Solved

Intermittent authentication issues on domain

Posted on 2014-10-22
6
440 Views
Last Modified: 2015-01-15
I have an issue that is affecting my windows 7 clients on multiple sites.
I have a 2003 domain which im currently in the process of upgrading to 2012 (7 of 10 DC's now on 2012)
The issue I have is when a computer screen locks the user cannot unlock with there current password. I have to reboot the machine in order for it to work. It seems very random and doesn't happen that often.
Users have the following error on the client after this has happened:
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\CBryant
      Account Name:            CBryant

Service Information:
      Service Name:            krbtgt/domain

Network Information:
      Client Address:            ::ffff:x.x.0.42
      Client Port:            2300

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Also have the issue when user cannot logon after locking machine: events created or linked with problem:

Had another machine.
2 events that i found...
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the
0
Comment
Question by:Matt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40398573
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40399565
Are your fsmo roles on a 2012 host? Does sites and services have all you subnets and sites and servers properly added and replicating?
0
 

Author Comment

by:Matt
ID: 40399574
Yes the FSMO roles are running on a 2012 server. All replication working fine.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40399739
IF the hot fix doesn't fix this: we have to dive further into sites and services, the adrepstatus tool, DNS, etc... So try that first.
0
 

Author Comment

by:Matt
ID: 40446915
The hot fix doesn't seem to have worked. I will be raising the domain functional level hopefully today. This may improve things.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40552220
The hot fix doesn't seem to have worked
then why did you accept that as the answer?
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
NTP Servers 4 48
Exchange Server Send connector and DNS Round Robin ? 6 48
Set Static IP of machine without console access 1 53
ADFS MSIS7065 error 8 15
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question