Security Failures after Password Change
in [Microsoft Exchange]
|
Prev: Old Exchange 2003 server no longer works since we removed and old DC
Next: 2007 exchange server address list service failed to respond
From: Zachary on 29 Oct 2009 15:05 According to the IP addresses listed you use IPv6 and IPv4 together on some machines? Explain to me where you see that please. On the only windows 2008 server we have IPv6 is disabled on the NIC. All other servers are either windows server 2000 or 2003 and aren't capable of IPv6. Are the time settings/time zones the same on all machines? Yes and all server are configured to sync to the PDC via NTP. Are any of the machines restored after a crash? No. None of the machines have been restored from a crash. "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message news:6cb2911d8c5b8cc26de44ef06e4(a)msnews.microsoft.com... > Hello Zachary, > > Sorry for being late. > > According to the ip addresses listed you use IPv6 and IPv4 together on > some machines? > > Are the time settings/time zones the same on all machines? > > Are any of the machines restored after a crash? > > Best regards > > Meinolf Weber > Disclaimer: This posting is provided "AS IS" with no warranties, and > confers no rights. > ** Please do NOT email, only reply to Newsgroups > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > >> Here is a status update. My exchange server is still throwing this >> error >> and every time it does it coralates to the next error that show up on >> our >> main DC. >> ----------------------------------------------------- >> Event Type: Failure Audit >> Event Source: Security >> Event Category: Logon/Logoff >> Event ID: 529 >> Date: 10/26/2009 >> Time: 3:36:37 PM >> User: NT AUTHORITY\SYSTEM >> Computer: AGRAEXCH >> Description: >> Logon Failure: >> Reason: Unknown user name or bad password >> User Name: Administrator >> Domain: AGRA >> Logon Type: 3 >> Logon Process: NtLmSsp >> Authentication Package: NTLM >> Workstation Name: AGRAEXCH >> Caller User Name: - >> Caller Domain: - >> Caller Logon ID: - >> Caller Process ID: - >> Transited Services: - >> Source Network Address: - >> Source Port: - >> ---------------------------------------------------- >> Log Name: Security >> Source: Microsoft-Windows-Security-Auditing >> Date: 10/26/2009 3:36:37 PM >> Event ID: 4776 >> Task Category: Credential Validation >> Level: Information >> Keywords: Audit Failure >> User: N/A >> Computer: AGRADC2.agraind.com >> Description: >> The domain controller attempted to validate the credentials for an >> account. >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >> Logon Account: Administrator >> Source Workstation: AGRAEXCH >> Error Code: 0xc000006a >> --------------------------------------------------- >> Then the Syteutil server issues this error every 10 minutes and PID >> 4704 is >> w3wp.exe. This error coralates to the second error from our DC. >> --------------------------------------------------- >> Event Type: Failure Audit >> Event Source: Security >> Event Category: Logon/Logoff >> Event ID: 529 >> Date: 10/26/2009 >> Time: 3:40:07 PM >> User: NT AUTHORITY\SYSTEM >> Computer: SYTEUTIL >> Description: >> Logon Failure: >> Reason: Unknown user name or bad password >> User Name: administrator >> Domain: agra >> Logon Type: 3 >> Logon Process: Advapi >> Authentication Package: Negotiate >> Workstation Name: SYTEUTIL >> Caller User Name: NETWORK SERVICE >> Caller Domain: NT AUTHORITY >> Caller Logon ID: (0x0,0x3E4) >> Caller Process ID: 4704 >> Transited Services: - >> Source Network Address: - >> Source Port: - >> ---------------------------------------------------- >> Log Name: Security >> Source: Microsoft-Windows-Security-Auditing >> Date: 10/26/2009 3:40:07 PM >> Event ID: 4776 >> Task Category: Credential Validation >> Level: Information >> Keywords: Audit Failure >> User: N/A >> Computer: AGRADC2.agraind.com >> Description: >> The domain controller attempted to validate the credentials for an >> account. >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >> Logon Account: administrator >> Source Workstation: SYTEUTIL >> Error Code: 0xc000006a >> ---------------------------------------------------- >> Then there is this error every 5 minutes, the ip listed is our second >> DC >> ---------------------------------------------------- >> Log Name: Security >> Source: Microsoft-Windows-Security-Auditing >> Date: 10/26/2009 3:32:21 PM >> Event ID: 4771 >> Task Category: Kerberos Authentication