Solved

Thousands of 675 errors in DC event log

Posted on 2010-11-22
577 Views
Last Modified: 2013-11-05
I am stumped on this one. We are getting thousands (>90,000) of 675 entries in the DC security event log constantly!

Symptoms:
There are 6-10 entries per second.
There are around 100 entries per user in a row, then it seems to move on to the next user.
There appears to be no pattern to which user it picks next: they are not in the same site OU, and it's not in alphabetical order.
All of the entries appear to be coming from a single client IP. First we removed the original client from the network, but now it appears to have moved on to another client.
These entries are only occurring on one site server; the other site servers on the same domain are not showing any similar messages.
I've had a look at the logs on the client machine and they don't appear to show anything that would cause/instigate this many failed authentication attempts.
I've checked all the accounts in AD and they are active and not expired.
I've synced the time on the DC and the client.


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            22/11/2010
Time:            04:33:08
User:            NT AUTHORITY\SYSTEM
Computer:      [siteDC]
Description:
Pre-authentication failed:
       User Name:      [username]
       User ID:            PIC\[username]
       Service Name:      krbtgt/[domain]
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.x.x.4


Any ideas/suggestions!?

All other research and possible resolutions have failed so far.
Question by: jonathonberg
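The pattern described in the question (one client address, pre-authentication type 0x2, failure code 0x18, cycling through unrelated accounts) is exactly what a detection over the 675 events should separate from the more common stale-credential case (one client, one account, retried forever). The following is an added example, not code from the original thread: it builds a few constructed 675 events in the layout quoted above (the usernames, the realm "pic.example" and the 10.0.0.x addresses are made up), parses the fields that matter, groups failures by Client Address and classifies each source. The thresholds (10 distinct accounts, 5 attempts) are assumptions to tune for your environment.

```python
"""Added example: triage Kerberos pre-authentication failures (Event ID 675)
by source address. Not part of the original thread; sample events below are
constructed, and the classification thresholds are assumptions."""
import re
from collections import defaultdict

# Kerberos error codes as printed in the 675 "Failure Code" field (RFC 4120).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired, must be changed",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}
# Pre-authentication types seen in the same event. 0x2 means the client
# encrypted a timestamp with a password-derived key, i.e. a password was tried.
PREAUTH_TYPES = {0x02: "PA-ENC-TIMESTAMP (password-derived key)",
                 0x10: "PA-PK-AS-REQ (PKINIT / smart card)"}

# Layout copied from the event quoted in the question; "PIC" is the
# questioner's NetBIOS domain, the realm below is a made-up placeholder.
EVENT_675_TEMPLATE = """\
Event ID:      675
Time:            {time}
Description:
Pre-authentication failed:
       User Name:      {user}
       User ID:            PIC\\{user}
       Service Name:      krbtgt/{realm}
       Pre-Authentication Type:      {patype:#x}
       Failure Code:      {code:#x}
       Client Address:      {client}
"""


def make_event(time, user, client, code=0x18, patype=0x2, realm="pic.example"):
    """Constructed sample 675 event text (for the demo only)."""
    return EVENT_675_TEMPLATE.format(time=time, user=user, client=client,
                                     code=code, patype=patype, realm=realm)


FIELD_RE = re.compile(
    r"^\s*(Time|User Name|Service Name|Pre-Authentication Type|Failure Code|Client Address):\s*(\S.*?)\s*$",
    re.M)


def parse_event(text):
    """Pull the fields needed for triage out of one 675 event description."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "time": fields["Time"],
        "user": fields["User Name"].lower(),   # AD usernames are case-insensitive
        "client": fields["Client Address"],
        "patype": int(fields["Pre-Authentication Type"], 16),
        "code": int(fields["Failure Code"], 16),
    }


def classify(attempts, distinct_users, dominant_code, min_users, min_attempts):
    """Heuristic verdict for one source address (thresholds are assumptions)."""
    if dominant_code != 0x18:
        return "not a password failure; check the failure code"
    if distinct_users >= min_users:
        return "many accounts from one source: password guessing/spraying (or a broken client cycling accounts)"
    if attempts >= min_attempts:
        return "one or few accounts repeatedly: stale saved credential or mapped drive"
    return "low volume"


def summarize(events, min_users=10, min_attempts=5):
    """Group failures by Client Address and classify each source."""
    by_client = defaultdict(lambda: {"attempts": 0, "users": set(), "codes": defaultdict(int)})
    for ev in events:
        c = by_client[ev["client"]]
        c["attempts"] += 1
        c["users"].add(ev["user"])
        c["codes"][ev["code"]] += 1
    report = {}
    for client, c in by_client.items():
        dominant = max(c["codes"], key=c["codes"].get)
        report[client] = {
            "attempts": c["attempts"],
            "distinct_users": len(c["users"]),
            "dominant_failure": FAILURE_CODES.get(dominant, hex(dominant)),
            "verdict": classify(c["attempts"], len(c["users"]), dominant, min_users, min_attempts),
        }
    return report


def build_sample():
    """Constructed events: one source cycling accounts, one stale credential,
    one clock-skew failure. Names and addresses are invented."""
    events = []
    for i in range(12):                       # 12 unrelated accounts, 3 tries each
        for t in range(3):
            events.append(make_event(f"04:33:{i * 3 + t:02d}", f"user{i:02d}", "10.0.0.4"))
    for t in range(6):                        # one workstation retrying one account
        events.append(make_event(f"04:40:{t:02d}", "bob", "10.0.0.9"))
    events.append(make_event("04:41:00", "carol", "10.0.0.20", code=0x25))
    return [parse_event(e) for e in events]


if __name__ == "__main__":
    for client, row in sorted(summarize(build_sample()).items()):
        print(client, row)
```

The same fields (Client Address, Pre-Authentication Type, Failure Code) appear in Event ID 4771 on Windows Server 2008 and later, so the parser only needs its field list adjusted to run over those. The useful discriminator is the combination: 0x18 with type 0x2 means a real password was tried and rejected, so when one address produces that against dozens of accounts it does not belong to, the explanation is either an attacker or, as in this thread, software on that machine misbehaving; a single account retried from one address points at a cached credential instead.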
13 Comments

Expert Comment by: ieden (LVL 7), ID: 34187581
Sounds like someone is trying to gain access by guessing passwords...

Expert Comment by: losip (LVL 9), ID: 34187690
Have you changed password complexity rules lately?

Expert Comment by: ieden (LVL 7), ID: 34187733
This behavior can occur if a user has a manually mapped and saved connection after a password change. Go to the affected user's desktop and disconnect all drives; perhaps add the drive in question to the login script.

Expert Comment by: losip (LVL 9), ID: 34187756
@ieden, that was my first thought but the OP is getting this on many different users and it's comparatively unlikely that they've all suddenly changed their passwords.

Expert Comment by: ieden (LVL 7), ID: 34187797
@losip, when you asked about password policy being changed, the thought then came that perhaps they did all change their password.

Expert Comment by: losip (LVL 9), ID: 34187838
Only if they went through and pre-expired all passwords, forcing a change at next logon. In my experience, the effect you mention only occurs when drives are mapped using explicit credentials, perhaps from machines that are not part of the domain. Normal drive mappings with domain accounts don't usually do this on password change unless the user changes his password from a machine other than the one with the mappings. We had this with some Unix machines mapping SMB drives, but not on the scale reported.

Author Comment by: jonathonberg (LVL 2), ID: 34188060
The drive mapping idea did come to mind, but it doesn't explain why it's cycling through different users while reporting from the same client.

The strange thing is that the users being reported have nothing to do with this client: they are not on the same site or in the same OU. It's almost as if something on the PC is cycling through LDAP and trying to log on using each user account it finds!?

I agree that the symptoms would match some kind of intrusion attack on the network?

Expert Comment by: losip (LVL 9), ID: 34188109
The other time I saw this was in a large organisation with a server/account admin team separate from the IT Security/audit team. A rogue admin had changed part of the account policies, which he wasn't authorised to do, and created a script to fill up the Security log until it cycled round, overflowed and covered up the audit event of his misdeed! Fortunately, due to our account policies and use of Operations Manager, he was thwarted.

Author Comment by: jonathonberg (LVL 2), ID: 34195463
I think the next thing I will be doing is inspecting the client very closely to check that its AV etc. is up to date and that there is nothing malicious installed/running.

Some reports show it may be a DNS issue, but if it was I don't see why it would be picking up random AD users and referring to this single client.

Expert Comment by: ieden (LVL 7), ID: 34337731
So how has it been going with this issue?

Accepted Solution by: jonathonberg (LVL 2, earned 0 total points), ID: 34341446
Investigation eventually revealed it was the PGP edge protection client software throwing up a fault on a few workstations. The workstations were attended to and the traffic ceased.

Thanks to those who threw up suggestions.

Expert Comment by: Tolomir (LVL 27), ID: 35225182
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.