Solved

Intermittent authentication issues on domain

Posted on 2014-10-22
Last Modified: 2015-01-15
I have an issue that is affecting my Windows 7 clients on multiple sites.
I have a 2003 domain which I'm currently in the process of upgrading to 2012 (7 of 10 DCs now on 2012).
The issue I have is that when a computer screen locks, the user cannot unlock it with their current password. I have to reboot the machine in order for it to work. It seems very random and doesn't happen that often.
Users have the following error on the client after this has happened:
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\CBryant
      Account Name:            CBryant

Service Information:
      Service Name:            krbtgt/domain

Network Information:
      Client Address:            ::ffff:x.x.0.42
      Client Port:            2300

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

I also have the issue where a user cannot log on after locking the machine. Events created or linked with the problem:

I had another machine.
2 events that I found...
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the
Question by:Matt
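
Added example, not part of the original thread: a small Python decoder for the RFC 4120 fields in an Event ID 4771 record like the one quoted in the question, so the failure code, pre-authentication type and ticket option bits can be read by name during triage. The sample record is constructed (account jdoe and the documentation address 192.0.2.42 are assumptions), and the lookup tables are subsets of the RFC values.

```python
import ipaddress
# KDCOptions names by bit number (RFC 4120 section 5.4.1); bit 0 is the most
# significant bit of the 32-bit field. Bit 15 is canonicalize (RFC 6806).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               11: "opt-hardware-auth", 15: "canonicalize",
               26: "disable-transited-check", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
# Subset of RFC 4120 error codes and pre-authentication types.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}

def parse_fields(text):
    # Collect "Name: value" lines; section headers and empty fields are skipped.
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def decode_4771(text):
    f = parse_fields(text)
    opts = int(f["Ticket Options"], 16)
    code = int(f["Failure Code"], 16)
    patype = int(f["Pre-Authentication Type"])
    try:  # unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain IPv4 address
        ip = ipaddress.ip_address(f["Client Address"])
        client = str(getattr(ip, "ipv4_mapped", None) or ip)
    except ValueError:  # redacted or malformed address: keep it verbatim
        client = f["Client Address"]
    return {"account": f["Account Name"], "client": client,
            "failure": FAILURE_CODES.get(code, hex(code)),
            "preauth": PREAUTH_TYPES.get(patype, str(patype)),
            "kdc_options": [name for bit, name in sorted(KDC_OPTIONS.items())
                            if opts & (1 << (31 - bit))]}

# Constructed sample in the layout of the event quoted above (not real data).
SAMPLE = """Account Information:
      Account Name:            jdoe
      Client Address:            ::ffff:192.0.2.42
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2"""

print(decode_4771(SAMPLE))
```
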
6 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40398573
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40399565
Are your FSMO roles on a 2012 host? Does Sites and Services have all your subnets and sites and servers properly added and replicating?
0
 

Author Comment

by:Matt
ID: 40399574
Yes the FSMO roles are running on a 2012 server. All replication working fine.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40399739
If the hot fix doesn't fix this, we have to dive further into Sites and Services, the adrepstatus tool, DNS, etc. So try that first.
0
 

Author Comment

by:Matt
ID: 40446915
The hot fix doesn't seem to have worked. I will be raising the domain functional level hopefully today. This may improve things.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40552220
"The hot fix doesn't seem to have worked"
Then why did you accept that as the answer?
0


Question has a verified solution.
