We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
COURSE of the MONTH
8 days, 3 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Disabling Kerberos Preauthentication
Posted on 2010-11-15
The Active Directory KDC enables Kerberos preauthentication and I keep getting the event "Pre-authentication Failed - outside work hours 675” to my centralized events manager every time a user login.
Pre-authentication failed:
User Name: UserX
User ID: TULSA\UserX
Service Name: krbtgt/DomainName
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.1.X
Pre-authentication failed:
User Name: UserX
User ID: Domain/UserX
Service Name: krbtgt/Domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.X
I noticed that there are two error codes 0x19 and 0x18 and two preauthenticatio types: 0x0 and 0x2. What is the difference these two events? How can I stop them?
Are there any security risks behind disabling Kerberos Preauthentication on user accounts?
Please help me solve this issue.
Thanks
Abdellah
Pre-authentication failed:
User Name: UserX
User ID: TULSA\UserX
Service Name: krbtgt/DomainName
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.1.X
Pre-authentication failed:
User Name: UserX
User ID: Domain/UserX
Service Name: krbtgt/Domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.X
I noticed that there are two error codes 0x19 and 0x18 and two preauthenticatio types: 0x0 and 0x2. What is the difference these two events? How can I stop them?
Are there any security risks behind disabling Kerberos Preauthentication on user accounts?
Please help me solve this issue.
Thanks
Abdellah
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
2-
2
- +2
8 Comments
Download this whitepaper about troubleshooting kerberos that lists a lot of the events http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7DFEB015-6043-47DB-8238-DC7AF89C93F1&displaylang=en
Looks like a bad password
Thanks
Mike
Looks like a bad password
Thanks
Mike
Hi AbdellahT
Event 675 is a locked account.
Please see the below link for a more comprehensive answer
http://forums.techarena.in/active-directory/997366.htm
Hope this helps
Event 675 is a locked account.
Please see the below link for a more comprehensive answer
http://forums.techarena.in/active-directory/997366.htm
Hope this helps
I'm assuming you are in a windows 2003 environment? Regardless a mix-match of OS's in older domain controllers can't cause the 0x19 failure. Microsoft cycles through the encryption type and if it doesn't match up it goes on to the next to support various versions. This is by design and is not to cause alarm, however, it does produce multiple 0x19 failures. In order to no longer receive them you must disable the kerberos authentication logging.
On another note, the 0x18 error code means Account disabled, expired or locked out. If it is in unison (via timestamp) to the 0x19's it's probably caused by the kerberos encryption. If it's not then I'd take a look at if that user is locked out or if the trust relationship between the workstation and server is out of sync. I've seen this numerous times, if the user is able to successfully authenticate yet you still get multiple 0x18 675 errors, you may just have to remove them from the domain and re-add them. Problem shouldn't re-occur.
In any case, here is more information on the pre-auth encryption and steps on how to disable if you choose to do so. I'd rather recommend if you have security monitoring software to write a custom query to skip alerting on 0x19 if needed in your environment. 0x18 is still useful.
http://www.loeding.eu/microsoft/90-error-event-id-675-with-0x19-error-code.html
On another note, the 0x18 error code means Account disabled, expired or locked out. If it is in unison (via timestamp) to the 0x19's it's probably caused by the kerberos encryption. If it's not then I'd take a look at if that user is locked out or if the trust relationship between the workstation and server is out of sync. I've seen this numerous times, if the user is able to successfully authenticate yet you still get multiple 0x18 675 errors, you may just have to remove them from the domain and re-add them. Problem shouldn't re-occur.
In any case, here is more information on the pre-auth encryption and steps on how to disable if you choose to do so. I'd rather recommend if you have security monitoring software to write a custom query to skip alerting on 0x19 if needed in your environment. 0x18 is still useful.
http://www.loeding.eu/microsoft/90-error-event-id-675-with-0x19-error-code.html
Event 675 is not just a bad password it can be, you have to look deeper at the actual status codes, logon types, ntlm error codes or whatever else you have available in the logs. I'll attach a quickref guide for you.
Event 675 on a domain controller indicates a
failed initial attempt to logon via Kerberos at a
workstation with a domain account usually due
to a bad password but the failure code indicates
exactly why authentication failed. See Kerberos
failure codes quickref.pdf
Event 675 on a domain controller indicates a
failed initial attempt to logon via Kerberos at a
workstation with a domain account usually due
to a bad password but the failure code indicates
exactly why authentication failed. See Kerberos
failure codes quickref.pdf
When you guys say Bad Password, do you mean is when a user failed to type the correct password? usually users mistype their password in the first login attempt, is then when this error is thrown?
Check the below link also.
http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s
ManageEngine
webinar, where attendees received a comprehensive look at the ma…
Are you ready to implement Active Directory best practices without reading 300+ pages?
You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month8 days, 3 hours left to enroll
765 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.