Event ID 680 not logging

We put a 2008 member server online in a w2k3 domain. We are getting a huge amount of 675 errors, which we suppressed by adding the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Ever since we put this 2008 member server on line we are no longer logging event 680 which we need to review for security reasons.  Can you assist?
thanks,
IT20701 Asked:

TheTechMan Commented:
From http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=680

When DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request.

In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.

In other words, if you're forcing NTLM, you won't log a 680 because it's Kerberos-specific. You'll probably have to undo your previous workaround and find an alternate fix, or apply the fix to the 2008 server instead of the 2003 DC; this way it'll be the only one affected by the change and the remaining systems will still log the events you want to see.
0
IT20701 Author Commented:
I did apply the fix to the 08 servers only not the 03 server.  I applied the fix today 3/28.  Logon events stopped logging on the 03 DC as of 3/21.

thanks,
0
IT20701 Author Commented:
Discovered that the password reset program we installed changed our default domain policy. Changed policy back to audit account logon failures and success and the problem was resolved. Answered my own question.
0

IT20701 Author Commented:
my installation of a 3rd party program was the culprit
0
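
An added example, not part of the thread or any poster's code: a check for the root cause the asker found, an installer changing the domain audit policy so account logon events stop being logged. It assumes the policy is available as a security-template INF (a GPO's GptTmpl.inf or a `secedit /export` file), where `AuditAccountLogon = 3` means success and failure; the sample template and the baseline are constructed.

```python
import configparser

# Security-template encoding of each [Event Audit] setting.
AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Assumed baseline: the setting the thread restored (account logon success and failure).
BASELINE = {"AuditAccountLogon": 3}

# Constructed sample of a template after an installer rewrote the audit section.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def read_event_audit(inf_text):
    """Return the [Event Audit] section as {setting: int}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the setting names' case
    parser.read_string(inf_text.lstrip("\ufeff"))
    if not parser.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in parser.items("Event Audit")}

def audit_drift(inf_text, baseline=BASELINE):
    """List (setting, expected, actual) for settings that miss the baseline.

    A missing setting is reported as None: the template no longer defines it.
    """
    current = read_event_audit(inf_text)
    drift = []
    for name, expected in baseline.items():
        actual = current.get(name)
        # The baseline bits must all be present; extra auditing is not drift.
        if actual is None or (actual & expected) != expected:
            drift.append((name, expected, actual))
    return drift

if __name__ == "__main__":
    for name, expected, actual in audit_drift(SAMPLE_INF):
        print(f"{name}: expected {AUDIT_FLAGS[expected]}, "
              f"found {AUDIT_FLAGS.get(actual, 'not defined')}")
```

These files are normally UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in. Running the check before and after installing software that touches Group Policy shows this kind of change on the day it happens.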