Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Failure Audit 673 & 675

75 views
Skip to first unread message

Edward Jones (Eddie)

unread,
Jul 11, 2006, 4:05:02 PM7/11/06
to
Background: Network consists of an SBS Server 2003 Std., Windows 2003 Server
Std set up as a DC, and all client machines are XP SP2, all clients and
server are up to date with windows update.

I am recieving the following error every 10-15 minutes does anyone know the
cause? I have not found many postings on the issue and most state that it is
usually caused by a time difference but this has been checked and re-checked
and the times are synchronized between all clients.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 7/11/2006
Time: 10:24:13 AM
User: NT AUTHORITY\SYSTEM
Computer: <<SBS_SERVER>>
Description:
Service Ticket Request:
User Name:
User Domain: <<DOMAIN>>.LOCAL
Service Name: host/<<SBS_SERVER>>.<<DOMAIN>>.local
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 127.0.0.1
Failure Code: 0xD
Logon GUID: -
Transited Services: -

I am also recieving the following:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 7/11/2006
Time: 11:39:46 AM
User: NT AUTHORITY\SYSTEM
Computer: <<SBS_SERVER>>
Description:
Pre-authentication failed:
User Name: <<USER>>
User ID: <<DOMAIN>>\<<USER>>
Service Name: krbtgt/<<DOMAIN>>
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: <<INTERNAL_IP_OF_CLIENT_COMP>>

The 675 error is not specific to one particular user and occurs speratically
through out the day 10 -15 times in a 24 hour period. Any suggestions would
be greatly appreciated.

Steven Zhu [MSFT]

unread,
Jul 11, 2006, 11:10:02 PM7/11/06
to
Hi Edward,

Thanks for posting here.

From your post, I understand that you receive failure audit 673 messages
and 675 messages. If I am off base, please feel free to let me know.

Based on my experience, these two events are very likely separate events
that are not related to each other.

Regarding the 673 event:
--------------------------------
This problem occurs because the Kerberos client on Windows 2000-based
computers and on Windows Server 2003-based computers examines the Key
Distribution Center (KDC) at set intervals to verify that the
Service-for-User (S4U) Kerberos extension is supported. By default, the
Kerberos client examines the KDC every 15 minutes. Because Windows 2000
does not support the S4U Kerberos extension, event ID 677 messages are
logged to the security event log of a Windows 2000 domain controller. In
Windows Server 2003, event ID 673 messages are logged to the security event
log if the S4U Kerberos extension is not configured. To use the S4U
Kerberos extension, you must have a Windows Server 2003 native domain, and
you must configure the appropriate computer accounts for constrained
delegation.

For more info, please refer to:
824905 Event ID 677 and event ID 673 audit failure messages are repeatedly
http://support.microsoft.com/?id=824905

There is a hotfix in the article. I wanted to let you know that hotfixes
are generally available for specific issues in the Product. Please keep in
mind that they are not fully regression tested and should be applied only
to systems experiencing the specific problem. For this reason, the first
step would be to verify if you are indeed running into the problem
addressed in a specific hotfix. The individual sending of hotfixes must be
tracked by Microsoft for reasons such as: you may run into problems after
installing the fix, when future updates to the hotfix occur we want to be
able to notify you. For these reasons and others, many hotfixes are only
available to customers if they call into the appropriate Microsoft Support
phone line, and receive direct help and advice from a Microsoft support
professional. We are not equipped to send out and track hotfixes here in
the Newsgroups forum.

If you prefer, you could contact Microsoft Product Customer Services
directly to obtain the fix. For a complete list of Microsoft Product
Customer Services phone numbers and information about support costs, visit
the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support
calls may be canceled if a Microsoft Support Professional determines that a
specific update will resolve your problem. The typical support costs will
apply to additional support questions and issues that do not qualify for
the specific update in question.

Regarding the 675 event:
----------------------------

Generally speaking event 675 with Failure Code 0x18 indicates that a user
logon the domain with an incorrect credential.

If the event only appears once or several times, it is very likely that the
user Sabrinac typed his password by mistake and therefore cause this event
be logged.

However, if there multiple similar records in the event and the Sabrinac
account keeps being locked out, we need to check the client to perform
further analysis. Based on my experience on troubleshooting this kind of
issue, the problem could be related to the several factors:

- Cached Credentials: Many applications will cache credentials and keep
active threads in use, not updating credentials after a change in password.

- Saved User Names and Password: Windows XP/Windows Server 2003 can store
user names and passwords, and generally the saved credentials could cause
this kind of problem.

- Service Accounts: If a service logon account is manually configured to
logon using the user account/password, the problem could occur. (From your
post, I learned that you have checked this already.)

- Active Directory Replication: User properties need to replicate between
domain controllers.

We can check if the above possible causes to troubleshoot this problem.

I hope the above information helps.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



Edward Jones (Eddie)

unread,
Jul 13, 2006, 9:50:01 AM7/13/06
to
Regarding the 673 event we have a Windows 2003 native domain and no clients
are running windows 2000 only XP SP2. The error is listed on the SBS server
only from IP address 127.0.0.1 and the service is host.computername.domain.
Could there be another cause?

Regarding 675 the error only occurs once for a specific account but occurs
for multiple users on different machines. Most if not all users report that
they have not changed their password recently. The only other suggestion to
test would be AD replication however i am not sure how best to test this
could you please give some direction.

Thank you for your post and any additional information you can provide.
Thank you.

Steven Zhu [MSFT]

unread,
Jul 17, 2006, 3:39:10 AM7/17/06
to
Hi Edward,

Thanks for taking time to respond.

This is the most issue that will generate failure audit 673. So I suggest
you apply the hotfix in the following article:

824905 Event ID 677 and event ID 673 audit failure messages are repeatedly
http://support.microsoft.com/?id=824905

For Event ID 675, some attributes indicates that it is a bad password:

0x18 (KDC_ERR_PREAUTH_FAILED) = "Pre-authentication information was
invalid". This indicates failure to obtain ticket, possibly due to the
client providing the wrong password.

Pre-Authentication Type: 0x2 = encoded timestamp

The failure might be due to time skew > 5 minutes. So I suggest that we
check the System Time on the affected client computer and the server.

I suggest that you logon to the client computer and type the following
command in command prompt:

net stop w32time
net start w32time
w32tm /resync /rediscover

If the issues till exists, I suggest that you refer to following article to
make sure that Windows Time Service is configured correctly on both SBS
Server 2003 and client computer:

216734 How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734
314054 How to Configure an Authoritative Time Server in Windows XP
http://support.microsoft.com/?id=314054
816042 How to configure the Windows Time service on a Windows Server
2003-based
http://support.microsoft.com/?id=816042

I hope the above information helps.

Have a good day.

0 new messages