Pre-authentication failed & Authentication Ticket Request

KRPGroup
My security event logs are full of these to Events

675 Pre-authentication failed
672 Authentication Ticket Request
673 Service Ticket Request

I have been monitoring staff trying to see what could be causing these. There are 2 staff whose accounts are getting locked out several times throughout the day.

I have followed the tips in a few other threads regarding mapped drives, TS disconnect, MS passport; nothing is standing out. I have monitored a user while they were working via VNC and eventcombMT.exe, LockoutStatus.exe. I changed one of the users' computers to see if it was tied to the workstation but problems continue.

eventcombMT.exe Export
675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: DcIpAddrss

644 AUDIT SUCCESS Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM User Account Locked Out: Target Account Name: UserName Target Account ID: %{S-1-5-21-...FullUserID} Caller Machine Name: EDM-120 Caller User Name: FSEXCH$ Caller Domain: DOMAIN Caller Logon ID: (0x0

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:10 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss

675 AUDIT FAILURE Security Mon Mar 19 11:06:09 2007 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name: UserName User ID: %{S-1-5-21-...FullUserID} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: DcIpAddrss
 
Is it possible that the user account has been used for a service? The user may have changed their password and the service is still attempting to use the old password, which would lock the account - depending on the amount of bad password attempts in your policy.
 
We changed her computer and also had her use Citrix instead of her local apps. So I can't see how it could be a service.

This morning her account was locked out before 8am but she didn't arrive until after 8am. When looking at the logs on a DC it is showing her username with a 675 Pre-authentication failed with a Client Address from another user's computer. I checked that computer's logs, see below.

Also we have 2 DC W2003, I am using LockoutStatus.exe to monitor accounts and it seems that only 1 of the DCs ever shows bad password and lockout. This DC was the first one in the domain and is our Exch2003 server.

Workstation Log (Tab delimited for copy/paste into something easier to view)
User1 = Me (probably connecting to logs, never logged on locally)
User2 = TM (Computer Owner)
User3 = JB (another network user, never logged on locally)

538 AUDIT SUCCESS Security Tue Mar 20 09:00:07 2007 Domain\Administrator User Logoff: User Name: Administrator Domain: Domain Logon ID: (0x0 0x224F60) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 09:00:04 2007 Domain\Administrator Successful Network Logon: User Name: Administrator Domain: Domain Logon ID: (0x0 0x224F60) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {b3a2cbd8-b9bb-...}
576 AUDIT SUCCESS Security Tue Mar 20 09:00:04 2007 Domain\Administrator Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x224F60) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
538 AUDIT SUCCESS Security Tue Mar 20 08:59:11 2007 Domain\Administrator User Logoff: User Name: Administrator Domain: Domain Logon ID: (0x0 0x220CEE) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 08:59:02 2007 Domain\Administrator Successful Network Logon: User Name: Administrator Domain: Domain Logon ID: (0x0 0x220CEE) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {55cb5eaa-...}
576 AUDIT SUCCESS Security Tue Mar 20 08:59:02 2007 Domain\Administrator Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x220CEE) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
538 AUDIT SUCCESS Security Tue Mar 20 08:48:56 2007 Domain\Comp-260$ User Logoff: User Name: Comp-260$ Domain: Domain Logon ID: (0x0 0x1DBF35) Logon Type: 3
538 AUDIT SUCCESS Security Tue Mar 20 08:48:56 2007 Domain\User1 User Logoff: User Name: User1 Domain: Domain Logon ID: (0x0 0x1DBC6C) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 08:48:48 2007 Domain\Comp-260$ Successful Network Logon: User Name: Comp-260$ Domain: Domain Logon ID: (0x0 0x1DBF35) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {3e860d9f-...}
576 AUDIT SUCCESS Security Tue Mar 20 08:48:48 2007 Domain\Comp-260$ Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x1DBF35) Privileges: SeChangeNotifyPrivilege
540 AUDIT SUCCESS Security Tue Mar 20 08:48:45 2007 Domain\User1 Successful Network Logon: User Name: User1 Domain: Domain Logon ID: (0x0 0x1DBC6C) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Comp-260 Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 08:48:45 2007 Domain\User1 Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x1DBC6C) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
540 AUDIT SUCCESS Security Tue Mar 20 08:48:43 2007 Domain\User1 Successful Network Logon: User Name: User1 Domain: Domain Logon ID: (0x0 0x1DBAE3) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Comp-260 Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 08:48:43 2007 Domain\User1 Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x1DBAE3) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
538 AUDIT SUCCESS Security Tue Mar 20 08:15:15 2007 Domain\User3 User Logoff: User Name: User3 Domain: Domain Logon ID: (0x0 0x13C389) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 08:15:10 2007 Domain\User3 Successful Network Logon: User Name: User3 Domain: Domain Logon ID: (0x0 0x13C389) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {c5b7e877-...}
576 AUDIT SUCCESS Security Tue Mar 20 08:15:10 2007 Domain\User3 Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x13C389) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
576 AUDIT SUCCESS Security Tue Mar 20 07:52:16 2007 NT AUTHORITY\NETWORK SERVICE Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:52:16 2007 NT AUTHORITY\NETWORK SERVICE Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:41:41 2007 NT AUTHORITY\NETWORK SERVICE Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:41:41 2007 NT AUTHORITY\NETWORK SERVICE Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:41:41 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:41:41 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:41:20 2007 NT AUTHORITY\NETWORK SERVICE Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:41:20 2007 NT AUTHORITY\NETWORK SERVICE Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:40:07 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:40:07 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
538 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM User Logoff: User Name: Comp-121$ Domain: Domain Logon ID: (0x0 0x1D6E9) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM Successful Network Logon: User Name: Comp-121$ Domain: Domain Logon ID: (0x0 0x1D6E9) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {391a13f9-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x1D6E9) Privileges: SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
538 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM User Logoff: User Name: Comp-121$ Domain: Domain Logon ID: (0x0 0x1D0B9) Logon Type: 3
540 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM Successful Network Logon: User Name: Comp-121$ Domain: Domain Logon ID: (0x0 0x1D0B9) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {391a13f9-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:40:06 2007 NT AUTHORITY\SYSTEM Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x1D0B9) Privileges: SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
576 AUDIT SUCCESS Security Tue Mar 20 07:40:04 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:40:04 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 Domain\User2 Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x162EC) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 Domain\User2 Successful Logon: User Name: User2 Domain: Domain Logon ID: (0x0 0x162EC) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Comp-121 Logon GUID: {37734437-91db-...}
538 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 Domain\User2 User Logoff: User Name: User2 Domain: Domain Logon ID: (0x0 0x162C4) Logon Type: 11
576 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 Domain\User2 Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x162C4) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 Domain\User2 Successful Logon: User Name: User2 Domain: Domain Logon ID: (0x0 0x162C4) Logon Type: 11 Logon Process: User32 Authentication Package: Negotiate Workstation Name: Comp-121 Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:54 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
540 AUDIT SUCCESS Security Tue Mar 20 07:39:53 2007 NT AUTHORITY\ANONYMOUS LOGON Successful Network Logon: User Name: Domain: Logon ID: (0x0 0x12711) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:53 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:53 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:47 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:47 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:46 2007 NT AUTHORITY\LOCAL SERVICE Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x3E5) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:46 2007 NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:46 2007 NT AUTHORITY\NETWORK SERVICE Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:46 2007 NT AUTHORITY\NETWORK SERVICE Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}
576 AUDIT SUCCESS Security Tue Mar 20 07:39:45 2007 NT AUTHORITY\NETWORK SERVICE Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0 0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
528 AUDIT SUCCESS Security Tue Mar 20 07:39:45 2007 NT AUTHORITY\NETWORK SERVICE Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0 0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-...}


 
Pre-authentication failed; usually means bad password - as you know...

If it is coming from another computer, I have seen a couple of possibilities.

1. User at one time, before a password change, client has logged into the computer in question and either locked the computer or walked away from it while still logged on.

resolution: Find the computer in question and re-boot it, forcing it to logoff the current user.

2. Client is logged on, again walking away from the machine, and a screensaver has 'on resume, password protect' enabled. Again, client goes to another machine and changes AD password.

3. Someone at that workstation is trying to logon using the username.


 
> Also we have 2 DC W2003, I am using LockoutStatus.exe to monitor accounts and it seems that only 1 of the DCs ever shows bad password and lockout. This DC was the first one in the domain and is our Exch2003 server.

Only one DC will authenticate the user. So, depending on your environment and how AD sites and services are configured, this is more than likely normal.
 
The one user is currently at 6 failed attempts so I connected to her system and ran the SET cmd and her logon server was the 2nd DC. I took this as this is the server authenticating her?
 
Yes, the logon server in the set command is the server that authenticated the client at last logon.
 
As for your prev suggestion, the source IP of the computer that was showing the failed logs has never been used by the user with the account lockout issue. That computer was in use at the time of logs by a regular user, she is the only user of that computer. There is no profile for the affected user there.

The server logs show several users that are getting the 675, 672 failed audits but so far there are only 2-3 staff that are triggering it enough to get locked out.
 
If it were a sync issue, you would be having more issues than just this one user account.
But to verify, check the Directory Service and File Replication service logs within Event viewer on each DC.
You can force replication from within AD Sites and Service MMC.
 
> As for your prev suggestion, the source IP of the computer that was showing the failed logs has never been used by the user with the account lockout issue. That computer was in use at the time of logs by a regular user, she is the only user of that computer. There is no profile for the affected user there.
>
> The server logs show several users that are getting the 675, 672 failed audits but so far there are only 2-3 staff that are triggering it enough to get locked out.

Then it could be a virus or worm. Since you have the source IP, take the workstation off the network and see what happens. The workstation is trying to authenticate using that user's username, somehow? If it is not a virus or a service on the workstation that is set to logon as... you could also check scheduled tasks to see if a task is attempting to run under that client's credentials. It also could be a persistent mapped network drive, set to the user's account. It sounds like you know where the source is, now it is the "what is causing it" that you have to troubleshoot.
 
also,
> The server logs show several users that are getting the 675, 672 failed audits but so far there are only 2-3 staff that are triggering it enough to get locked out.

Are these errors coming from the same source IP? Is that the common factor?
 
These are failures only; you can see it is the same user, same events, different IPs.
10.11 = DC
10.141 = wkst (not User1's, another staff)

I guess the question is what, if any, is a normal amount of these types of logs. I have only chosen a small example here but I have most of my users getting failed 672/675 errors throughout the day.

My server log is set to 160MB and it is full and only goes back 4 days.

One entry
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/20/2007
Time: 7:57:12 AM
User: NT AUTHORITY\SYSTEM
Computer: FSEXCH
Description:
Pre-authentication failed:
User Name: User1
User ID: Domain\User1
Service Name: krbtgt/Domain
Pre-Authentication Type: 0x2
Failure Code: 0x12
Client Address: 192.168.10.11



8 of these in a row
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/20/2007
Time: 7:57:12 AM
User: NT AUTHORITY\SYSTEM
Computer: FSEXCH
Description:
Pre-authentication failed:
User Name: User1
User ID: Domain\User1
Service Name: krbtgt/Domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.10.11



6 of these in a row
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/20/2007
Time: 10:01:52 AM
User: NT AUTHORITY\SYSTEM
Computer: FSEXCH
Description:
Pre-authentication failed:
User Name: User1
User ID: Domain\User1
Service Name: krbtgt/Domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.10.141




Blanks??? What does this indicate?
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/20/2007
Time: 6:52:16 AM
User: NT AUTHORITY\SYSTEM
Computer: FSEXCH
Description:
Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x2
Ticket Encryption Type: -
Client Address: 192.168.10.2
Failure Code: 0x20
Logon GUID: -
Transited Services: -
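
The per-source tally the posts above work out by hand, as an added example that is not part of the original thread: it parses event 675 lines in the flattened export layout quoted earlier, decodes the failure code, and counts bad passwords (0x18) per user and client address. The sample lines and the `OWNERS` address-to-user mapping are constructed for illustration; the mapping is an assumption the administrator would have to supply.

```python
import re
from collections import Counter
from datetime import datetime

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field.
FAILURE_CODES = {
    0x06: "client principal unknown",
    0x12: "client credentials revoked (account disabled, expired or locked out)",
    0x17: "password expired",
    0x18: "pre-authentication failed (usually a bad password)",
    0x20: "ticket expired",
    0x25: "clock skew too great",
}

# One flattened line per event, in the layout of the export quoted in the thread.
LINE_RE = re.compile(
    r"^675\s+AUDIT FAILURE\s+Security\s+"
    r"(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+.*?"
    r"User Name:\s*(?P<user>\S+)\s+User ID:.*?"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"Client Address:\s*(?P<addr>\S+)"
)

def parse_675(lines):
    """Return one dict per event 675 line; other event IDs are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "when": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
                "user": m["user"],
                "addr": m["addr"],
                "code": int(m["code"], 16),
            })
    return events

def bad_passwords_by_source(events):
    """Count 0x18 failures per (user, client address)."""
    return Counter((e["user"], e["addr"]) for e in events if e["code"] == 0x18)

def foreign_failures(events, owners):
    """Bad passwords sent from a workstation for an account that is not its usual user's."""
    hits = Counter()
    for (user, addr), n in bad_passwords_by_source(events).items():
        if addr in owners and owners[addr] != user:
            hits[(addr, user)] += n
    return hits

def describe(code):
    return FAILURE_CODES.get(code, "unlisted code 0x%X" % code)

# Constructed sample lines that mirror the counts described in the post above.
def _line(when, user, code, addr):
    return ("675 AUDIT FAILURE Security %s NT AUTHORITY\\SYSTEM "
            "Pre-authentication failed: User Name: %s User ID: DOMAIN\\%s "
            "Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 "
            "Failure Code: %s Client Address: %s" % (when, user, user, code, addr))

SAMPLE = (
    [_line("Tue Mar 20 07:57:12 2007", "User1", "0x18", "192.168.10.11")] * 8
    + [_line("Tue Mar 20 07:57:12 2007", "User1", "0x12", "192.168.10.11")]
    + [_line("Tue Mar 20 10:01:52 2007", "User1", "0x18", "192.168.10.141")] * 6
    + [_line("Tue Mar 20 10:05:30 2007", "User2", "0x18", "192.168.10.141")]
    + ["644 AUDIT SUCCESS Security Tue Mar 20 07:57:12 2007 User Account Locked Out"]
)
OWNERS = {"192.168.10.141": "User2"}  # constructed: usual user of that workstation

if __name__ == "__main__":
    events = parse_675(SAMPLE)
    print(dict(bad_passwords_by_source(events)))
    for (addr, user), n in foreign_failures(events, OWNERS).items():
        print("%s sent %d bad passwords for %s: %s" % (addr, n, user, describe(0x18)))
```

An address that appears in the `foreign_failures` result is the workstation to inspect for services, scheduled tasks, mapped drives or applications holding another account's credentials.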

 
> Blanks??? What does this indicate?
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 673
> Date: 3/20/2007
> Time: 6:52:16 AM
> User: NT AUTHORITY\SYSTEM
> Computer: FSEXCH
> Description:
> Service Ticket Request:
> User Name:
> User Domain:
> Service Name:
> Service ID: -
> Ticket Options: 0x2
> Ticket Encryption Type: -
> Client Address: 192.168.10.2
> Failure Code: 0x20
> Logon GUID: -
> Transited Services: -


When you see "Service Ticket Request:" it can be a couple of things. User failed when logging on remotely, User failed when trying to use a network service, User failed when trying to Map to a resource using a mapped drive.

 
I have updated my DNS/DHCP settings as that was not working dynamically. I rebooted this DC and so far it seems to be settling down; there have only been 18 failed 672/675 events in the last 3.5 hr(s).

I'll have to keep my eye on things, not sure if it was the reboot of the server?
 
I may have narrowed it down, I am still testing.

Turns out our Document Mgt software, when opening, is passing the user's credentials of another staff member. Strange thing is that the other user has never logged on to this computer, no local profile. I am working with the vendor to see how/where these credentials are kept.

Thanks for all the help so far.
 
Good to hear... Knew it was something passing the credential. True, a profile is created when a user logs on. But, you could set up a service to logon using a domain account, it will pass its credential. No requirement to log on to the station using that domain account for the service to start.
 