Pre-Authentication logon errors since PWD change

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi,

Since we changed the Admin password, the event viewer is getting full of failed pre-authentication errors for Administrator. Having investigated, I found the following info...
Explanation
The ticket-granting ticket (TGT) was not obtained. The reason is in the failure code, which is a translation of the RFC 1510 Kerberos error code.


User Action
No user action is required. For more information about the Kerberos protocol, refer to RFC 1510 at the Internet Engineering Taskforce Web site at:

What does this mean? I wasn't getting the errors before the change, and any failed authentication where the Administrator account is concerned is an issue, right?

Can someone advise what is causing these failures and how I fix the problem?

Thanks,
1DMF.




"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
So what do they mean, and if I can just ignore them, why do they fill up the event viewer? Superfluous logging makes no sense to me.

....however, since deleting the incorrect DNS records I've now got...

The dynamic deletion of the DNS record '_kerberos._udp.ourdomain.local. 600 IN SRV 0 100 88 ourserver.ourdomain.local.' failed on the following DNS server:

DNS server IP address: 192.168.0.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017

USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: DNS bad key.


as well as more...
Source Event ID Last Occurrence Total Occurrences
Security 672 02/12/2008 11:53 1
Authentication Ticket Request:
User Name: username
Supplied Realm Name: ourdomain
User ID: -
Service Name: krbtgt/ourdomain
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x17
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.0.2
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

So is this all linked somehow?

rogue DNS records, kerberos and pre-authentication ticketing?








"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
I would turn down the security on your DNS updates, especially since you have an internal-only DNS server. Seems like some of the processes that need to dynamically register/unregister records aren't working.

And you might try stopping and starting the NetLogon service on your server and then running 'ipconfig /registerdns' to make sure that all the proper records get registered. In general DNS runs by itself and you shouldn't need to muck about in it, especially if you are using a .local domain name.

Dave Shackelford
Shackelford Consulting
 
Well, all the DNS records seem to have been recreated OK, and I've added 'ipconfig /registerdns' to the default SBS_LOGIN_SCRIPT.bat; hopefully that'll resolve any spurious DNS records going out of sync with DHCP on the firewall.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
We are still getting these pre-authentication errors in the server report.

Security 675 08/12/2008 05:44 52 *
Pre-authentication failed:
User Name: Administrator
User ID: OUR_DOMAIN\Administrator
Service Name: krbtgt/OUR_DOMAIN
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

If these were going to just go away, should this not have happened by now, being a week later?

Something must be triggering these. How do I work out what it is and resolve this issue?

Thanks,

1DMF.



"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
Dave, how long should it take for these errors to go away?

It's been a month and we are still getting them...
Code:
Source Event ID Last Occurrence Total Occurrences 
  Security 675 04/01/2009 05:38 177 * 
Pre-authentication failed: 
  User Name: Administrator 
  User ID: OURDOMAIN\Administrator 
  Service Name: krbtgt/OURDOMAIN
  Pre-Authentication Type: 0x2 
  Failure Code: 0x18 
  Client Address: 127.0.0.1

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
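
A triage sketch for the question raised in this thread (an added example, not part of any post): it parses event 672/675 description text as pasted above, maps the hexadecimal code to its RFC 1510 error name, and marks requests whose client address is loopback, meaning they originate on the domain controller itself. The sample text is constructed from the events quoted in the thread, and the function names are illustrative.

```python
import re
from collections import Counter

# Subset of the RFC 1510 error codes seen in events 672 and 675.
KRB_ERRORS = {
    0x17: "KDC_ERR_KEY_EXPIRED",       # password has expired
    0x18: "KDC_ERR_PREAUTH_FAILED",    # pre-authentication data invalid (wrong password)
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # normal first leg of a logon, not a failure
}
LOOPBACK = {"127.0.0.1", "::1"}
HEADERS = {"Pre-authentication failed", "Authentication Ticket Request"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")

# Constructed sample text, modelled on the two events quoted in the thread.
EVENT_675 = """Pre-authentication failed:
  User Name: Administrator
  Pre-Authentication Type: 0x2
  Failure Code: 0x18
  Client Address: 127.0.0.1
"""
EVENT_672 = """Authentication Ticket Request:
  User Name: username
  Result Code: 0x17
  Client Address: 192.168.0.2
"""
SAMPLE = EVENT_675 * 2 + EVENT_672

def parse_events(text):
    """Split pasted event descriptions into one dict of fields per event."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.groups()
        if key in HEADERS:
            events.append({"Event": key})
        elif events:
            events[-1][key] = value
    return events

def triage(event):
    """Decode the Kerberos code and note whether the request came from the DC itself."""
    raw = event.get("Failure Code") or event.get("Result Code") or "0x0"
    addr = event.get("Client Address", "")
    return (event.get("User Name"), KRB_ERRORS.get(int(raw, 16), raw), addr, addr in LOOPBACK)

def summarize(text):
    """Count identical failures so the repeating source stands out."""
    return Counter(triage(e) for e in parse_events(text))
```

A high count for one user with `KDC_ERR_PREAUTH_FAILED` from a loopback address points at something running on the server with a stored credential (a service, scheduled task or similar) rather than at a remote client.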