Service >> Level: Information >> Keywords: Audit Failure >> User: N/A >> Computer: AGRADC2.agraind.com >> Description: >> Kerberos pre-authentication failed. >> Account Information: >> Security ID: AGRA\Administrator >> Account Name: Administrator >> Service Information: >> Service Name: krbtgt/AGRA >> Network Information: >> Client Address: ::ffff:10.0.1.254 >> Client Port: 2010 >> Additional Information: >> Ticket Options: 0x40810010 >> Failure Code: 0x18 >> Pre-Authentication Type: 2 >> Certificate Information: >> Certificate Issuer Name: >> Certificate Serial Number: >> Certificate Thumbprint: >> Certificate information is only provided if a certificate was used for >> pre-authentication. >> >> Pre-authentication types, ticket options and failure codes are defined >> in RFC 4120. >> >> If the ticket was malformed or damaged during transit and could not be >> decrypted, then many fields in this event might not be present. >> --------------------------------------------------- >> >> Then there is this one that happens every 10 mins, the ip listed is >> our >> third DC >> --------------------------------------------------- >> Log Name: Security >> Source: Microsoft-Windows-Security-Auditing >> Date: 10/26/2009 3:30:06 PM >> Event ID: 4771 >> Task Category: Kerberos Authentication Service >> Level: Information >> Keywords: Audit Failure >> User: N/A >> Computer: AGRADC2.agraind.com >> Description: >> Kerberos pre-authentication failed. >> Account Information: >> Security ID: AGRA\Administrator >> Account Name: Administrator >> Service Information: >> Service Name: krbtgt/agra >> Network Information: >> Client Address: ::ffff:10.0.1.249 >> Client Port: 30051 >> Additional Information: >> Ticket Options: 0x40810010 >> Failure Code: 0x18 >> Pre-Authentication Type: 2 >> Certificate Information: >> Certificate Issuer Name: >> Certificate Serial Number: >> Certificate Thumbprint: >> Certificate information is only provided if a certificate was used for >> pre-authentication. >> >> Pre-authentication types, ticket options and failure codes are defined >> in RFC 4120. >> >> If the ticket was malformed or damaged during transit and could not be >> decrypted, then many fields in this event might not be present. >> --------------------------------------------------- >> >> Then there are two of these ever 10 minutes on our Main DC >> --------------------------------------------------- >> Log Name: Security >> Source: Microsoft-Windows-Security-Auditing >> Date: 10/26/2009 3:38:15 PM >> Event ID: 4769 >> Task Category: Kerberos Service Ticket Operations >> Level: Information >> Keywords: Audit Failure >> User: N/A >> Computer: AGRADC2.agraind.com >> Description: >> A Kerberos service ticket was requested. >> Account Information: >> Account Name: AGRADC2$@AGRAIND.COM >> Account Domain: AGRAIND.COM >> Logon GUID: {00000000-0000-0000-0000-000000000000} >> Service Information: >> Service Name: krbtgt/AGRAIND.COM >> Service ID: NULL SID >> Network Information: >> Client Address: ::1 >> Client Port: 0 >> Additional Information: >> Ticket Options: 0x60810010 >> Ticket Encryption Type: 0xffffffff >> Failure Code: 0xe >> Transited Services: - >> This event is generated every time access is requested to a resource >> such as a computer or a Windows service. The service name indicates >> the resource to which access was requested. >> >> This event can be correlated with Windows logon events by comparing >> the Logon GUID fields in each event. The logon event occurs on the >> machine that was accessed, which is often a different machine than the >> domain controller which issued the service ticket. >> >> Ticket options, encryption types, and failure codes are defined in RFC >> 4120. --------------------------------------------------- >> >> Are all of these related to the two member servers having problems or >> is this somthing deeper. >> >> "Zachary" <zdundore(a)agraind.com> wrote in message >> news:uLJxJAmVKHA.220(a)TK2MSFTNGP02.phx.gbl... >> >>> Found one of the culprits. The Exchange service account for legacy >>> access was set to the domain admin. This is found in the system >>> manager>Administrative Groups and then right click your >>> administrative group and on the general tab you will see this >>> setting. I am still recieving this error yet from the exchange >>> server: Any ideas? >>> >>> Event Type: Failure Audit >>> Event Source: Security >>> Event Category: Logon/Logoff >>> Event ID: 529 >>> Date: 10/26/2009 >>> Time: 12:11:34 PM >>> User: NT AUTHORITY\SYSTEM >>> Computer: AGRAEXCH >>> Description: >>> Logon Failure: >>> Reason: Unknown user name or bad password >>> User Name: Administrator >>> Domain: AGRA >>> Logon Type: 3 >>> Logon Process: NtLmSsp >>> Authentication Package: NTLM >>> Workstation Name: AGRAEXCH >>> Caller User Name: - >>> Caller Domain: - >>> Caller Logon ID: - >>> Caller Process ID: - >>> Transited Services: - >>> Source Network Address: - >>> Source Port: - >>> For more information, see Help and Support Center at >>> http://go.microsoft.com/fwlink/events.asp. >>> >>> "Zachary" <zdundore(a)agraind.com> wrote in message >>> news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>> >>>> Additional references i have found. These describe my situation >>>> also but >>>> they have no solution. >>>> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-loc >>>> king-doma.aspx >>>> http://antionline.com/archive/index.php/t-272867.html >>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>> news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>>> >>>>> Cross posting this to an exchange group. >>>>> >>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>> news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl... >>>>> >>>>>> I found this error. When i look at PID 4968 it is mad.exe which >>>>>> points to the MSExchangeSA service. I looked in the services MMC >>>>>> and that service is set to log on as Local System. Why would it >>>>>> be trying to use the domain admin account? >>>>>> >>>>>> Event Type: Failure Audit >>>>>> Event Source: Security >>>>>> Event Category: Logon/Logoff >>>>>> Event ID: 529 >>>>>> Date: 10/26/2009 >>>>>> Time: 11:02:01 AM >>>>>> User: NT AUTHORITY\SYSTEM >>>>>> Computer: EXCHANGE >>>>>> Description: >>>>>> Logon Failure: >>>>>> Reason: Unknown user name or bad password >>>>>> User Name: Administrator >>>>>> Domain: DOMAIN >>>>>> Logon Type: 7 >>>>>> Logon Process: Advapi >>>>>> Authentication Package: Negotiate >>>>>> Workstation Name: EXCHANGE >>>>>> Caller User Name: EXCHANGE$ >>>>>> Caller Domain: DOMAIN >>>>>> Caller Logon ID: (0x0,0x3E7) >>>>>> Caller Process ID: 4968 >>>>>> Transited Services: - >>>>>> Source Network Address: - >>>>>> Source Port: - >>>>>> For more information, see Help and Support Center at >>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>> >>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message >>>>>> news:6cb2911d88a98cc246d902e505f(a)msnews.microsoft.com... >>>>>> >>>>>>> Hello Zachary, >>>>>>> >>>>>>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as >>>>>>> listed in the event viewer entries? >>>>>>> >>>>>>> Also listed "0xc000006a" is bad password. >>>>>>> >>>>>>> Best regards >>>>>>> >>>>>>> Meinolf Weber >>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, >>>>>>> and >>>>>>> confers no rights. >>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>> ** HELP us help YOU!!! >>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>> Ok, with that being the case, is there more detailed auditing i >>>>>>>> can >>>>>>>> turn on >>>>>>>> to find out what service or app is attempting to make these >>>>>>>> authentications? >>>>>>>> When i look in the services mmc i don't see any services using >>>>>>>> the >>>>>>>> administrator account for validation and the only in house app >>>>>>>> being >>>>>>>> used is >>>>>>>> our intranet site and that is clean. >>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>> message >>>>>>>> news:6cb2911d88a38cc246a772b26ea(a)msnews.microsoft.com... >>>>>>>>> Hello Zachary, >>>>>>>>> >>>>>>>>> The domain administrator will automatically unlock, after being >>>>>>>>> locked out >>>>>>>>> >>>>>>>>> as soon as the correct password is used. >>>>>>>>> >>>>>>>>> http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Def >>>>>>>>> ault-d omain-administrator-account-is-locked_21003F00_.aspx >>>>>>>>> >>>>>>>>> Best regards >>>>>>>>> >>>>>>>>> Meinolf Weber >>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>> warranties, and >>>>>>>>> confers no rights. >>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>> ** HELP us help YOU!!! >>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>> If that is the case, shouldn't the domain account be locked >>>>>>>>>> out? >>>>>>>>>> We >>>>>>>>>> have a lockout policy and if a service or app attempts to >>>>>>>>>> validate >>>>>>>>>> credentials that may time unsuccessfully it should lock the >>>>>>>>>> account >>>>>>>>>> out. >>>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>>>> message >>>>>>>>>> news:6cb2911d889b8cc24681c6128a8(a)msnews.microsoft.com... >>>>>>>>>> >>>>>>>>>>> Hello Zachary, >>>>>>>>>>> >>>>>>>>>>> Seems that there are still some services/applications running >>>>>>>>>>> that need the password change. See also: >>>>>>>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853 >>>>>>>>>>> >>>>>>>>>>> Best regards >>>>>>>>>>> >>>>>>>>>>> Meinolf Weber >>>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>>>> warranties, >>>>>>>>>>> and >>>>>>>>>>> confers no rights. >>>>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>>>> ** HELP us help YOU!!! >>>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>>>> Hi everyone, >>>>>>>>>>>> >>>>>>>>>>>> Recently I have performed a password change on the default >>>>>>>>>>>> domain administrator account. Before the change was made >>>>>>>>>>>> last Friday I made sure to find all services and scheduled >>>>>>>>>>>> tasks in our network that were using the domain admin >>>>>>>>>>>> account and changed them to use their own service account. >>>>>>>>>>>> After the change all system functionality has been restored. >>>>>>>>>>>> (I.E. Exchange, Blackberry, our ERP system, everything is >>>>>>>>>>>> working) On top of that, the domain admin account isn't >>>>>>>>>>>> getting locked out. That should mean that there isn't >>>>>>>>>>>> anything with a stored password attempting to use the old >>>>>>>>>>>> password. With all that said, however, I am still receiving >>>>>>>>>>>> security failures in the event viewer on our primary DC. >>>>>>>>>>>> The failures are below. Any help understanding these on >>>>>>>>>>>> these would be appreciated. >>>>>>>>>>>> >>>>>>>>>>>> FYI - In doing research on the 4771 events I have found that >>>>>>>>>>>> the failure code 0x18 usually means a bad password. What I >>>>>>>>>>>> don't understand is that the two IP addresses listed with >>>>>>>>>>>> those events are our backup DCs. >>>>>>>>>>>> >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:32:08 AM >>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>> Account Information: >>>>>>>>>>>> Security ID: domain\Administrator >>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>> Service Information: >>>>>>>>>>>> Service Name: krbtgt/domain >>>>>>>>>>>> Network Information: >>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>> Client Port: 4240 >>>>>>>>>>>> Additional Information: >>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>> Certificate Information: >>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>> was >>>>>>>>>>>> used >>>>>>>>>>>> for >>>>>>>>>>>> pre-authentication. >>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>> are >>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>> could >>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>> be >>>>>>>>>>>> present. >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> - >>>>>>>>>>>> >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:32:07 AM >>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>> Account Information: >>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>> Service Information: >>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>> Network Information: >>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>> Client Port: 4238 >>>>>>>>>>>> Additional Information: >>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>> Certificate Information: >>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>> was >>>>>>>>>>>> used >>>>>>>>>>>> for >>>>>>>>>>>> pre-authentication. >>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>> are >>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>> could >>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>> be >>>>>>>>>>>> present. >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:32:01 AM >>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>> Account Information: >>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>> Service Information: >>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>> Network Information: >>>>>>>>>>>> Client Address: ::ffff:10.0.1.249 >>>>>>>>>>>> Client Port: 21106 >>>>>>>>>>>> Additional Information: >>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>> Certificate Information: >>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>> was >>>>>>>>>>>> used >>>>>>>>>>>> for >>>>>>>>>>>> pre-authentication. >>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>> are >>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>> could >>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>> be >>>>>>>>>>>> present. >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:31:31 AM >>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> The domain controller attempted to validate the credentials >>>>>>>>>>>> for >>>>>>>>>>>> an >>>>>>>>>>>> account. >>>>>>>>>>>> Authentication Package: >>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>> Logon Account: Administrator >>>>>>>>>>>> Source Workstation: EXCHANGESERVER >>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> - >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> The domain controller attempted to validate the credentials >>>>>>>>>>>> for >>>>>>>>>>>> an >>>>>>>>>>>> account. >>>>>>>>>>>> Authentication Package: >>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>> Source Workstation: ERPSERVER >>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> The domain controller attempted to validate the credentials >>>>>>>>>>>> for >>>>>>>>>>>> an >>>>>>>>>>>> account. >>>>>>>>>>>> Authentication Package: >>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>> Source Workstation: SYTEUTIL >>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>> ------------------------------------------------------------ >>>>>>>>>>>> Log Name: Security >>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>> Date: 10/26/2009 8:27:01 AM >>>>>>>>>>>> Event ID: 4769 >>>>>>>>>>>> Task Category: Kerberos Service Ticket Operations >>>>>>>>>>>> Level: Information >>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>> User: N/A >>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>> Description: >>>>>>>>>>>> A Kerberos service ticket was requested. >>>>>>>>>>>> Account Information: >>>>>>>>>>>> Account Name: DC$@DOMAIN.COM >>>>>>>>>>>> Account Domain: DOMAIN.COM >>>>>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>>>>>>>>>> Service Information: >>>>>>>>>>>> Service Name: krbtgt/DOMAIN.COM >>>>>>>>>>>> Service ID: NULL SID >>>>>>>>>>>> Network Information: >>>>>>>>>>>> Client Address: ::1 >>>>>>>>>>>> Client Port: 0 >>>>>>>>>>>> Additional Information: >>>>>>>>>>>> Ticket Options: 0x60810010 >>>>>>>>>>>> Ticket Encryption Type: 0xffffffff >>>>>>>>>>>> Failure Code: 0xe >>>>>>>>>>>> Transited Services: - >>>>>>>>>>>> This event is generated every time access is requested to a >>>>>>>>>>>> resource >>>>>>>>>>>> such as a computer or a Windows service. The service name >>>>>>>>>>>> indicates >>>>>>>>>>>> the resource to which access was requested. >>>>>>>>>>>> This event can be correlated with Windows logon events by >>>>>>>>>>>> comparing >>>>>>>>>>>> the Logon GUID fields in each event. The logon event occurs >>>>>>>>>>>> on >>>>>>>>>>>> the >>>>>>>>>>>> machine that was accessed, which is often a different >>>>>>>>>>>> machine >>>>>>>>>>>> than >>>>>>>>>>>> the domain controller which issued the service ticket. >>>>>>>>>>>> Ticket options, encryption types, and failure codes are >>>>>>>>>>>> defined >>>>>>>>>>>> in >>>>>>>>>>>> RFC 4120. > >
From: Meinolf Weber [MVP-DS] on 29 Oct 2009 19:24 Hello Zachary, Here is the 'client address' listed with both if i am not wrong: ------------------------------------- Computer: AGRADC2.agraind.com Description: Kerberos pre-authentication failed. Account Information: Security ID: AGRA\Administrator Account Name: Administrator Service Information: Service Name: krbtgt/AGRA Network Information: Client Address: ::ffff:10.0.1.254 ------------------------------------- See for disabling IPv6: http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > According to the IP addresses listed you use IPv6 and IPv4 together on > some machines? > > Explain to me where you see that please. On the only windows 2008 > server we have IPv6 is disabled on the NIC. All other servers are > either windows server 2000 or 2003 and aren't capable of IPv6. > > Are the time settings/time zones the same on all machines? Yes and all > server are configured to sync to the PDC via NTP. > > Are any of the machines restored after a crash? > No. None of the machines have been restored from a crash. > "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message > news:6cb2911d8c5b8cc26de44ef06e4(a)msnews.microsoft.com... > >> Hello Zachary, >> >> Sorry for being late. >> >> According to the ip addresses listed you use IPv6 and IPv4 together >> on some machines? >> >> Are the time settings/time zones the same on all machines? >> >> Are any of the machines restored after a crash? >> >> Best regards >> >> Meinolf Weber >> Disclaimer: This posting is provided "AS IS" with no warranties, and >> confers no rights. >> ** Please do NOT email, only reply to Newsgroups >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm >>> Here is a status update. My exchange server is still throwing this >>> error >>> and every time it does it coralates to the next error that show up >>> on >>> our >>> main DC. >>> ----------------------------------------------------- >>> Event Type: Failure Audit >>> Event Source: Security >>> Event Category: Logon/Logoff >>> Event ID: 529 >>> Date: 10/26/2009 >>> Time: 3:36:37 PM >>> User: NT AUTHORITY\SYSTEM >>> Computer: AGRAEXCH >>> Description: >>> Logon Failure: >>> Reason: Unknown user name or bad password >>> User Name: Administrator >>> Domain: AGRA >>> Logon Type: 3 >>> Logon Process: NtLmSsp >>> Authentication Package: NTLM >>> Workstation Name: AGRAEXCH >>> Caller User Name: - >>> Caller Domain: - >>> Caller Logon ID: - >>> Caller Process ID: - >>> Transited Services: - >>> Source Network Address: - >>> Source Port: - >>> ---------------------------------------------------- >>> Log Name: Security >>> Source: Microsoft-Windows-Security-Auditing >>> Date: 10/26/2009 3:36:37 PM >>> Event ID: 4776 >>> Task Category: Credential Validation >>> Level: Information >>> Keywords: Audit Failure >>> User: N/A >>> Computer: AGRADC2.agraind.com >>> Description: >>> The domain controller attempted to validate the credentials for an >>> account. >>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>> Logon Account: Administrator >>> Source Workstation: AGRAEXCH >>> Error Code: 0xc000006a >>> --------------------------------------------------- >>> Then the Syteutil server issues this error every 10 minutes and PID >>> 4704 is >>> w3wp.exe. This error coralates to the second error from our DC. >>> --------------------------------------------------- >>> Event Type: Failure Audit >>> Event Source: Security >>> Event Category: Logon/Logoff >>> Event ID: 529 >>> Date: 10/26/2009 >>> Time: 3:40:07 PM >>> User: NT AUTHORITY\SYSTEM >>> Computer: SYTEUTIL >>> Description: >>> Logon Failure: >>> Reason: Unknown user name or bad password >>> User Name: administrator >>> Domain: agra >>> Logon Type: 3 >>> Logon Process: Advapi >>> Authentication Package: Negotiate >>> Workstation Name: SYTEUTIL >>> Caller User Name: NETWORK SERVICE >>> Caller Domain: NT AUTHORITY >>> Caller Logon ID: (0x0,0x3E4) >>> Caller Process ID: 4704 >>> Transited Services: - >>> Source Network Address: - >>> Source Port: - >>> ---------------------------------------------------- >>> Log Name: Security >>> Source: Microsoft-Windows-Security-Auditing >>> Date: 10/26/2009 3:40:07 PM >>> Event ID: 4776 >>> Task Category: Credential Validation >>> Level: Information >>> Keywords: Audit Failure >>> User: N/A >>> Computer: AGRADC2.agraind.com >>> Description: >>> The domain controller attempted to validate the credentials for an >>> account. >>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>> Logon Account: administrator >>> Source Workstation: SYTEUTIL >>> Error Code: 0xc000006a >>> ---------------------------------------------------- >>> Then there is this error every 5 minutes, the ip listed is our >>> second >>> DC >>> ---------------------------------------------------- >>> Log Name: Security >>> Source: Microsoft-Windows-Security-Auditing >>> Date: 10/26/2009 3:32:21 PM >>> Event ID: 4771 >>> Task Category: Kerberos Authentication Service >>> Level: Information >>> Keywords: Audit Failure >>> User: N/A >>> Computer: AGRADC2.agraind.com >>> Description: >>> Kerberos pre-authentication failed. >>> Account Information: >>> Security ID: AGRA\Administrator >>> Account Name: Administrator >>> Service Information: >>> Service Name: krbtgt/AGRA >>> Network Information: >>> Client Address: ::ffff:10.0.1.254 >>> Client Port: 2010 >>> Additional Information: >>> Ticket Options: 0x40810010 >>> Failure Code: 0x18 >>> Pre-Authentication Type: 2 >>> Certificate Information: >>> Certificate Issuer Name: >>> Certificate Serial Number: >>> Certificate Thumbprint: >>> Certificate information is only provided if a certificate was used >>> for >>> pre-authentication. >>> Pre-authentication types, ticket options and failure codes are >>> defined in RFC 4120. >>> >>> If the ticket was malformed or damaged during transit and could not >>> be decrypted, then many fields in this event might not be present. >>> --------------------------------------------------- >>> >>> Then there is