Solved

Thousands of 675 errors in DC event log

Posted on 2010-11-22
13
578 Views
Last Modified: 2013-11-05
I am stumped on this one. We are getting thousands (>90,000) of 675 entries in the DC security event log constantly!

Symptoms:
There are 6-10 entries per second
There are around 100 entries per user in a row, then it seems to move onto the next user
There appears to be no pattern of which user it picks next - they are not in the same site OU, it's not in alphabetical order
All of the entries appear to be coming from a single client IP. Firstly we removed the original client from the network, but now it appears to have moved onto another client
These entries are only occurring on one site server; the other site servers on the same domain are not showing any similar messages
I've had a look at the logs on the client machine and they don't appear to be showing anything that would cause/instigate this many failed authentication attempts
I've checked all the accounts in AD and they are active and not expired
I've sync'd the time on the DC and the client


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            22/11/2010
Time:            04:33:08
User:            NT AUTHORITY\SYSTEM
Computer:      [siteDC]
Description:
Pre-authentication failed:
       User Name:      [username]
       User ID:            PIC\[username]
       Service Name:      krbtgt/[domain]
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.x.x.4


Any ideas/suggestions!?

All other research and possible resolutions have failed so far.
0
Comment
Question by:jonathonberg
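The symptom pattern in the question (one client address, a long run of distinct accounts, several pre-authentication failures per second) is exactly what a defender wants to pick out of a flood of event 675 entries. The following is an added example, not code from the thread or any product mentioned in it: it parses the plain-text form of the Windows Server 2003 Security event 675 shown above, groups entries by Client Address, decodes the Kerberos failure code, and flags any source that fails pre-authentication for many distinct accounts inside a short window. The user names, addresses, domain and timestamps are constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Triage helper for Kerberos pre-authentication failure storms (event 675).

Added example, not code from the original thread. Parses exported event 675
text, groups by Client Address and flags a source that fails pre-auth for
many different accounts in a short window: one source / many users / high
rate is what separates a credential sweep or a misbehaving agent from one
user mistyping a password. All sample data below is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos KDC error codes seen in the "Failure Code" field (RFC 4120 values).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)",
    0x12: "KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

FIELD_RE = re.compile(r"\s*([A-Za-z][A-Za-z\- ]*?):\s*(.*)$")


def parse_events(text):
    """Split exported event text on blank lines, read each 'Key: value' line
    of every block and return only the event ID 675 blocks as dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") == "675":
            events.append(fields)
    return events


def max_distinct_users_in_window(rows, window_seconds):
    """Sliding window over time-sorted (timestamp, user, code) rows: the
    largest number of distinct accounts failing inside window_seconds."""
    best, live, j = 0, Counter(), 0
    for i in range(len(rows)):
        while j < len(rows) and (rows[j][0] - rows[i][0]).total_seconds() <= window_seconds:
            live[rows[j][1]] += 1
            j += 1
        best = max(best, len(live))
        live[rows[i][1]] -= 1
        if live[rows[i][1]] == 0:
            del live[rows[i][1]]
    return best


def analyse(events, window_seconds=60, user_threshold=10):
    """Per-source summary (volume, rate, distinct accounts, failure codes) and
    a 'suspicious' flag when one source hits >= user_threshold accounts
    within window_seconds. Thresholds are assumptions; tune per environment."""
    by_client = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["Date"] + " " + e["Time"], "%d/%m/%Y %H:%M:%S")
        by_client[e["Client Address"]].append((ts, e["User Name"], int(e["Failure Code"], 16)))
    findings = {}
    for client, rows in by_client.items():
        rows.sort()
        span = (rows[-1][0] - rows[0][0]).total_seconds()
        codes = Counter(code for _, _, code in rows)
        findings[client] = {
            "events": len(rows),
            "distinct_users": len({user for _, user, _ in rows}),
            "events_per_second": round(len(rows) / max(span, 1.0), 2),
            "failure_codes": {FAILURE_CODES.get(c, hex(c)): n for c, n in codes.items()},
            "suspicious": max_distinct_users_in_window(rows, window_seconds) >= user_threshold,
        }
    return findings


# Constructed sample in the same layout as the event quoted in the question.
EVENT_TEMPLATE = """Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            {date}
Time:            {time}
User:            NT AUTHORITY\\SYSTEM
Computer:      SITEDC01
Description:
Pre-authentication failed:
       User Name:      {user}
       User ID:            EXAMPLE\\{user}
       Service Name:      krbtgt/EXAMPLE.LOCAL
       Pre-Authentication Type:      0x2
       Failure Code:      {code}
       Client Address:      {client}"""

SWEEP_USERS = "alice bob carol dave erin frank grace heidi ivan judy mallory oscar".split()


def _event(ts, user, code, client):
    return EVENT_TEMPLATE.format(date=ts.strftime("%d/%m/%Y"), time=ts.strftime("%H:%M:%S"),
                                 user=user, code=code, client=client)


def build_sample_log():
    """Constructed: 10.0.0.4 sweeps 12 accounts, 3 bad passwords each, at six
    events per second; 10.0.0.9 is one user with a wrong then expired password."""
    base = datetime(2010, 11, 22, 4, 33, 8)
    blocks = [_event(base + timedelta(seconds=n // 6), user, "0x18", "10.0.0.4")
              for n, user in enumerate(u for u in SWEEP_USERS for _ in range(3))]
    later = base + timedelta(minutes=5)
    blocks.append(_event(later, "peggy", "0x18", "10.0.0.9"))
    blocks.append(_event(later, "peggy", "0x17", "10.0.0.9"))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    for client, summary in analyse(parse_events(build_sample_log())).items():
        print(client, summary)
```

On real data, export the Security log as text (or feed the same dict shape from Get-EventLog / Get-WinEvent output) and run `analyse` over it; a source that is flagged here, with failure code 0x18 across accounts that have no business relationship to that machine, is the one to pull off the network and inspect, which is what the thread ends up doing.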
13 Comments
 
LVL 7

Expert Comment

by:ieden
ID: 34187581
Sounds like someone is trying to gain access by guessing passwords...
0
 
LVL 9

Expert Comment

by:losip
ID: 34187690
Have you changed password complexity rules lately?
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187733
This behavior can occur if a user has a manually mapped and saved connection after a password change. Go to the affected users desktop and disconnect all drives. perhaps add the drive in question to the login script.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187756
@ieden, that was my first thought but the OP is getting this on many different users and it's comparatively unlikely that they've all suddenly changed their passwords.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34187797
@losip, when you asked about password policy being changed, the thought then came that perhaps they did all change their password.
0
 
LVL 9

Expert Comment

by:losip
ID: 34187838
Only if they went through and pre-expired all passwords forcing a change at next logon.  In my experience, the effect you mention only occurs when drives are mapped using explicit credentials - perhaps from machines that are not part of the domain.  Normal drive mappings with domain accounts don't usually do this on password change unless the user changes his password from a machine other than the one with the mappings.  We had this with some Unix machines mapping SMB drives but not on the scale reported.
0
 
LVL 2

Author Comment

by:jonathonberg
ID: 34188060
The drive mapping idea did come to mind but it doesn't explain why it's cycling through different users, but reporting from the same client.

The strange thing is that the users being reported have nothing to do with this client - they are not on the same site or in the same OU. It's almost as if something on the PC is cycling through LDAP and trying to logon using each user account it finds!?

I agree that the symptoms would match some kind of intrusion attack on the network?
0
 
LVL 9

Expert Comment

by:losip
ID: 34188109
The other time I saw this was in a large organisation with separate server/account admin team to the IT Security/audit team.  A rogue admin had changed part of the account policies which he wasn't authorised to do and created a script to fill up the Security log until it cycled round and overflowed and covered up the audit event of his mis-deed!  Fortunately, due to our account policies and use of Operations Manager, he was thwarted.
0
 
LVL 2

Author Comment

by:jonathonberg
ID: 34195463
I think the next thing I will be doing is inspecting the client very closely to check that its AV etc. is up to date and that there is nothing malicious installed/running.

Some reports show it may be DNS issue, but if it was I don't see why it would be picking up random AD users and referring to this single client.
0
 
LVL 7

Expert Comment

by:ieden
ID: 34337731
So how has it been going with this issue?
0
 
LVL 2

Accepted Solution

by:
jonathonberg earned 0 total points
ID: 34341446
Investigation eventually revealed it was the PGP edge protection client software throwing up a fault on a few workstations.  The workstations were attended to and the traffic ceased.  

Thanks to those who threw up suggestions.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35225182
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
