Intermittent authentication issues on domain

Posted on 2014-10-22
Medium Priority
Last Modified: 2015-01-15
I have an issue that is affecting my Windows 7 clients on multiple sites.
I have a 2003 domain which I'm currently in the process of upgrading to 2012 (7 of 10 DCs now on 2012).
The issue I have is that when a computer screen locks, the user cannot unlock it with their current password. I have to reboot the machine in order for it to work. It seems very random and doesn't happen that often.
Users have the following error on the client after this has happened:
Event ID 4771
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\CBryant
      Account Name:            CBryant

Service Information:
      Service Name:            krbtgt/domain

Network Information:
      Client Address:            ::ffff:x.x.0.42
      Client Port:            2300

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Also have the issue when a user cannot log on after locking the machine. Events created or linked with the problem:

Had another machine.
2 events that I found...
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the
Question by:Matt
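
The 4771 event quoted in the question points to RFC 4120 for the meaning of its codes. As an added example (not part of the original thread), this Python decoder turns the fields shown in the post into their RFC names; the code tables are a subset chosen for this example and the function names are the example's own.

```python
import re

# Subset of RFC 4120 error codes (section 7.5.9) often seen in event 4771.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ"}
# KDCOptions flag bits; bit 0 is the most significant bit of the 32-bit value.
# Bit 15 (canonicalize) comes from RFC 6806, the rest from RFC 4120.
KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                   5: "allow-postdate", 6: "postdated", 8: "renewable",
                   15: "canonicalize", 26: "disable-transited-check",
                   27: "renewable-ok", 28: "enc-tkt-in-skey",
                   30: "renew", 31: "validate"}

# Fields copied from the event in the question (address redacted by the poster).
SAMPLE_EVENT = """\
Account Name:            CBryant
Service Name:            krbtgt/domain
Client Address:            ::ffff:x.x.0.42
Ticket Options:            0x40810010
Failure Code:            0x18
Pre-Authentication Type:      2
"""

def field(text, name):
    """Return the value after 'name:' in the event text, or '' if absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(\S*)", text, re.MULTILINE)
    return m.group(1) if m else ""

def to_int(value, base):
    # Malformed tickets can leave fields empty, as the event text itself warns.
    return int(value, base) if value else None

def lookup(table, code):
    return None if code is None else table.get(code, f"unknown ({code:#x})")

def decode_options(value):
    """Names of the KDCOptions flags set in a Ticket Options value."""
    return [n for b, n in sorted(KDC_OPTION_BITS.items()) if value & (1 << (31 - b))]

def decode_4771(text):
    options = to_int(field(text, "Ticket Options"), 16)
    return {
        "account": field(text, "Account Name"),
        "client": re.sub(r"^::ffff:", "", field(text, "Client Address")),
        "failure": lookup(FAILURE_CODES, to_int(field(text, "Failure Code"), 16)),
        "preauth": lookup(PREAUTH_TYPES, to_int(field(text, "Pre-Authentication Type"), 10)),
        "options": decode_options(options) if options is not None else [],
    }
```

For the posted event this yields KDC_ERR_PREAUTH_FAILED with PA-ENC-TIMESTAMP, meaning the encrypted timestamp the client sent did not validate against the account's current key.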

Accepted Solution

kevinhsieh earned 2000 total points
ID: 40398573

Expert Comment

by:Aaron Tomosky
ID: 40399565
Are your FSMO roles on a 2012 host? Does Sites and Services have all your subnets, sites and servers properly added and replicating?

Author Comment

ID: 40399574
Yes the FSMO roles are running on a 2012 server. All replication working fine.

Expert Comment

by:Aaron Tomosky
ID: 40399739
If the hot fix doesn't fix this, we have to dive further into Sites and Services, the adrepstatus tool, DNS, etc. So try that first.

Author Comment

ID: 40446915
The hot fix doesn't seem to have worked. I will be raising the domain functional level hopefully today. This may improve things.

Expert Comment

by:Aaron Tomosky
ID: 40552220
"The hot fix doesn't seem to have worked"
Then why did you accept that as the answer?
