Lot of audit failures in the Security logs

Seeing a lot of audit failures in the security logs. Are these anything to worry about? Seem to be generated by both machines and users. There are 3 DCs in the environment. 1 2008 R2 and 2x 2003. All machines fully patched. FSMO roles on the 2008 R2 machine.

A Kerberos service ticket was requested.

Account Information:
      Account Name:            SRV-HV02$@hq.domain.com
      Account Domain:            hq.domain.com
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Service Information:
      Service Name:            username
      Service ID:            NULL SID

Network Information:
      Client Address:            ::ffff:192.168.100.84
      Client Port:            58968

Additional Information:
      Ticket Options:            0x40810000
      Ticket Encryption Type:      0xffffffff
      Failure Code:            0x1b
      Transited Services:      -
--------------------------------------
A Kerberos service ticket was requested.

Account Information:
      Account Name:            WS0001$@domain.com
      Account Domain:            domain.com
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Service Information:
      Service Name:            krbtgt/domain.com
      Service ID:            NULL SID

Network Information:
      Client Address:            ::ffff:192.168.101.100
      Client Port:            51039

Additional Information:
      Ticket Options:            0x60810010
      Ticket Encryption Type:      0xffffffff
      Failure Code:            0xe
      Transited Services:      -
-------------------------
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      MWService
Source Workstation:      SRV-DC01
Error Code:      0xc0000064
mvalpreda Asked:

Henrik Johansson, Systems engineer, Commented:
Kerberos Failure Code 0x1b = KDC_ERR_SVC_UNAVAILABLE
Where is it logged that KDC isn't unavailable?
One thing to check is that the computer logging this only uses internal DNS servers aware of the AD DNS namespace. Never use external DNS servers on internal clients. It is a common mistake to try to get redundancy from an external DNS server. Instead, configure the internal DNS (on the DC) to forward unresolvable DNS queries by using forwarders to the ISP.

 0xc0000064 = NO_SUCH_USER

Logon Account:      MWService
Source Workstation:      SRV-DC01

SRV-DC01 sounds like a DC.
Does any service try to logon with .\MWService instead of domainname\MWservice? A DC doesn't have local users.
0
btan, Exec Consultant, Commented:
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs the "4776: The domain controller attempted to validate the credentials for an account" event. The error codes fall under this event ID.

It simply specifies which user account logged on (Account Name) as well as the name of the client computer from which the user initiated the logon, in the Workstation field.

But with the "username does not exist" error coming from machines "WS0001" and "SRV-HV02", likely there are some services or newly installed applications running that try to use the "username" account for login attempts to perform their task. The task may be an attempt to change the password as it has expired as configured, etc.

I suspect the context of this event is the accounts on the local computer. Therefore there is no need for the domain - it is always the domain of the domain controller logging the event. Also Read Only domains can restrict certain users.
0
mvalpreda, Author, Commented:
Chances are there is nothing wrong? Any reason that these machines are using NTLM vs. Kerberos (or vice versa)?
0

btan, Exec Consultant, Commented:
Should be a DC authenticating the user via NTLM (instead of Kerberos), and you should be seeing before this something like 4776: The domain controller attempted to validate the credentials for an account, e.g.:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: WIN-R9H529RIO4Y
Error Code: 0xc0000064
This event is also logged on member servers and workstations when someone attempts to log on with a local account. The corresponding events in Windows 2003 and before are event IDs 680 and 681.

maybe events...
e.g. When a local user account is used to refresh the Task Scheduler history on the computer that joined the domain, Task Scheduler incorrectly tries to bind to a domain controller. http://support.microsoft.com/kb/2549079

e.g. Make sure the MWService account is added to the SBS group that is allowed access to the Internet. The LPI installation cannot do this. This is a default group created by the SBS default installation.
Verify that the logon credentials for the OMNetworkService  are the correct one.
If using ISA there are other considerations for some of the protocols.
The File and Print services on the SBS server must be enabled.
http://www.thetwonerds.com/2012/03/07/level-platforms-install-does-it-all-but-must-add-mwservice-to-admin-groups-5/
1
mvalpreda, Author, Commented:
Is this something to be worried about then?
0
btan, Exec Consultant, Commented:
Not something severe, as I have seen with such audits, unless you saw accompanying failures as well with such an error code (note ...64 is account does not exist). If there has never been such a slew of events coming in, and it is just recent, and it comes with one of the others below, likely there are password or account changes or the like which cause this ...

0xC000006A      An incorrect password was supplied.
0xC000006F      The account is not allowed to log on at this time.
0xC0000064      The account does not exist.
0xC0000070      The account is not allowed to log on from this computer.
0xC0000071      The password has expired.
0xC0000072      The account is disabled.

Otherwise, most of the time a Windows operating system misconfiguration is the main cause of Event Id 4776 Error Code 0xc0000064 errors, see below

http://winwiki.org/event-id-4776-error-code-0xc0000064/

Most Event Id 4776 Error Code 0xc0000064 errors are due to damaged files in a Windows operating system. Windows system file entry corruption is a serious matter, as it often means a malfunction that may pose a major security risk. If left unchecked, it could result in total and permanent loss of all data and inoperability of the storage media and/or PC device.

Numerous events may trigger system file errors. Most common examples include:
 1) incomplete software installation;
 2) incomplete software uninstallation;
 3) improperly deleted hardware drivers, and
 4) improperly deleted software applications.

Also, Event Id 4776 Error Code 0xc0000064 errors are very common during PC restarts that immediately follow a previous improper shutdown and recent virus or malware infection recovery. Such incidents often result in the corruption or even total deletion of essential Windows system files. When system files are missing or corrupted, data that is essential to run software applications properly cannot be linked correctly.
1
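
Added example, not written by any poster in this thread: a Python parser for pasted 4769/4776 event text that decodes the failure codes and counts failures per account and source, which helps show whether the noise comes from a few known machines or service accounts. Kerberos names follow the RFC 4120 error numbering, the NTSTATUS strings are the ones listed above, and the function names, field table and trimmed sample text are assumptions of this example.

```python
import re
from collections import Counter

# Kerberos error numbers per RFC 4120 (subset), as reported by event 4769.
KRB = {0xE: "KDC_ERR_ETYPE_NOSUPP", 0x1B: "KDC_ERR_MUST_USE_USER2USER",
       0x1D: "KDC_ERR_SVC_UNAVAILABLE"}
# NTSTATUS values reported by event 4776, as listed in the thread.
NTSTATUS = {0xC0000064: "account does not exist", 0xC000006A: "incorrect password",
            0xC000006F: "logon not allowed at this time",
            0xC0000070: "logon not allowed from this computer",
            0xC0000071: "password expired", 0xC0000072: "account disabled"}
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.M)
# (event id, code field, account field, source field, table); names are this example's own
KINDS = [(4769, "Failure Code", "Account Name", "Client Address", KRB),
         (4776, "Error Code", "Logon Account", "Source Workstation", NTSTATUS)]

# Trimmed copies of the three events pasted in the question (sample input).
SAMPLE = """A Kerberos service ticket was requested.
Account Name: SRV-HV02$@hq.domain.com
Service Name: username
Client Address: ::ffff:192.168.100.84
Failure Code: 0x1b
----
A Kerberos service ticket was requested.
Account Name: WS0001$@domain.com
Service Name: krbtgt/domain.com
Client Address: ::ffff:192.168.101.100
Failure Code: 0xe
----
The computer attempted to validate the credentials for an account.
Logon Account: MWService
Source Workstation: SRV-DC01
Error Code: 0xc0000064
"""

def parse_events(text):
    """Split pasted event text on dashed lines and decode each failure code."""
    events = []
    for block in re.split(r"^-{3,}[ \t]*$", text, flags=re.M):
        f = dict(FIELD.findall(block))
        for eid, code_f, acct_f, src_f, table in KINDS:
            if code_f in f:
                events.append({"id": eid, "account": f.get(acct_f), "source": f.get(src_f),
                               "target": f.get("Service Name"),
                               "meaning": table.get(int(f[code_f], 16), "unknown")})
    return events

def summarize(events):
    """Count failures per (event id, account, source, meaning) to spot repeat sources."""
    return Counter((e["id"], e["account"], e["source"], e["meaning"]) for e in events)
```

Calling `summarize(parse_events(text)).most_common()` on a larger export lists the account and source pairs that generate the most failures first.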