Link to home
Create AccountLog in
Avatar of AbdellahT
AbdellahT

asked on

Disabling Kerberos Preauthentication

The Active Directory KDC enables Kerberos preauthentication and I keep getting the event "Pre-authentication Failed - outside work hours 675” to my centralized events manager every time a user login.
Pre-authentication failed:
      User Name:      UserX
      User ID:            TULSA\UserX
      Service Name:      krbtgt/DomainName
      Pre-Authentication Type:      0x0
      Failure Code:      0x19
     
Client Address:      192.168.1.X

Pre-authentication failed:
      User Name:      UserX
      User ID:            Domain/UserX
      Service Name:      krbtgt/Domain
      Pre-Authentication Type:      0x2
      Failure Code:      0x18
     
Client Address:      192.168.1.X


I noticed that there are two error codes 0x19 and 0x18 and two preauthenticatio types: 0x0 and 0x2. What is the difference these two events? How can I stop them?

Are there any security risks behind disabling Kerberos Preauthentication on user accounts?

 Please help me solve this issue.

Thanks

Abdellah
ASKER CERTIFIED SOLUTION
Avatar of Mike Kline
Mike Kline
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of AbdellahT
AbdellahT

ASKER

Thanks for your reply.

What's a bad password?
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Event 675 is not just a bad password it can be, you have to look deeper at the actual status codes, logon types, ntlm error codes or whatever else you have available in the logs.  I'll attach a quickref guide for you.

Event 675 on a domain controller indicates a
failed initial attempt to logon via Kerberos at a
workstation with a domain account usually due
to a bad password but the failure code indicates
exactly why authentication failed. See Kerberos
failure codes quickref.pdf
When you guys say Bad Password, do you mean is when a user failed to type the correct password? usually users mistype their password in the first login attempt, is then when this error is thrown?

SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.