I might as well ask, Event Viewer Failure audit Event ID 675

Hey guys, if anybody here is a network admin or have studied Audits in Event Viewer, you might have some feedback for me.

I am basically seeing failure audit Event ID 675 quite a bit on my Domain Controller's Event Viewer (and the backup DC), even though people aren't typing in bad passwords, are logging in fine, and don't seem to be reporting any problems accessing system resources. Is there a reason why i am getting so many failure audits still? They are mostly Pre-authentication failed, 675 event ID, and the Pre-Authentication Type is sometimes 0x0, mostly 0x2 and the Failure Code is 0x20, 0x25, but mostly 0x18

The servers are Win 2003, and the clients are mostly XP. We also have a few Macs, and they generate the same failure event the most. However it is the XP machines i am initially trying to figure out.

Do i need to change something in Active Directly? Or is it something in Doman Security settings? I know we have Kerberos policy activated (enforce user logon restrictions enabled), max lifetime for service ticket 600m, max lifetime for user ticket 10 hours, max lifetime for user ticket renewal: 7 days

I've read a lot on Microsofts's knowledge base, but it seems to talk about 675 as if is mostly because of bad password... but i checked with a few users to see if they mistakenly keep entering a bad password, and they said no.

Here is the failure audit one more time. Any help would be appreciated.
*****************************************
Failure adit - event ID 675

Pre-authentication failed:
User Name: b******n
User ID: CTU\b*******n
Service Name: krbtgt/CTU
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.10.155

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

forbesl

madboy wrote:

Hey guys, if anybody here is a network admin or have studied Audits in Event Viewer, you might have some feedback for me.

Like I said earlier, check out Microsoft TechNet. Here is the answer for your question on event id 675:

http://support.microsoft.com/kb/328570/en-us

madboy

Thanks for your help. I've been reading on that site quite a bit, but it's nice to have someone on a forum to discuss it with. That's why i asked that question earlier.

You'll have to forgive me, i am new to this job and i am doing it alone.

JDMurray

Googling "Failure audit - event ID 675" turns up this:

Which events does Windows 2000 log when authentication fails? When a user attempts to log on at a Windows 2000 Pro workstation and uses a valid domain account name but enters a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24 (0x1.

At: http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx