Pre-Authentication Failure error code 0x19

amnhtech
amnhtech used Ask the Experts™
on
I am getting thousands of messages daily for two accounts where the security logs show pre-authentication failures with failure code 0x19.  The odd thing is that despite of this the accounts do not get locked out eventhough I have a policy that accounts lock out after 3 failed logon attempts and they stay locked until an administrator unlocks it.  Does anyone have any ideas on what is causing this and how to resolve it?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
it sounds like you have a service running with these accounts and the password has chnaged. If that is the case you would recieve this error over and over again.

Author

Commented:
I thought of these since these are service accounts but the passwords have not changed.  When looking at the account properties the "must change password on next logon" is not set.  Also these accounts are set to password never changes.

Commented:
is this happening on the server or a workstation?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Commented:
can you post the error log

Author

Commented:
I am getting the errors in the security log on the DC.  I redirect my logs to a syslog server so here are a few sample lines in plain text format. These are two sample lines in my logs.  Sometimes it is this username and other times there is another username.  The Application that is dependent on this service continues to function.

2009-09-30 08:38:04,Auth.Error,172.16.8.51,Sep 30 08:38:02 domaincontroller security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: <009>User Name:<009>RTCService <009>User ID:%{S-1-5-21-xxxxxxx <009>Service Name:<009>krbtgt/DOMAINNAME <009>Pre-Authentication Type:<009>0x0 <009>Failure Code:<009>0x19 <009>Client Address:<009>172.16.8.115
2009-09-30 08:38:04,Auth.Error,172.16.8.51,Sep 30 08:38:02 domaincontroller security[failure] 672 NT AUTHORITY\SYSTEM Authentication Ticket Request: <009>User Name:<009><009>RTCService <009>Supplied Realm Name:<009>DOMAINNAME <009>User ID:<009><009><009>- <009>Service Name:<009><009>krbtgt/DOMAINNAME <009>Service ID:<009><009>- <009>Ticket Options:<009><009>0x40810010 <009>Result Code:<009><009>0x17 <009>Ticket Encryption Type:<009>- <009>Pre-Authentication Type:<009>- <009>Client Address:<009><009>172.16.8.115 <009>Certificate Issuer Name:<009> <009>Certificate Serial Number:<009> <009>Certificate Thumbprint:<009>

Commented:
this is happening on the clients machine with a service that is connected on that machine.

Author

Commented:
If I understand your question correctly, yes.  The service runs on a member server of the domain.  It attempts to authenticate periodically and this generates the log entry on the DC.  However, the service on the member server continues to run and the application appears to function properly

Commented:
correct

Commented:
I had this problem with a user that was no longer with the company.

Author

Commented:
the account definitely exists in AD and wouldnt I get an error more along the lines of User does not exist or something.  And if the account did not exist then the service should no longer run and the app should fail no?
Commented:
Here is what I suggest. Reset the password to the same password as it was and reconfigure the password doesn't expire.

Commented:
You will have to restart the services.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial