My SharePoint server keeps generating "Kerberos pre-authentication failed" events.

Posted on 2016-07-27
Last Modified: 2016-09-11
I am seeing from multiple servers that the Administrator account is generating "Kerberos pre-authentication failed" events:
Event ID 4771
Failure Code 0x18
Service Name krbtgt/<domainname>

It does this from our SharePoint server that hosts the Intranet page, my Symantec Endpoint Protection server and my Citrix XenApp server, as indicated in Event Log > Security.

This transaction occasionally locks the Administrator account out.

Any ideas?
Question by:yo_bee


Expert Comment

by:btan
ID: 41731123
There may be some service running on the Symantec or Citrix system using a fixed account and attempting to access SharePoint for some reason, or on a scheduled basis (a backup request, for example). A Kerberos pre-authentication failure means that the password supplied by the user does not match what is stored in the database.
For example, we had an application that was running reports under stored user credentials: once you had logged on, it used your credentials to run some sort of reports on your behalf, with the same credentials forever.

So probably the best way to go is to reveal the real client IP as described above and examine what is running on that machine.
There is one instance of this error for Symantec, when the password is changed after re-imaging of the system; see:
Situation - When deploying a sysprepped image, the Altiris account gets locked after the image has been deployed.

Cause - If the Altiris password has been changed after the sysprep image was created, the original password is retained in the image's sysprep.inf file.
https://support.symantec.com/en_US/article.tech170101.html

Author Comment

by:yo_bee
ID: 41731223
The SharePoint events are triggered when a user opens the Intranet page, so I think all these are independent from one another.

The question is: how can I pinpoint what process is trying to authenticate?

Expert Comment

by:btan
ID: 41731474
The event log states a Process Information section which records both the executable path and process ID. Example:
Process Information:
    Process ID:         0x2a4
    Process Name:       C:\Windows\System32\services.exe
Pre-authentication is just the process used to verify credentials prior to returning a token. There should still be a failure audit on the server attempting authentication which includes the process ID. It is not straightforward, even though you see the ID, to try to run netstat or Task Manager on the system, as the ID changes... We need to pinpoint whether the system is the same one, and maybe confirm via the account being locked out, using Microsoft's own LockoutStatus.exe.
https://blog.varonis.com/secrets-active-directory-lockouts-find-apps-stale-credentials/
However, as mentioned, it is not easy to drill down to that process automatically; you need to check the batch jobs and any changes so far on the system, and whether it occurred during certain hours, etc.
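To make the "reveal the real client IP" step repeatable instead of paging through each DC's Security log, here is an added PowerShell example. It is not part of the thread and is not code from any of the products mentioned. It assumes the RSAT Active Directory module is available (for Get-ADDomainController; otherwise list the DC names by hand), PowerShell 3.0 or later, and an account that can read each DC's Security log remotely. The account name and the 24-hour window are parameters, defaulting to the Administrator account from the question.

```powershell
# Added example, not from the thread: pull event 4771 from every domain controller
# and group the failures for one account by the client that sent them.
# Assumptions: RSAT Active Directory module present (for Get-ADDomainController),
# PowerShell 3.0 or later, and rights to read each DC's Security log remotely
# (the "Remote Event Log Management" firewall rule must be open on the DCs).
param(
    [string]$Account = 'Administrator',
    [int]$Hours = 24
)

$start = (Get-Date).AddHours(-$Hours)
# Each DC keeps its own Security log, so a failure shows up only on the DC that served it.
$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $start
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData names below are the ones Windows uses for event 4771.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            DC          = $dc
            Account     = $d.TargetUserName
            ClientIP    = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            ClientPort  = $d.IpPort
            FailureCode = $d.Status        # 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password)
            PreAuthType = $d.PreAuthType   # 2 = PA-ENC-TIMESTAMP, i.e. password-based
        }
    }
}

$events |
    Where-Object { $_.Account -eq $Account } |
    Group-Object ClientIP |
    Sort-Object Count -Descending |
    ForEach-Object {
        # Reverse-resolve so the IP can be matched to a server name.
        $hostName = '(no PTR record)'
        try { $hostName = [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { }
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            ClientIP     = $_.Name
            Host         = $hostName
            Failures     = $_.Count
            FirstSeen    = $sorted[0].Time
            LastSeen     = $sorted[-1].Time
            FailureCodes = ($sorted.FailureCode | Sort-Object -Unique) -join ','
            DCs          = ($sorted.DC | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

A host whose Failures count climbs to the domain lockout threshold inside the lockout observation window is the one producing the lockouts the question mentions; that machine, not the DC, is where the next step (finding the process) happens. Querying every DC matters because, as noted later in the thread, the client may round-robin between DCs and each one only logs its own share.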

Author Comment

by:yo_bee
ID: 41737668
I am not able to pinpoint why the Service Name krbtgt/<domainname> is being used with my Administrator account from my SharePoint server.

I am not a SharePoint guru, so I am not sure where to look for anything that is using AD.

When I open the page it is using my credentials to authenticate to the site. When this happens I notice that the Administrator account generates event ID 4771 with a bad password (0x18).

Hope this sheds some light on my questions.

Expert Comment

by:btan
ID: 41738288
I am wondering if your SharePoint server is also your primary DC. It will be tough to validate, and you will probably need to trace back through the event log to see such error occurrences before and after the roll-up patch period. If you see your log with a Client Address of ::1, it is indicative of the local machine and means its service has a problem logging in to the domain or to the PDC.

Note that this error is logged on domain controllers only, and only failure instances of this event are logged. The error code usually means a bad password. There is likely an account of the user that is wrongly set, or it may even mean your current login account is doing the login to SharePoint without a valid password. You need your SharePoint support to advise you.

You may want to see if there are prior events such as the one below, showing who last logged in; that can probably give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768

Author Comment

by:yo_bee
ID: 41738384
This is not a DC.
The event log on the DC's points to the SharePoint server.

Kerberos pre-authentication failed.

Account Information:
      Security ID:            XXXXXX\Administrator
      Account Name:            Administrator

Service Information:
      Service Name:            krbtgt/XXXXXX

Network Information:
      Client Address:            ::ffff:192.168.0.55
      Client Port:            3546

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.


This is the event that is generated when a user connects to the Intranet page hosted by SharePoint.

I am also seeing this error in the System log on the DCs. On the PDC I see the Security log Event ID 4771 pointing to one of the other DCs (round-robin), and I will see the same timestamp for Event ID 4771 pointing to the SharePoint server.
Sometimes there are no other DCs involved except the PDC.
Whichever DC the SharePoint server looks up a user's credentials on, I will see the System error Event ID 12294 ten minutes earlier. They are not at the same time, but they do happen frequently.

Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          8/1/2016 9:51:11 PM
Event ID:      12294
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      XXXDC02.XXXXXX.local
Description:
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.


Expert Comment

by:btan
ID: 41738489
I am thinking about how we can drill down to the process info on the SharePoint server; please see:

Logon events record the process attempting logon. Enable failed logon auditing (Security Settings > Local Policies > Audit Policy > Audit Logon Events) in the Local Security Policy (secpol.msc), then look in the Security event log for an event. You can also enable it via Group Policy, if that would be preferable.

There will be a Process Information section which records both the executable path and process ID.
See if we have more info in the SharePoint events for security errors. Has the admin account been reset before, or expired, or recently changed?
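The client-side half of that advice, as an added PowerShell example that is not code from the thread: run it on the machine the DC's 4771 Client Address points at, around the timestamp of one 4771, to list which process used the account's credentials, then list the services and scheduled tasks configured to run as that account. It assumes Windows Server 2008 or later event IDs (4648 for logon with explicit credentials and 4625 for a failed logon; the Windows 2003 box in this thread uses the older 5xx IDs) and that logon auditing is enabled as described above. Account, timestamp and window are parameters.

```powershell
# Added example, not from the thread: on the host the DC's 4771 Client Address points at,
# list the logon attempts that used a given account's credentials in a window around one
# 4771 timestamp, with the process that made them, and list the services and scheduled
# tasks configured to run as that account.
# Assumptions: Windows Server 2008 or later event IDs (4648 = logon with explicit
# credentials, 4625 = failed logon); "Audit Logon" success and failure enabled, e.g.
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
param(
    [string]$Account = 'Administrator',
    [datetime]$Around = (Get-Date),     # timestamp of a 4771 taken from the DC
    [int]$WindowSeconds = 120
)

$filter = @{
    LogName   = 'Security'
    Id        = 4648, 4625
    StartTime = $Around.AddSeconds(-$WindowSeconds)
    EndTime   = $Around.AddSeconds($WindowSeconds)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Subject   = $d.SubjectUserName   # who ran the process that attempted the logon
            Target    = $d.TargetUserName    # account whose credentials were used / failed
            Server    = $d.TargetServerName  # 4648 only: where the credentials were sent
            Status    = $d.Status            # 4625: 0xC000006D with SubStatus 0xC000006A = bad password
            SubStatus = $d.SubStatus
            LogonType = $d.LogonType
            PID       = $d.ProcessId
            Process   = $d.ProcessName       # the executable to look at
        }
    } |
    Where-Object { $_.Target -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize

# Stored credentials that outlive a password change are the usual cause of a steady
# stream of 0x18 from one host: services, scheduled tasks and IIS application pools.
"Services configured to log on as *$Account*:"
Get-WmiObject Win32_Service -Filter "StartName LIKE '%$Account%'" |
    Select-Object Name, StartName, State, PathName | Format-Table -AutoSize

"Scheduled tasks that run as *$Account* (from schtasks verbose CSV output):"
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$Account*" } |
    Select-Object TaskName, 'Run As User', 'Last Run Time', 'Last Result' | Format-Table -AutoSize
```

The 4648 entry is the useful one: it names the process that handed the account's credentials to LSA and the server they were sent to, so a match on the 4771 timestamp points straight at a service, task or application that still holds an old password. Application pool identities are not covered by the two listings at the end and still need to be checked in IIS Manager.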

Author Comment

by:yo_bee
ID: 41749560
I have enabled Kerberos logging on the server causing the errors, and I am getting closer, I think.


Expert Comment

by:btan
ID: 41749721
You may want to check for any account lockout events as well. For example, check for event ID 4625, "An account failed to log on"; that is the one that increments the lockout counter. If that category is actually being logged and you don't see the events, it means that the pre-authentication is failing for some other reason.


Author Comment

by:yo_bee
ID: 41749728
This is a Windows 2003 server that is trying to authenticate.
It is running WSS 3.0.
I thought it might have been the app in the AppPool, but that is not the case as far as I can see.

I see the SYSTEM account generating Security Logon/Logoff audit log entries at the same time I see the System event log Kerberos error 3.

Could it be the SPN for this machine?


Expert Comment

by:btan
ID: 41749833
Error 3 is a network logon. I believe it is the SPN, but for web apps it should typically be in the form "HTTP/webapp.fabrikam.com", as shared in the article below.
https://blogs.technet.microsoft.com/askds/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2/
Part 1 actually steps through Kerberos error troubleshooting that they were facing due to duplicate Service Principal Name issues. This may be something you want to check further with your support team.
Usually this happens when the Administrator has used SetSPN on different accounts in an effort to get Kerberos authentication to work. One great example of this is MS SQL. If you install MS SQL as an Administrator of the domain, it will add the MSSQLSVC SPN to the SQL Server's computer account; later an Administrator changes the SQL Service startup account from Local System to a domain account and Kerberos authentication starts to fail. Usually we will find that the MSSQLSVC SPN is configured on both the computer account and the domain user account that is used to run the service.
It has a follow-up in Part 3 on proper Kerberos SPN configuration. It uses a QuerySPN.vbs script to find out what account(s) have the "http/webapp" or "http/webapp.fabrikam.com" SPN defined, and whether it is wrongly configured too:
So we will use the QuerySPN.vbs script again to find out what account(s) have the http/webapp or http/webapp.fabrikam.com SPN defined. Review KB321044 if these tools are new to you.

As you can see the SPN is on the Web Server computer account. Well, this will just not work; we will need to take it off of this account and add it to the FABRIKAM\KerbSvc account using SetSPN.

NOTE: If we would have found that there were no duplicate SPN’s and that the only SPN registered in the Active Directory forest was correct we would have looked into a possible Active Directory Replication problem that might be causing the issue. You might be asking how could AD replication be causing the issue?
https://blogs.technet.microsoft.com/askds/2008/06/11/kerberos-authentication-problems-service-principal-name-spn-issues-part-3/

Author Comment

by:yo_bee
ID: 41750233
I have a DNS A record for inside.domain.com, whereas the server's internal FQDN entry is server01.domain.local.

When I run QuerySPN.vbs:

Class: Computer
CN=XXXXXXWEB02,OU=WU 3:00 Restart,OU=Servers,OU=All computers,DC=XXXXXX,DC=local
User Name: XXXXXXWEB02$
        WSMAN/XXXXXXweb02
        WSMAN/XXXXXXweb02.XXXXXX.local
        HOST/XXXXXXWEB02
        HOST/XXXXXXweb02.XXXXXX.local


Found 1 account

Since inside.xxxxxx.com is the address everyone is hitting when they open IE, could it be that there is no HTTP SPN value for this?


Accepted Solution

by:btan (earned 500 total points, awarded by participants)
ID: 41750543
It looks like there is no SPN for inside.xxxxxx.com as shared, and there is likely at minimum a need for HTTP/inside.xxxxxx.com if there is a need to access http://inside.xxxxxx.com/<webapp>. It may be good to sniff some packets to diagnose, as stepped through in my previous post on the article's Part 3:
So now let’s look at the network trace of this attempt.

1. We see proper name resolution, for webapp.fabrikam.com and the DNS server response back with the IP Address of 10.10.200.105 (frames 3 & 4)
2. The machine then makes an http connection to the web server, and gets “401 Unauthorized” (frames 7 -14).
3. The machine then gets a TGT from the domain controller (see the AS-REQ and AS-REP) (frames 15 & 16)
4. The machine then requests and gets a Service Ticket for http/webapp.fabrikam.com (frames 17 & 18). As you can see below, the machine was asking for a Kerberos ticket of HTTP/webapp.fabrikam.com.
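An added PowerShell example (mine, not from the thread or the linked articles) that does what the accepted answer suggests: it checks whether any account in the domain holds HTTP/inside.xxxxxx.com or its short form, flags duplicates, and prints the setspn commands to register the SPN on the application pool identity. It assumes the app pool runs under a domain account (the name SPAppPool is a placeholder), that it runs on a domain-joined host as a user who can read AD, and that setspn.exe is present (built into Windows Server 2008 and later, Support Tools on 2003). One caveat on the QuerySPN output above: the HOST/XXXXXXWEB02 entries on the computer account stand in for HTTP only for the computer's own names and only when the app pool runs as a built-in identity, not for an alias such as inside.xxxxxx.com.

```powershell
# Added example, not from the thread or the linked articles: find which account holds the
# HTTP SPN for the name users type into the browser, flag duplicates, and print the
# setspn commands to register it on the application pool identity.
# Assumptions: run from a domain-joined host as a user who can read AD; the app pool runs
# under a domain account (SPAppPool is a placeholder); setspn.exe is present (built into
# Windows Server 2008 and later, Support Tools on 2003).
param(
    [string]$SiteHost       = 'inside.xxxxxx.com',   # the URL host from the thread
    [string]$AppPoolAccount = 'SPAppPool'            # placeholder
)

function Find-SpnOwner([string]$Spn) {
    # LDAP search of the current domain for objects whose servicePrincipalName holds $Spn.
    # servicePrincipalName is a case-insensitive Unicode string in AD, so "http/..."
    # and "HTTP/..." match the same entry, as they do for Kerberos itself.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter   = "(servicePrincipalName=$Spn)"
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    [void]$s.PropertiesToLoad.Add('objectClass')
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            SPN   = $Spn
            Owner = $r.Properties['samaccountname'][0]
            Class = @($r.Properties['objectclass'])[-1]   # 'computer' or 'user'
            DN    = $r.Path
        }
    }
}

$short  = $SiteHost.Split('.')[0]
$owners = @()
foreach ($spn in "HTTP/$SiteHost", "HTTP/$short") { $owners += Find-SpnOwner $spn }

if ($owners.Count -eq 0) {
    "No account holds HTTP/$SiteHost or HTTP/$short."
    "Register both on the identity that runs the web application's app pool:"
    "  setspn -S HTTP/$SiteHost $AppPoolAccount"
    "  setspn -S HTTP/$short $AppPoolAccount"
    "(setspn -S refuses to add a duplicate; -A does not check.)"
} else {
    $owners | Format-Table -AutoSize
    # The KDC encrypts the service ticket with the key of the account that owns the SPN.
    # If that is the computer account but the app pool runs as a domain user (or the other
    # way round), IIS cannot decrypt the ticket and the client sees KRB_AP_ERR_MODIFIED / 401.
    $dupes = $owners | Group-Object SPN | Where-Object { $_.Count -gt 1 }
    foreach ($g in $dupes) {
        "Duplicate SPN $($g.Name) on: $($g.Group.Owner -join ', ')"
        "Remove the wrong one, e.g.: setspn -D $($g.Name) <account>"
    }
}
# Forest-wide duplicate report, independent of this script:
#   setspn -X
```

Compare the Class column with the identity the app pool actually runs as: a matching owner is the only configuration in which the service can decrypt the ticket. Registering the SPN on the wrong account is exactly the MSSQLSVC scenario quoted earlier in the thread.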

Author Comment

by:yo_bee
ID: 41762789
How would I leverage Wireshark to assess this?
It all looks like a bunch of mumbo-jumbo to me.


Assisted Solution

by:btan (earned 500 total points, awarded by participants)
ID: 41763291
Please reference my last post, in which they run through the steps looking out for the 401 error:

6. The machine then attempts to get a service ticket (TGS-REQ / TGS_REP) from the domain controller two more times in the trace, but each time the web server reports the same error of KRB5KRB_AP_ERR_MODIFIED (frames 15-18, 25-26, 34-37). The reason why you are seeing three different TGS-REQ / TGS_REP) requests to the domain controller is because you were prompted three times for user name and password when attempting to access the site before you got the 401.1 unauthorized error from the web server.

We need to do more investigation when you get the KRB5KRB_AP_ERR_MODIFIED. Keep in mind that this error really just means that the Service you are attempting to connect to could not decrypt the Kerberos ticket using its password Hash.

The first thing that we will test is to see if the Service Principal Name is registered to the correct account. If you remember from the previous blog the Web Application pool account that is running the website is Fabrikam\KerbSvc
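To pull the exchange the article describes out of a capture without reading it frame by frame, here is an added tshark example (mine, not from the thread). It assumes Wireshark is installed in its default location, a capture file taken on the client or the DC, and the client IP from the 4771 Client Address; all three values are placeholders you replace.

```powershell
# Added example, not from the thread: extract the Kerberos and HTTP exchange for one client
# from a capture with tshark so the AS-REQ, the KRB-ERROR and the HTTP 401 line up in time.
# Assumptions: Wireshark in its default location, a capture file taken on the client or the
# DC, and the client IP from the 4771 Client Address. All three values are placeholders.
param(
    [string]$Capture  = 'C:\temp\kerb.pcapng',   # placeholder path
    [string]$ClientIP = '192.168.0.55'           # the 4771 Client Address from the thread
)
$tshark = 'C:\Program Files\Wireshark\tshark.exe'

# kerberos.msg_type: 10 AS-REQ, 11 AS-REP, 12 TGS-REQ, 13 TGS-REP, 30 KRB-ERROR
# kerberos.error_code 24 = KDC_ERR_PREAUTH_FAILED, the wire form of 0x18 in event 4771;
#                     25 = KDC_ERR_PREAUTH_REQUIRED, the normal first reply, not a failure;
#                     41 = KRB_AP_ERR_MODIFIED, the service could not decrypt the ticket.
$filter = "ip.addr == $ClientIP && (kerberos || http.response.code == 401 || http.request)"

& $tshark -r $Capture -Y $filter -T fields -E header=y -E separator='|' `
    -e frame.number -e frame.time_relative -e ip.src -e ip.dst `
    -e kerberos.msg_type -e kerberos.error_code -e kerberos.CNameString -e kerberos.SNameString `
    -e http.request.method -e http.request.uri -e http.response.code -e http.www_authenticate

# The same selection as a Wireshark display filter, for the GUI:
#   ip.addr == 192.168.0.55 && (kerberos.error_code == 24 || kerberos.msg_type == 10 || http.response.code == 401)
```

Read the output as a timeline: an AS-REQ whose CNameString is Administrator followed by a KRB-ERROR with error_code 24 is the 4771 itself, and the source port of that AS-REQ is the Client Port the DC logged, so `netstat -ano` on the client at that moment maps it to a PID. A 401 whose WWW-Authenticate header carries a KRB-ERROR 41 is the missing or mis-registered SPN case from the article, which is a different problem from the bad-password 0x18.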

Author Comment

by:yo_bee
ID: 41767505
I am sorry, but I am really confused with this.
Let me look at this some more.

Expert Comment

by:btan
ID: 41793197
As explained above on the likely issues, with advice given for follow-up.