IT20701
Event ID 680 not logging
We put a 2008 member server online in a w2k3 domain. We are getting a huge amount of 675 errors which we suppressed by adding the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)
Ever since we put this 2008 member server online we are no longer logging event 680, which we need to review for security reasons. Can you assist?
thanks,
ASKER
I did apply the fix to the 08 servers only not the 03 server. I applied the fix today 3/28. Logon events stopped logging on the 03 DC as of 3/21.
thanks,
ASKER
My installation of a 3rd party program was the culprit.
When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. It specifies which user account logged on (Account Name) as well as the name of the client computer from which the user initiated the logon (Workstation field).
This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request.
In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.
In other words, if you're forcing NTLM, you won't log a 680 because it's Kerberos-specific. You'll probably have to undo your previous workaround and find an alternate fix, or apply the fix to the 2008 server instead of the 2003 DC; this way it'll be the only one affected by the change and the remaining systems will still log the events you want to see.
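A quick way to check the facts the thread turns on, written here as an added example (not code from the original thread or from Experts Exchange): read the DefaultEncryptionType value on each host (23 decimal / 0x17 selects RC4-HMAC as the default Kerberos encryption type) and count event 680 per day in the classic Security log, so the day the 680s stopped can be compared with the day the registry change was made. The two host names are placeholders to replace with the 2003 DC and the 2008 member server; reading the remote registry assumes the Remote Registry service is running on the target and that the account used has admin rights there.

```powershell
# Added example, not from the original thread. Host names are placeholders.
$targets = @('DC03-PLACEHOLDER', 'MEMBER08-PLACEHOLDER')
$keyPath = 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'DefaultEncryptionType'

foreach ($computer in $targets) {
    # Read the Kerberos DefaultEncryptionType value remotely.
    # 0x17 (23) = RC4-HMAC; a missing value means the system default is in use.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
    $key  = $base.OpenSubKey($keyPath)
    $val  = if ($key) { $key.GetValue($valueName) } else { $null }
    if ($null -eq $val) {
        "{0}: {1} not set" -f $computer, $valueName
    } else {
        "{0}: {1} = 0x{2:X} ({2})" -f $computer, $valueName, $val
    }

    # Count event 680 per day over the last 14 days. Get-EventLog reads the
    # classic Security log, which also works against a 2003 DC.
    Get-EventLog -LogName Security -ComputerName $computer -After (Get-Date).AddDays(-14) |
        Where-Object { $_.EventID -eq 680 } |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{ n = 'Date'; e = { $_.Name } }, @{ n = 'Event680'; e = { $_.Count } } |
        Format-Table -AutoSize
}
```

If the daily count on the DC drops to zero on a date before the registry value was written, the registry change is not the cause, which is the conclusion the asker reached here; if the drop lines up with the change, removing the value on the 2003 DC (and leaving it only on the 2008 member server, as the answer suggests) is the first thing to test.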