x.24.82
       Failure Code:            0x1B
"0x1B - KDC_ERR_MUST_USE_USER2USER: Server principal valid for user2user only"

http://technet.microsoft.com/en-us/library/cc738673.aspx

You have a Kerberos issue.

Troubleshooting Kerberos Errors
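An added example, not code from the thread or from Microsoft, that turns pasted 673 records like the ones above into structured data: it decodes the Failure Code and Ticket Options fields, notes when the requested "service" is the user's own logon name (the detail the original poster keeps pointing at), and flags a user whose failures recur on a fixed short interval, which is the "every 30 seconds" pattern from the original question. The sample events, user names, domain, hostname and client address are all constructed.

```python
# Added example (not from the thread): parse Windows Server 2003 Security
# event 673 text, decode the Kerberos failure code and KDC options, and flag
# users whose service-ticket requests fail on a fixed short cadence.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Kerberos error codes from RFC 4120 section 7.5.9 (subset seen in event 673).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x1B: "KDC_ERR_MUST_USE_USER2USER",
    0x25: "KRB_AP_ERR_SKEW",
}

# KDC option bits (RFC 4120 section 5.4.1) as laid out in the 32-bit
# "Ticket Options" field; 0x40800000 from the thread is forwardable+renewable.
KDC_OPTIONS = [
    (0x40000000, "forwardable"), (0x20000000, "forwarded"),
    (0x10000000, "proxiable"), (0x08000000, "proxy"),
    (0x04000000, "allow-postdate"), (0x02000000, "postdated"),
    (0x00800000, "renewable"), (0x00010000, "canonicalize"),
    (0x00000010, "renewable-ok"), (0x00000008, "enc-tkt-in-skey"),
    (0x00000002, "renew"), (0x00000001, "validate"),
]

# "Field Name:   value" lines as pasted from Event Viewer; trailing blanks dropped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def decode_options(mask):
    """Names of the KDC option bits set in a Ticket Options value."""
    return [name for bit, name in KDC_OPTIONS if mask & bit]


def parse_event(text):
    """Turn one pasted event 673 record into a dict of the useful fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if fields.get("Event ID") != "673":
        raise ValueError("not an event 673 record")
    code = int(fields["Failure Code"], 16)
    user, service = fields["User Name"], fields["Service Name"]
    return {
        "when": datetime.strptime(fields["Date"] + " " + fields["Time"],
                                  "%m/%d/%Y %I:%M:%S %p"),
        "user": user,
        "service": service,
        # The thread's oddity: the "service" is the user's own logon name,
        # i.e. the ticket was requested for a user principal, not an SPN.
        "service_is_user": service.lower() == user.split("@")[0].lower(),
        "client": fields["Client Address"],
        "code": code,
        "error": KRB_ERRORS.get(code, "UNKNOWN_0x%X" % code),
        "options": decode_options(int(fields["Ticket Options"], 16)),
    }


def find_repeating_failures(records, min_count=3, max_interval_s=60.0):
    """Group parsed failures by (user, code); report groups that recur at a
    short regular interval, which points at an automated requester on the
    client rather than a person retyping a password."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["code"])].append(r)
    findings = []
    for (user, code), group in sorted(by_key.items()):
        if len(group) < min_count:
            continue
        times = sorted(r["when"] for r in group)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_interval_s:
            findings.append({
                "user": user,
                "error": KRB_ERRORS.get(code, "UNKNOWN_0x%X" % code),
                "count": len(group),
                "median_interval_s": median_gap,
                "clients": sorted({r["client"] for r in group}),
                "services": sorted({r["service"] for r in group}),
            })
    return findings


# Constructed sample records in the thread's Event Viewer layout (made-up
# names, domain, host and address): one user failing with 0x1B every 30 s
# against her own logon name, plus one unrelated pre-authentication failure.
EVENT_TEMPLATE = """Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      673
Date:            2/12/2009
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      DC1
Description:
Service Ticket Request:
       User Name:            {user}
       User Domain:            EXAMPLE
       Service Name:            {service}
       Service ID:            -
       Ticket Options:            0x40800000
       Ticket Encryption Type:      -
       Client Address:            10.0.24.82
       Failure Code:            {code}
       Logon GUID:            -
       Transited Services:      -
"""
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(time=t, user="jdoe@example.com", service="jdoe", code="0x1B")
    for t in ("2:32:23 PM", "2:32:53 PM", "2:33:23 PM", "2:33:53 PM")
] + [EVENT_TEMPLATE.format(time="2:40:00 PM", user="bsmith@example.com",
                           service="cifs/fs01.example.com", code="0x18")]

if __name__ == "__main__":
    for finding in find_repeating_failures([parse_event(e) for e in SAMPLE_EVENTS]):
        print(finding)
```

Run against a real export, the interesting output is a group whose `services` list contains only the user's own name and whose median interval is a round number: that combination says some process on the listed client address is asking the KDC for a ticket to a principal that has no SPN, on a timer, which narrows the hunt to scheduled or auto-reconnecting software on that one workstation rather than to the domain controller.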

WilkinsIT (Author) commented:
I've been looking everywhere that I can, reading KBs, etc and I still can't track this down.
Ok, I get it, it's a Kerberos issue.  But based on what I've read that's too broad of a classification.
Is there a way to determine what service could be missing an SPN?  This makes no sense to me as this user is the only user that is having this problem.  The service listed in the event log is her logon name....
Any further help or suggestions?

Asta Cu commented:
It turned out that there was a problem with our firewall's reference to the DNS. The DNS changed also from Server 'A' to Server 'B' but we didn't make the change in our firewall. Once we changed the reference in our firewall from the IP for the Server 'A' to the IP for Server 'B', everything started working again. ..... source link for more, if applicable here:
http://social.msdn.microsoft.com/forums/en-US/sqldataaccess/thread/bc6bce95-f861-4bc5-9a4f-ca038480c5a9/
How current is server 2003 with updates?  Also end-user stations?
Curious what happened when you checked this out - results?  Synopsis and link follow and you'll note we're at the server level here
 Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003
http://support.microsoft.com/kb/824905

WilkinsIT (Author) commented:
Thank you for responding.  
Our Firewall does not control our DNS like apparently yours does.  Our DC does all DNS routing for the LAN and WAN.
Our servers are 2k3 SP2 + all updates.
Desktops are up to date as well.  Mix of XP SP2/3 and 2k SP4.
From that KB:
1.  I have a native 2k3 domain.
2.  The hotfix suggested seems to "suppress" the events and doesn't actually resolve the problem that is causing those events.  It's also for Windows 2000 Service Pack 3 (SP3).
3.  The only other item in that KB talks about a timeout increase via reg hack.
Anything else you'd suggest?

WilkinsIT (Author) commented:
NOTE:  User that is having the problem is XP SP3 + all updates.  Server is 2k3 SP2 x64 RC2 (DC).

bedanec commented:
Hi!
I have exactly the same mistake on my DC. I am looking forward to seeing how to solve this problem.

WyoBolt commented:
Getting the same 673 failure events with Ticket Options 0x40800000 and Failure Code 0x1B.

Hundreds of these failures are generated daily on two different local DCs from four users of a database application.  

Differences from the original poster are that the events are being generated when users of a database application (custom front-end, SQL 2005 back end) do anything in the application.  The 673 failures note the service name as the name of the application - 'ACCUAPP' (not the real name) - but there is not an 'ACCUAPP' service on the database server or the DCs.  The 673 failure events are followed immediately in the logs by 673 success events.  The application works fine and users see no errors from Windows or the application.  Application developer says the problem is with my network not their application (nice, I know).

Workstations are XP SP3 fully patched
DCs are 2003 SP2 Standard Edition
SQL Server is 2003 SP2 Standard Edition, member server with MS SQL 2005

I'm new to the forums - hopefully I'm adding information to an existing problem and not stealing someone's thread.  Just printed the 60 page MS Troubleshooting Kerberos Errors document.  Will post back if I find a solution.

Donald Stewart (Network Administrator) commented:
WilkinsIT

Have you tried forcing Kerberos to use TCP: http://support.microsoft.com/kb/244474

WilkinsIT (Author) commented:
Forcing Kerberos to use TCP has not resolved this issue.  Sorry it has taken me so long to respond...
It looks like there are a few others with this issue as well.  Are there any other experts out there that might have suggestions?

WilkinsIT (Author) commented:
This is still an active and pressing issue that I am trying to resolve.  I would like some continued suggestions if I can get any from your community/experts.

WyoBolt commented:
This is still an active issue with me as well.  I am working with the software vendor to try and determine the source, but so far no luck.  Please do not close this issue, it is not abandoned.

WyoBolt commented:
This is silly.  So we're going to lose all of the information that's in this article, the steps that we've tried to resolve it?  WHY?  Why can't it live as an unanswered question?  What is the new article ID?

WilkinsIT (Author) commented:
It seems ridiculous to me as well but I've gone ahead and recreated the question as recommended.  I used the exact same info in that thread that I did in this one...
Hopefully we'll see some action with my new bright and shiny posting!!!

WilkinsIT (Author) commented:
So because no one wants to take the time right now to respond to my question you are deleting it?
Why am I paying for this service again?

WyoBolt commented:
Yeah, so a 'call for experts' went out on Saturday of Labor Day weekend.  No one responded between then and this morning so the post is being deleted.  Makes sense to me.

How do we complain about overzealous moderators?  In life and in IT there are questions which haven't been answered.  Why can't this post exist as an unanswered question?

How do we complain about overzealous moderators?

WilkinsIT (Author) commented:
Good point.  I'm not sure about you but I wasn't thinking about IT the whole weekend and I'm sure the "experts" weren't either.
Not only that but I'm probably going to be opening a ticket with Microsoft.  
If this happens I WILL find the answer and I will post my results here...well assuming that they don't just delete my question.

MightySW commented:
Hi, what is running on this workstation?  What services are AD dependent?  Anything out of the ordinary apps or running that require LDAP auth (for example, does it have a printer or scanner attached to it with print/scanning services shared through AD?)

Also, check the time in your realm (domain) and check the time on that workstation.  Ensure that the BIOS isn't driving that system's clock off.

What is happening here is that something with the client is constantly trying to access a resource (somewhere on your domain) and it is using the resource and then requesting yet another ticket, but it can't get one because the previous service ticket still hasn't expired.  Again, you will usually see this with services that are specific to a user's application like printing / print sharing or SNMP requests to that workstation.

A few things you can try:  check the services and see what is running.  Determine if that workstation has another purpose other than being a place for someone to collect mail and work with documents, etc. Go to msconfig and click on the startup tab and see what is running at startup.  This may be an old program, or a service running with old credentials.  You need to ensure that all service accounts are up to date.

Please post back.

HTH

WilkinsIT (Author) commented:
MightySW -
1.  MS Office 2k3, Network Printers, 1 local printer, a web based HR program that authenticates to another domain and site, AV, nothing out of the ordinary.
2.  I don't have any AD dependent services running.
3.  No apps that are AD dependent other than file sharing and Outlook.
4.  I've ensured that time is being enforced on the client.  A net time shows proper GP enforcement as well.  Also checked gpresult.
5.  Interesting point, I don't have any SNMP services running.  Her local printer isn't shared out over the network.
6.  All accounts on services are running:  Local System or Network Service.  I didn't see anything out of the ordinary services wise.  I also checked msconfig/hijackthis and didn't see anything strange there.
I appreciate your help here, I look forward to further feedback.

MightySW commented:
I'll tell you right now that Printers are notorious for this type of behavior.  Granted that it is not shared so this may not be the issue.

Have you logged in with another user (new profile) to see if the 673 is as repetitive or goes away completely?

Have you run wireshark from a hub in her office or directly off her workstation to see if there are corresponding packets that are processed the same time that the event fires?

Let me know.

WilkinsIT (Author) commented:
1.  I'll go ahead and check another account on her system.  I haven't done that yet.  It's hard to get to her machine because of what she does.
2.  I haven't done any packet sniffing on her system but it may come down to that.  Again, I'll try tomorrow at lunch and see if I can get any results from either of these two suggestions.
Thanks again!

Asta Cu commented:
I'm pleased you have additional expertise here and apologize for my lack of presence in this question.  This is not my area of expertise, so didn't want to clog the Q with research and guesses.  I did think this link http://support.microsoft.com/kb/824905  sounded quite relevant.  At the bottom is input area for feedback on effectiveness of Microsoft's guidance and feedback options on your issue.
Best of luck.
Asta

WilkinsIT (Author) commented:
Thank you astaec - I have reviewed that KB previously and found that the circumstances did not apply.
MightySW - I have been put off temporarily by my user and will get to her system next week.  Thanks for the patience and assistance.

MightySW commented:
LOL, I understand.

WilkinsIT (Author) commented:
I was finally able to spend some time on the client's system.
Some information and changes that I made:
1.  Disabled firewall service (I have the firewall disabled through GP anyway).
2.  Completed several Windows updates (damn WSUS doesn't update installer...grrr.)
3.  Shared and unshared local printer.
4.  Completed a netdiag = all clear.
5.  Forced a gpupdate and net time = all clear.
6.  Deleted an HP printer service and removed an HP startup app.
7.  Monitored Wireshark for some time and didn't see anything except for:
Wireshark Capture:
"126","13.112413","10.36.24.82","10.36.1.10","TCP","infocrypt > netbios-ssn [ACK] Seq=1 Ack=2 Win=64248 [TCP CHECKSUM INCORRECT] Len=0"
Here are some possibly applicable event ids:

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:37 AM
User:                NT AUTHORITY\SYSTEM
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 756
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 500
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:42 AM
User:                NT AUTHORITY\NETWORK SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55853
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
-------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:51:57 AM
User:                NT AUTHORITY\NETWORK SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1212
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 58666
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
------------------------
 
Event Type:      Failure Audit
Event Source:   Security
Event Category:            Detailed Tracking
Event ID:          861
Date:                9/22/2009
Time:                7:52:11 AM
User:                NT AUTHORITY\LOCAL SERVICE
Computer:         FQ0LPC1
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1380
User account: LOCAL SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1900
Allowed: No
User notified: No
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

WilkinsIT (Author) commented:
Well one of my previous steps resolved the issue.  Unfortunately I completed several before rebooting the system.
I am no longer receiving the audit failures!