Event ID 680 not logging

We put a 2008 member server online in a w2k3 domain.  We are getting a huge amount of 675 errors which we suppressed by adding the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Ever since we put this 2008 member server on line we are no longer logging event 680 which we need to review for security reasons.  Can you assist?
thanks,
IT20701 Asked:
 
IT20701 (Author) Commented:
Discovered that the password reset program we installed changed our default domain policy.  Changed policy back to audit account logon failures and success and the problem was resolved.  Answered my own question.
 
TheTechMan Commented:
From http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=680

When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request.

In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.

In other words, if you're forcing NTLM, you won't log a 680 because it's Kerberos-specific.  You'll probably have to undo your previous workaround and find an alternate fix, or apply the fix to the 2008 server instead of the 2003 DC, this way it'll be the only one affected by the change and the remaining systems will still log the events you want to see.
 
IT20701 (Author) Commented:
I did apply the fix to the 08 servers only not the 03 server.  I applied the fix today 3/28.  Logon events stopped logging on the 03 DC as of 3/21.

thanks,
 
IT20701 (Author) Commented:
My installation of a 3rd party program was the culprit.
Question has a verified solution.
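
The fix reported in this thread was restoring auditing of account logon success and failure in the domain policy. As an added example (not code from any poster in the thread), this Python sketch checks that setting in the text of a security template such as one exported with `secedit /export /cfg`; the sample template text and the function names are constructed for illustration.

```python
# Bit flags used by audit settings in a security template's [Event Audit] section:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
SUCCESS, FAILURE = 1, 2

# Constructed sample: a template in which account logon auditing has been switched off.
SAMPLE_DRIFTED = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def read_event_audit(inf_text):
    """Return the [Event Audit] settings of a security template as {name: int}."""
    settings, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = int(value.strip())
    return settings

def check_account_logon(inf_text):
    """Report whether 'Audit account logon events' covers success and failure."""
    value = read_event_audit(inf_text).get("AuditAccountLogon")
    if value is None:
        return "not defined"  # setting absent from this template
    missing = [name for bit, name in ((SUCCESS, "success"), (FAILURE, "failure"))
               if not value & bit]
    return "ok" if not missing else "missing: " + ", ".join(missing)

if __name__ == "__main__":
    print("AuditAccountLogon:", check_account_logon(SAMPLE_DRIFTED))
```

Running the same check before and after installing software that edits Group Policy shows whether the audit setting was changed.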
