Solved

Disabling Kerberos Preauthentication

Posted on 2010-11-15
8
6,191 Views
Last Modified: 2012-08-13
The Active Directory KDC enables Kerberos preauthentication and I keep getting the event "Pre-authentication Failed - outside work hours 675” to my centralized events manager every time a user login.
Pre-authentication failed:
      User Name:      UserX
      User ID:            TULSA\UserX
      Service Name:      krbtgt/DomainName
      Pre-Authentication Type:      0x0
      Failure Code:      0x19
     
Client Address:      192.168.1.X

Pre-authentication failed:
      User Name:      UserX
      User ID:            Domain/UserX
      Service Name:      krbtgt/Domain
      Pre-Authentication Type:      0x2
      Failure Code:      0x18
     
Client Address:      192.168.1.X


I noticed that there are two error codes 0x19 and 0x18 and two preauthenticatio types: 0x0 and 0x2. What is the difference these two events? How can I stop them?

Are there any security risks behind disabling Kerberos Preauthentication on user accounts?

 Please help me solve this issue.

Thanks

Abdellah
0
Comment
Question by:AbdellahT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 125 total points
ID: 34138042
Download this whitepaper about troubleshooting kerberos that lists a lot of the events   http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7DFEB015-6043-47DB-8238-DC7AF89C93F1&displaylang=en

Looks like a bad password

Thanks
Mike
0
 

Author Comment

by:AbdellahT
ID: 34138054
Thanks for your reply.

What's a bad password?
0
 
LVL 3

Assisted Solution

by:danora
danora earned 125 total points
ID: 34138082
Hi AbdellahT

Event 675 is a locked account.

Please see the below link for a more comprehensive answer

http://forums.techarena.in/active-directory/997366.htm

Hope this helps
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 5

Assisted Solution

by:DigitalTechy
DigitalTechy earned 125 total points
ID: 34138089
I'm assuming you are in a windows 2003 environment?  Regardless a mix-match of OS's in older domain controllers can't cause the 0x19 failure.  Microsoft cycles through the encryption type and if it doesn't match up it goes on to the next to support various versions.  This is by design and is not to cause alarm, however, it does produce multiple 0x19 failures.  In order to no longer receive them you must disable the kerberos authentication logging.  

On another note, the 0x18 error code means Account disabled, expired or locked out.  If it is in unison (via timestamp) to the 0x19's it's probably caused by the kerberos encryption.  If it's not then I'd take a look at if that user is locked out or if the trust relationship between the workstation and server is out of sync.  I've seen this numerous times, if the user is able to successfully authenticate yet you still get multiple 0x18 675 errors, you may just have to remove them from the domain and re-add them.  Problem shouldn't re-occur.  

In any case, here is more information on the pre-auth encryption and steps on how to disable if you choose to do so.  I'd rather recommend if you have security monitoring software to write a custom query to skip alerting on 0x19 if needed in your environment. 0x18 is still useful.

http://www.loeding.eu/microsoft/90-error-event-id-675-with-0x19-error-code.html
0
 
LVL 5

Expert Comment

by:DigitalTechy
ID: 34138196
Event 675 is not just a bad password it can be, you have to look deeper at the actual status codes, logon types, ntlm error codes or whatever else you have available in the logs.  I'll attach a quickref guide for you.

Event 675 on a domain controller indicates a
failed initial attempt to logon via Kerberos at a
workstation with a domain account usually due
to a bad password but the failure code indicates
exactly why authentication failed. See Kerberos
failure codes quickref.pdf
0
 

Author Comment

by:AbdellahT
ID: 34139076
When you guys say Bad Password, do you mean is when a user failed to type the correct password? usually users mistype their password in the first login attempt, is then when this error is thrown?

0
 
LVL 24

Expert Comment

by:Awinish
ID: 34143156
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 125 total points
ID: 34143164
Bad password are the wrong password entered by user or tried by virus/worm to enter to the system for stealing information from the system
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
A hard and fast method for reducing Active Directory Administrators members.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question