Link to home
Start Free TrialLog in
Avatar of amnhtech
amnhtechFlag for United States of America

asked on

Pre-Authentication Failure error code 0x19

I am getting thousands of messages daily for two accounts where the security logs show pre-authentication failures with failure code 0x19.  The odd thing is that despite of this the accounts do not get locked out eventhough I have a policy that accounts lock out after 3 failed logon attempts and they stay locked until an administrator unlocks it.  Does anyone have any ideas on what is causing this and how to resolve it?
Avatar of thenone
thenone
it sounds like you have a service running with these accounts and the password has chnaged. If that is the case you would recieve this error over and over again.
Avatar of amnhtech
amnhtech
Flag of United States of America image

ASKER

I thought of these since these are service accounts but the passwords have not changed.  When looking at the account properties the "must change password on next logon" is not set.  Also these accounts are set to password never changes.
Avatar of thenone
thenone
is this happening on the server or a workstation?
Avatar of thenone
thenone
can you post the error log
Avatar of amnhtech
amnhtech
Flag of United States of America image

ASKER

I am getting the errors in the security log on the DC.  I redirect my logs to a syslog server so here are a few sample lines in plain text format. These are two sample lines in my logs.  Sometimes it is this username and other times there is another username.  The Application that is dependent on this service continues to function.

2009-09-30 08:38:04,Auth.Error,172.16.8.51,Sep 30 08:38:02 domaincontroller security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: <009>User Name:<009>RTCService <009>User ID:%{S-1-5-21-xxxxxxx <009>Service Name:<009>krbtgt/DOMAINNAME <009>Pre-Authentication Type:<009>0x0 <009>Failure Code:<009>0x19 <009>Client Address:<009>172.16.8.115
2009-09-30 08:38:04,Auth.Error,172.16.8.51,Sep 30 08:38:02 domaincontroller security[failure] 672 NT AUTHORITY\SYSTEM Authentication Ticket Request: <009>User Name:<009><009>RTCService <009>Supplied Realm Name:<009>DOMAINNAME <009>User ID:<009><009><009>- <009>Service Name:<009><009>krbtgt/DOMAINNAME <009>Service ID:<009><009>- <009>Ticket Options:<009><009>0x40810010 <009>Result Code:<009><009>0x17 <009>Ticket Encryption Type:<009>- <009>Pre-Authentication Type:<009>- <009>Client Address:<009><009>172.16.8.115 <009>Certificate Issuer Name:<009> <009>Certificate Serial Number:<009> <009>Certificate Thumbprint:<009>
Avatar of thenone
thenone
this is happening on the clients machine with a service that is connected on that machine.
Avatar of amnhtech
amnhtech
Flag of United States of America image

ASKER

If I understand your question correctly, yes.  The service runs on a member server of the domain.  It attempts to authenticate periodically and this generates the log entry on the DC.  However, the service on the member server continues to run and the application appears to function properly
Avatar of thenone
thenone
correct
Avatar of thenone
thenone
I had this problem with a user that was no longer with the company.
Avatar of amnhtech
amnhtech
Flag of United States of America image

ASKER

the account definitely exists in AD and wouldnt I get an error more along the lines of User does not exist or something.  And if the account did not exist then the service should no longer run and the app should fail no?
ASKER CERTIFIED SOLUTION
Avatar of thenone
thenone
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of thenone
thenone
You will have to restart the services.