Intermittent authentication issues on domain
Posted on 2014-10-22
I have an issue that is affecting my windows 7 clients on multiple sites.
I have a 2003 domain which im currently in the process of upgrading to 2012 (7 of 10 DC's now on 2012)
The issue I have is when a computer screen locks the user cannot unlock with there current password. I have to reboot the machine in order for it to work. It seems very random and doesn't happen that often.
Users have the following error on the client after this has happened:
Event ID 4771
Kerberos pre-authentication failed.
Security ID: domain\CBryant
Account Name: CBryant
Service Name: krbtgt/domain
Client Address: ::ffff:x.x.0.42
Client Port: 2300
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Issuer Name:
Certificate Serial Number:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Also have the issue when user cannot logon after locking machine: events created or linked with problem:
Had another machine.
2 events that i found...
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the