
Event ID: 676 (I have thousands of these in EventViewer...)

Status
Not open for further replies.

GVN

MIS
Dec 2, 2005
238
US
I have thousands of these in EventViewer... Can anyone tell me why???

####################################################

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 2/2/2006
Time: 2:42:18 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER2
Description:
Authentication Ticket Request Failed:
User Name: jdoe
Supplied Realm Name: MYDOMAIN.COM
Service Name: krbtgt/MYDOMAIN.COM
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 10.0.0.116

 
This is what people are saying out there:

Erik Swenson (Last update 4/13/2004):
Sometimes a logon fails not because of a bad password but because the user mistyped the username or tried to guess someone else's username.
If a logon fails because of an invalid username, Windows 2000 logs event ID 676 (authentication ticket request failed) with Failure Code 6. This event is another important logon auditing advance because in NT you can't distinguish logons that failed because of a bad password from logons that failed because of a bad username. Windows 2000 uses event ID 676 with other failure codes to identify several other types of failed-logon situations.

Failure Code 12 indicates the logon failed because of time-of-day or workstation restrictions. Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.
Failure Code 23 means the user's password had expired.
Failure Code 37 occurs when a workstation's clock was too far out of synchronization with the DC's clock.

See Audit Account Logon Events for more details.

Anonymous (Last update 11/24/2006):
A user on my company's Win 2K domain received this event along with events 675 and 681 from the same source in the DC event logs. They were logged on to two PCs with the same account, had changed their expired password on one of the PCs and not logged off the other to synchronise the profiles.

Peter Hayden (Last update 11/3/2005):
In one case, with Failure Code 6 on Windows 2000, this was due to a mistyped username.

In another case, with Failure Code 6 on Windows 2000, the password for the IWAM_MachineName account was mismatched between the Windows Active Directory and the IIS metabase.

See "EventID 101 from source IISADMIN" for more information.

Matt Ostiguy (Last update 8/31/2004):
See the link to "Troubleshooting Kerberos Errors" for information about Kerberos errors.

Ionut Marin (Last update 12/9/2003):
See M824209 on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.

- Failure Code: 6 - See M326985.

M. Meenan (Last update 5/5/2003):
We had this issue on a Win2K domain. Changing the Domain Sec. Policy setting for Min. Password Age to "0" solved the issue. See M273004 for more info.

Anonymous
Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.

Dennis Lundtoft Thomsen
Failure Codes:
6 Client not found in the Kerberos database.
7 Server not found in the Kerberos database. This generally indicates a service principal name (SPN) has not been registered for the service.
23 Password has expired.
32 Ticket has expired.
33 Ticket not yet valid.
34 Request is a replay. Someone is trying to play back a Kerberos client's response; you are possibly being attacked.
37 Clock skew too great. Kerberos is time-critical; make sure all clocks are synchronized.

_________________________________
MCP, (Cientist, partime, and ops Mad-man...)
 
They couldn't be manually typed in, as many of them are within seconds of each other... So, are you saying that someone's trying to hack the accounts? If so, how, as we have a firewall in place between the LAN and the internet?

GVN
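An added example, not part of any post in this thread: a small Python script that reads Event ID 676 records exported as text, converts the hexadecimal Failure Code (0x12 in the event above is decimal 18) and counts failures per user, client address and code, so that a burst of events can be traced to the machine generating it. It assumes the failure codes listed in the thread are decimal values; the record layout is taken from the event in the first post, and the user `asmith` and address `10.0.0.57` are constructed sample data.

```python
import re
from collections import Counter

# Meanings as quoted in the thread, keyed by decimal code.
# Assumption: the thread's numbers are decimal; the event prints the code in hex.
FAILURE_CODES = {
    6: "Client not found in the Kerberos database",
    7: "Server not found in the Kerberos database",
    12: "Time-of-day or workstation restriction",
    18: "Account locked out, disabled or expired",
    23: "Password has expired",
    32: "Ticket has expired",
    33: "Ticket not yet valid",
    34: "Request is a replay",
    37: "Clock skew too great",
}

FIELD = re.compile(
    r"^[ \t]*(User Name|Failure Code|Client Address):[ \t]*(\S+)[ \t]*$", re.M)

def parse_676(text):
    """Yield (user, client, decimal_code) for each Event ID 676 record."""
    for record in re.split(r"(?m)^(?=Event Type:)", text):
        if not re.search(r"(?m)^Event ID:[ \t]*676[ \t]*$", record):
            continue
        f = dict(FIELD.findall(record))
        try:
            yield f["User Name"], f["Client Address"], int(f["Failure Code"], 16)
        except (KeyError, ValueError):
            continue  # skip records with missing or malformed fields

def summarize(text):
    """Count failures per (user, client, code), most frequent first."""
    counts = Counter(parse_676(text))
    return [(u, c, code, FAILURE_CODES.get(code, "unknown"), n)
            for (u, c, code), n in counts.most_common()]

# Constructed sample: the record from the first post three times, plus one made-up record.
_REC = ("Event Type: Failure Audit\nEvent ID: 676\nUser: NT AUTHORITY\\SYSTEM\n"
        "Authentication Ticket Request Failed:\nUser Name: {u}\n"
        "Failure Code: {c}\nClient Address: {a}\n\n")
SAMPLE = (_REC.format(u="jdoe", c="0x12", a="10.0.0.116") * 3
          + _REC.format(u="asmith", c="0x6", a="10.0.0.57"))

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The client address at the top of the summary is the host to examine first, for example for a session still logged on, a service or a mapped drive using that account.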
 