
Pre login failed

I have an XP box that gets "Pre-authentication failed":

User Name: WS-DOCOFFICE-1$
User ID: HPVC\WS-DOCOFFICE-1$
Service Name: krbtgt/HPVC.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.16.29

Any idea why?
 

Author

Commented:


Summary for HPVC-SERVER

Server has been running: 33 days and 17 hours

Server Specifications
Performance Summary
Top Processes
Backup: Did not run
Auto-started Services Not Running: 3
Critical Alerts: 1
Critical Errors in the Event Logs: 52




Details of HPVC-SERVER

--------------------------------------------------------------------------------

Server Specifications

Operating System: Microsoft(R) Windows(R) Server 2003 for Small Business Server Service Pack 2
Processor: Intel(R) Xeon(TM) CPU 3.40GHz, Intel(R) Xeon(TM) CPU 3.40GHz
Frequency: 3.4 GHz, 3.4 GHz
Amount of RAM: 4096 MB

Performance Summary

Performance Counters | Today | Last Month | Rate of Growth
Memory in use | 3,807 MB | 2,693 MB | 41 %
Free disk space (C:) | 35,059 MB | 37,109 MB | -6 %
Busy disk time (0 C:) | 9 % | 5 % | 71 %
CPU Use (0) | 7 % | 78 % | -91 %
CPU Use (1) | 7 % | 34 % | -80 %




Top 5 Processes by Memory Usage

Process Name - ID | Memory Usage
sqlservr - 2044 | 1,269 MB
store - 872 | 565 MB
dbsrv7 - 5732 | 262 MB
sqlservr - 1896 | 208 MB
w3wp - 7732 | 156 MB

Top 5 Processes by CPU Usage

Process Name - ID | CPU Time
TrueImageService - 7188 | 13.7 %
svchost - 1012 | 1.3 %
FileAgent - 4268 | 1.2 %
System - 4 | 1.1 %
FileAgent - 3492 | 0.9 %








Backup

Result | Last Occurrence
Small Business Server Backup was not scheduled to run in the last 24 hours. | Not applicable

Auto-started Services Not Running

Service Name
Ati HotKey Poller
Fax
SQLAgent$SBSMONITORING

Total auto-started services not running: 3

In normal conditions, these services should be running. For details, it is recommended that you review errors in the Event log related to the service.

Critical Alerts

Issue | Last Occurrence | Total Occurrences
Allocated Memory | 5/20/2010 2:17 PM | 1

A large amount of memory is committed to applications and processes. Consistently high memory usage can cause performance problems.

To determine which processes and applications are using the most memory, use Task Manager. Monitor the activity of these resources over a few days. If they continue to use a high level of memory and are less critical processes or services, try stopping and then restarting them.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.




Critical Errors in Application Log



There were no critical events in the Application Log in the last 24 hours.




Critical Errors in Directory Service Log



There were no critical events in the Directory Service Log in the last 24 hours.




Critical Errors in DNS Server Log



There were no critical events in the DNS Server Log in the last 24 hours.




Critical Errors in File Replication Service Log



There were no critical events in the File Replication Service Log in the last 24 hours.




Critical Errors in Security Log



Source | Event ID | Last Occurrence | Total Occurrences
Security | 675 | 5/21/2010 4:18 AM | 42 *

Pre-authentication failed:
User Name: WS-DOCOFFICE-1$
User ID: HPVC\WS-DOCOFFICE-1$
Service Name: krbtgt/HPVC.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.16.29





Source | Event ID | Last Occurrence | Total Occurrences
Security | 673 | 5/21/2010 3:53 AM | 3 *

Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x2
Ticket Encryption Type: -
Client Address: 192.168.16.33
Failure Code: 0x20
Logon GUID: -
Transited Services: -





Source | Event ID | Last Occurrence | Total Occurrences
Security | 534 | 5/20/2010 11:30 PM | 1

Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: Administrator
Domain: HPVC
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HPVC-SERVER
Caller User Name: HPVC-SERVER$
Caller Domain: HPVC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1468
Transited Services: -
Source Network Address: -
Source Port: -





Source | Event ID | Last Occurrence | Total Occurrences
Security | 529 | 5/20/2010 8:15 PM | 1

Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: 72.77.174.74
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: IDC-991D9E0F626
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 121.14.213.86
Source Port: 2586





Source | Event ID | Last Occurrence | Total Occurrences
Security | 680 | 5/20/2010 8:15 PM | 1

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrator
Source Workstation: IDC-991D9E0F626
Error Code: 0xC000006A





Source | Event ID | Last Occurrence | Total Occurrences
Security | 560 | 5/20/2010 9:31 AM | 2 *

Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0,3136601780}
Process ID: 496
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: HPVC-SERVER$
Primary Domain: HPVC
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: Query status of service; Start the service; Query information from service
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94





* The text shown is for the most recent occurrence of this event. For more information, see the Event log.



Critical Errors in System Log



Source | Event ID | Last Occurrence | Total Occurrences
Service Control Manager | 7011 | 5/21/2010 2:07 AM | 1

Timeout (30000 milliseconds) waiting for a transaction response from the NtFrs service.

Source | Event ID | Last Occurrence | Total Occurrences
W32Time | 29 | 5/20/2010 1:40 PM | 1

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.





Critical Errors in Internet Explorer Log



There were no critical events in the Internet Explorer Log in the last 24 hours.




Critical Errors in Windows PowerShell Log



There were no critical events in the Windows PowerShell Log in the last 24 hours.




Critical Errors in Microsoft-Windows-Forwarding/Operational Log



There were no critical events in the Microsoft-Windows-Forwarding/Operational Log in the last 24 hours.


Commented:
Re: the pre-authentication failed, there's an Experts Exchange article that suggests that it is a username/password error and is not critical unless it is happening often: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23200106.html.

Commented:
Secondarily, you should set up a time server on your domain controller.
From http://support.microsoft.com/kb/816042
Configuring the Windows Time service to use an external time source

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
            Modify the Type entry & change to “NTP” without the quotes

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
            Change the AnnounceFlags to 5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
            Change Enabled to 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
            Change NtpServer to “tock.usno.navy.mil,0x1” without the quotes

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
            Change SpecialPollInterval to 900 decimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
            Change MaxPosPhaseCorrection to 3600 decimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
            Change MaxNegPhaseCorrection to 3600 decimal

From the Command Prompt:
net stop w32time && net start w32time

Once this is working, publish the time server IP Address in your DHCP scope (004):

Commented:
So, regarding my first comment, ignore it.  The page referenced in the EE article is no longer online and the article itself has a different error than yours.

How often do you get that error and do you get it only for the one host?  Is the host (ip address 192.168.16.29) a domain controller?

Commented:
If this is a domain controller, it could be if you've got Windows Vista or Windows 7 clients on the domain trying to use AES encryption to authenticate the login message.  Windows 2003 does not support AES encryption: http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/4db3bb1a-5cdf-4874-b58f-f3cbba0ea80a

The article goes further to say that you can enter the following registry key on the Vista (or newer) workstations to force a lesser encryption type:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Reboot the computers for the change to take effect.
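
An added example, not part of the original thread: a small Python triage helper for Security-log entries like the ones in the pasted report. It names the Kerberos "Failure Code" values per RFC 4120, decodes the ticket encryption type (23 is the value in the registry setting above), and flags failures whose source address is not private. The function names and the sample strings, built from values in the report, are this example's own.

```python
import ipaddress

# Kerberos error codes (RFC 4120) as logged in the "Failure Code" field.
KRB_ERRORS = {
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
# Kerberos encryption type numbers; 23 (0x17) is the DefaultEncryptionType value above.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_fields(text):
    """Accept 'Label: value' on one line or 'Label:' with the value on the next line."""
    fields, pending = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.endswith(":"):
            pending = line[:-1]
            fields[pending] = ""
        elif pending is not None:
            fields[pending], pending = line, None
        elif ": " in line:
            label, value = line.split(": ", 1)
            fields[label] = value
    return fields

def triage(event_id, text):
    """Summarize one event: decoded failure code, encryption type, source locality."""
    f = parse_fields(text)
    out = {"event_id": event_id, "account": f.get("User Name", "")}
    code = f.get("Failure Code", "-")
    if code not in ("", "-"):
        out["failure"] = KRB_ERRORS.get(int(code, 16), "unknown " + code)
    etype = f.get("Ticket Encryption Type", "-")
    if etype not in ("", "-"):
        out["etype"] = ETYPES.get(int(etype, 16), etype)
    addr = f.get("Source Network Address") or f.get("Client Address")
    if addr and addr != "-":
        out["source"] = addr
        out["external"] = not ipaddress.ip_address(addr).is_private
    return out

# Sample input built from values in the report above, one event in each layout.
EVENT_675 = "User Name:\nWS-DOCOFFICE-1$\nFailure Code:\n0x19\nClient Address:\n192.168.16.29\n"
EVENT_529 = "User Name: administrator\nLogon Type: 3\nSource Network Address: 121.14.213.86\n"

if __name__ == "__main__":
    print(triage(675, EVENT_675), triage(529, EVENT_529))
```
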

Author

Commented:
This is just one workstation of three that can't access the server.

Commented:
What version of Windows on the workstation?  
Can you verify the DNS Settings on the workstation and ensure they are set to an Active Directory DNS Server?  
Can you ping the server by name?  
Can you ping the server by IP Address?
Can you try to remove and re-add one of the workstations from the domain?

Author

Commented:
Why use an external time source?
Commented:
That's to get rid of that w32time error message from your original post.  The time source will sync the server with the "atomic clock".  Then the server will be set up as an authoritative time server for your domain that you can give out in DHCP settings to the clients.  All workstations and servers will be sync'd.  I have seen issues with servers and workstations having problems because of clock skew.  Not that there is any evidence that this instance is due to that but it was just a consideration I threw in because of errors shown in your original post.

Author

Commented:
Thank you for all the help, I will try all of this tomorrow at the office.

Author

Commented:
It is fixed, thank you.