Solved

Intermittent authentication issues on domain

Posted on 2014-10-22
Last Modified: 2015-01-15
I have an issue that is affecting my Windows 7 clients on multiple sites.
I have a 2003 domain which I'm currently in the process of upgrading to 2012 (7 of 10 DCs now on 2012).
The issue I have is that when a computer screen locks, the user cannot unlock it with their current password. I have to reboot the machine in order for it to work. It seems very random and doesn't happen that often.
Users have the following error on the client after this has happened:
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\CBryant
      Account Name:            CBryant

Service Information:
      Service Name:            krbtgt/domain

Network Information:
      Client Address:            ::ffff:x.x.0.42
      Client Port:            2300

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Also have the issue when a user cannot log on after locking the machine; events created or linked with the problem:

Had another machine.
2 events that I found...
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the
Question by:Matt
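
As an added example (not part of the original thread), the Python below parses the field lines of the 4771 event quoted in the question and decodes Ticket Options, Failure Code and Pre-Authentication Type using the RFC 4120 definitions the event text refers to. The function and table names are hypothetical, and the sample text is constructed from the values shown in the question.

```python
import re

# Constructed sample: field lines copied from the 4771 event in the question.
SAMPLE_EVENT = """\
Account Name:            CBryant
Client Address:            ::ffff:x.x.0.42
Ticket Options:            0x40810010
Failure Code:            0x18
Pre-Authentication Type:      2
"""

# KDCOptions bit names (RFC 4120 section 5.4.1; bit 15 is from RFC 6806).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               11: "opt-hardware-auth", 15: "canonicalize",
               26: "disable-transited-check", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
# Subset of the RFC 4120 section 7.5.9 error codes.
FAILURE_CODES = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
                 0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
# Subset of the RFC 4120 section 7.5.2 pre-authentication data types.
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}

def parse_fields(text):
    # Collect "Name: value" lines; section headers with no value are skipped.
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)?$", line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_ticket_options(value):
    # Bit 0 is the most significant bit, so bit n has mask 1 << (31 - n).
    return [KDC_OPTIONS.get(b, f"bit{b}") for b in range(32) if value & (1 << (31 - b))]

def decode_4771(text):
    f = parse_fields(text)
    code, pa = int(f["Failure Code"], 16), int(f["Pre-Authentication Type"])
    return {
        "account": f["Account Name"],
        "client": f["Client Address"].replace("::ffff:", "", 1),  # IPv4-mapped form
        "failure": FAILURE_CODES.get(code, f"unknown (0x{code:x})"),
        "preauth": PA_TYPES.get(pa, f"unknown ({pa})"),
        "options": decode_ticket_options(int(f["Ticket Options"], 16)),
    }

if __name__ == "__main__":
    print(decode_4771(SAMPLE_EVENT))
```

For the values in the question, failure code 0x18 decodes to KDC_ERR_PREAUTH_FAILED and pre-authentication type 2 to PA-ENC-TIMESTAMP.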
6 Comments
 

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40398573

Expert Comment

by:Aaron Tomosky
ID: 40399565
Are your FSMO roles on a 2012 host? Does Sites and Services have all your subnets and sites and servers properly added and replicating?

Author Comment

by:Matt
ID: 40399574
Yes the FSMO roles are running on a 2012 server. All replication working fine.

Expert Comment

by:Aaron Tomosky
ID: 40399739
If the hot fix doesn't fix this, we have to dive further into Sites and Services, the adrepstatus tool, DNS, etc. So try that first.

Author Comment

by:Matt
ID: 40446915
The hot fix doesn't seem to have worked. I will be raising the domain functional level hopefully today. This may improve things.

Expert Comment

by:Aaron Tomosky
ID: 40552220
"The hot fix doesn't seem to have worked"
Then why did you accept that as the answer?