• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 582

Thousands of 675 errors in DC event log

I am stumped on this one. We are getting thousands (>90,000) of 675 entries in the DC security event log constantly!

Symptoms:
  • There are 6-10 entries per second
  • There are around 100 entries per user in a row, then it seems to move onto the next user
  • There appears to be no pattern of which user it picks next - they are not in the same site OU, it's not in alphabetical order
  • All of the entries appear to be coming from a single client IP. Firstly we removed the original client from the network, but now it appears to have moved onto another client
  • These entries are only occurring on one site server; the other site servers on the same domain are not showing any similar messages
  • I've had a look at the logs on the client machine and they don't appear to be showing anything that would cause/instigate this many failed authentication attempts
  • I've checked all the accounts in AD and they are active and not expired
  • I've synced the time on the DC and the client


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            22/11/2010
Time:            04:33:08
User:            NT AUTHORITY\SYSTEM
Computer:      [siteDC]
Description:
Pre-authentication failed:
       User Name:      [username]
       User ID:            PIC\[username]
       Service Name:      krbtgt/[domain]
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.x.x.4


Any ideas/suggestions!?

All other research and possible resolutions have failed so far.
Asked: jonathonberg
1 Solution
 
iedenCommented:
Sounds like someone is trying to gain access by guessing passwords...
 
losipCommented:
Have you changed password complexity rules lately?
 
iedenCommented:
This behavior can occur if a user has a manually mapped and saved connection after a password change. Go to the affected user's desktop and disconnect all drives. Perhaps add the drive in question to the login script.
 
losipCommented:
@ieden, that was my first thought but the OP is getting this on many different users and it's comparatively unlikely that they've all suddenly changed their passwords.
 
iedenCommented:
@losip, when you asked about password policy being changed, the thought then came that perhaps they did all change their password.
 
losipCommented:
Only if they went through and pre-expired all passwords forcing a change at next logon.  In my experience, the effect you mention only occurs when drives are mapped using explicit credentials - perhaps from machines that are not part of the domain.  Normal drive mappings with domain accounts don't usually do this on password change unless the user changes his password from a machine other than the one with the mappings.  We had this with some Unix machines mapping SMB drives but not on the scale reported.
 
jonathonbergAuthor Commented:
The drive mapping idea did come to mind but it doesn't explain why it's cycling through different users, but reporting from the same client.

The strange thing is that the users being reported have nothing to do with this client - they are not on the same site or in the same OU. It's almost as if something on the PC is cycling through LDAP and trying to log on using each user account it finds!?

I agree that the symptoms would match some kind of intrusion attack on the network?
 
losipCommented:
The other time I saw this was in a large organisation with separate server/account admin team to the IT Security/audit team.  A rogue admin had changed part of the account policies which he wasn't authorised to do and created a script to fill up the Security log until it cycled round and overflowed and covered up the audit event of his mis-deed!  Fortunately, due to our account policies and use of Operations Manager, he was thwarted.
 
jonathonbergAuthor Commented:
I think the next thing I will be doing is inspecting the client very closely to check that its AV etc. is up to date and that there is nothing malicious installed/running.

Some reports show it may be a DNS issue, but if it was I don't see why it would be picking up random AD users and referring to this single client.
 
iedenCommented:
So how has it been going with this issue?
 
jonathonbergAuthor Commented:
Investigation eventually revealed it was the PGP edge protection client software throwing up a fault on a few workstations.  The workstations were attended to and the traffic ceased.  

Thanks to those who threw up suggestions.
 
TolomirAdministratorCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