this one that happens every 10 mins, the ip listed is >>> our >>> third DC >>> --------------------------------------------------- >>> Log Name: Security >>> Source: Microsoft-Windows-Security-Auditing >>> Date: 10/26/2009 3:30:06 PM >>> Event ID: 4771 >>> Task Category: Kerberos Authentication Service >>> Level: Information >>> Keywords: Audit Failure >>> User: N/A >>> Computer: AGRADC2.agraind.com >>> Description: >>> Kerberos pre-authentication failed. >>> Account Information: >>> Security ID: AGRA\Administrator >>> Account Name: Administrator >>> Service Information: >>> Service Name: krbtgt/agra >>> Network Information: >>> Client Address: ::ffff:10.0.1.249 >>> Client Port: 30051 >>> Additional Information: >>> Ticket Options: 0x40810010 >>> Failure Code: 0x18 >>> Pre-Authentication Type: 2 >>> Certificate Information: >>> Certificate Issuer Name: >>> Certificate Serial Number: >>> Certificate Thumbprint: >>> Certificate information is only provided if a certificate was used >>> for >>> pre-authentication. >>> Pre-authentication types, ticket options and failure codes are >>> defined in RFC 4120. >>> >>> If the ticket was malformed or damaged during transit and could not >>> be decrypted, then many fields in this event might not be present. >>> --------------------------------------------------- >>> >>> Then there are two of these ever 10 minutes on our Main DC >>> --------------------------------------------------- >>> Log Name: Security >>> Source: Microsoft-Windows-Security-Auditing >>> Date: 10/26/2009 3:38:15 PM >>> Event ID: 4769 >>> Task Category: Kerberos Service Ticket Operations >>> Level: Information >>> Keywords: Audit Failure >>> User: N/A >>> Computer: AGRADC2.agraind.com >>> Description: >>> A Kerberos service ticket was requested. >>> Account Information: >>> Account Name: AGRADC2$@AGRAIND.COM >>> Account Domain: AGRAIND.COM >>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>> Service Information: >>> Service Name: krbtgt/AGRAIND.COM >>> Service ID: NULL SID >>> Network Information: >>> Client Address: ::1 >>> Client Port: 0 >>> Additional Information: >>> Ticket Options: 0x60810010 >>> Ticket Encryption Type: 0xffffffff >>> Failure Code: 0xe >>> Transited Services: - >>> This event is generated every time access is requested to a resource >>> such as a computer or a Windows service. The service name indicates >>> the resource to which access was requested. >>> This event can be correlated with Windows logon events by comparing >>> the Logon GUID fields in each event. The logon event occurs on the >>> machine that was accessed, which is often a different machine than >>> the domain controller which issued the service ticket. >>> >>> Ticket options, encryption types, and failure codes are defined in >>> RFC 4120. --------------------------------------------------- >>> >>> Are all of these related to the two member servers having problems >>> or is this somthing deeper. >>> >>> "Zachary" <zdundore(a)agraind.com> wrote in message >>> news:uLJxJAmVKHA.220(a)TK2MSFTNGP02.phx.gbl... >>>> Found one of the culprits. The Exchange service account for legacy >>>> access was set to the domain admin. This is found in the system >>>> manager>Administrative Groups and then right click your >>>> administrative group and on the general tab you will see this >>>> setting. I am still recieving this error yet from the exchange >>>> server: Any ideas? >>>> >>>> Event Type: Failure Audit >>>> Event Source: Security >>>> Event Category: Logon/Logoff >>>> Event ID: 529 >>>> Date: 10/26/2009 >>>> Time: 12:11:34 PM >>>> User: NT AUTHORITY\SYSTEM >>>> Computer: AGRAEXCH >>>> Description: >>>> Logon Failure: >>>> Reason: Unknown user name or bad password >>>> User Name: Administrator >>>> Domain: AGRA >>>> Logon Type: 3 >>>> Logon Process: NtLmSsp >>>> Authentication Package: NTLM >>>> Workstation Name: AGRAEXCH >>>> Caller User Name: - >>>> Caller Domain: - >>>> Caller Logon ID: - >>>> Caller Process ID: - >>>> Transited Services: - >>>> Source Network Address: - >>>> Source Port: - >>>> For more information, see Help and Support Center at >>>> http://go.microsoft.com/fwlink/events.asp. >>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>> news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>>>> Additional references i have found. These describe my situation >>>>> also but >>>>> they have no solution. >>>>> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-l >>>>> oc >>>>> king-doma.aspx >>>>> http://antionline.com/archive/index.php/t-272867.html >>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>> news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>>>>> Cross posting this to an exchange group. >>>>>> >>>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>>> news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl... >>>>>>> I found this error. When i look at PID 4968 it is mad.exe which >>>>>>> points to the MSExchangeSA service. I looked in the services >>>>>>> MMC and that service is set to log on as Local System. Why >>>>>>> would it be trying to use the domain admin account? >>>>>>> >>>>>>> Event Type: Failure Audit >>>>>>> Event Source: Security >>>>>>> Event Category: Logon/Logoff >>>>>>> Event ID: 529 >>>>>>> Date: 10/26/2009 >>>>>>> Time: 11:02:01 AM >>>>>>> User: NT AUTHORITY\SYSTEM >>>>>>> Computer: EXCHANGE >>>>>>> Description: >>>>>>> Logon Failure: >>>>>>> Reason: Unknown user name or bad password >>>>>>> User Name: Administrator >>>>>>> Domain: DOMAIN >>>>>>> Logon Type: 7 >>>>>>> Logon Process: Advapi >>>>>>> Authentication Package: Negotiate >>>>>>> Workstation Name: EXCHANGE >>>>>>> Caller User Name: EXCHANGE$ >>>>>>> Caller Domain: DOMAIN >>>>>>> Caller Logon ID: (0x0,0x3E7) >>>>>>> Caller Process ID: 4968 >>>>>>> Transited Services: - >>>>>>> Source Network Address: - >>>>>>> Source Port: - >>>>>>> For more information, see Help and Support Center at >>>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>> message news:6cb2911d88a98cc246d902e505f(a)msnews.microsoft.com... >>>>>>> >>>>>>>> Hello Zachary, >>>>>>>> >>>>>>>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL >>>>>>>> as listed in the event viewer entries? >>>>>>>> >>>>>>>> Also listed "0xc000006a" is bad password. >>>>>>>> >>>>>>>> Best regards >>>>>>>> >>>>>>>> Meinolf Weber >>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>> warranties, >>>>>>>> and >>>>>>>> confers no rights. >>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>> ** HELP us help YOU!!! >>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>> Ok, with that being the case, is there more detailed auditing >>>>>>>>> i >>>>>>>>> can >>>>>>>>> turn on >>>>>>>>> to find out what service or app is attempting to make these >>>>>>>>> authentications? >>>>>>>>> When i look in the services mmc i don't see any services using >>>>>>>>> the >>>>>>>>> administrator account for validation and the only in house app >>>>>>>>> being >>>>>>>>> used is >>>>>>>>> our intranet site and that is clean. >>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>>> message >>>>>>>>> news:6cb2911d88a38cc246a772b26ea(a)msnews.microsoft.com... >>>>>>>>>> Hello Zachary, >>>>>>>>>> >>>>>>>>>> The domain administrator will automatically unlock, after >>>>>>>>>> being locked out >>>>>>>>>> >>>>>>>>>> as soon as the correct password is used. >>>>>>>>>> >>>>>>>>>> http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-D >>>>>>>>>> ef ault-d >>>>>>>>>> omain-administrator-account-is-locked_21003F00_.aspx >>>>>>>>>> >>>>>>>>>> Best regards >>>>>>>>>> >>>>>>>>>> Meinolf Weber >>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>>> warranties, and >>>>>>>>>> confers no rights. >>>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>>> ** HELP us help YOU!!! >>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>>> If that is the case, shouldn't the domain account be locked >>>>>>>>>>> out? >>>>>>>>>>> We >>>>>>>>>>> have a lockout policy and if a service or app attempts to >>>>>>>>>>> validate >>>>>>>>>>> credentials that may time unsuccessfully it should lock the >>>>>>>>>>> account >>>>>>>>>>> out. >>>>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>>>>> message >>>>>>>>>>> news:6cb2911d889b8cc24681c6128a8(a)msnews.microsoft.com... >>>>>>>>>>>> Hello Zachary, >>>>>>>>>>>> >>>>>>>>>>>> Seems that there are still some services/applications >>>>>>>>>>>> running that need the password change. See also: >>>>>>>>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853 >>>>>>>>>>>> >>>>>>>>>>>> Best regards >>>>>>>>>>>> >>>>>>>>>>>> Meinolf Weber >>>>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>>>>> warranties, >>>>>>>>>>>> and >>>>>>>>>>>> confers no rights. >>>>>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>>>>> ** HELP us help YOU!!! >>>>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>>>>> Hi everyone, >>>>>>>>>>>>> >>>>>>>>>>>>> Recently I have performed a password change on the default >>>>>>>>>>>>> domain administrator account. Before the change was made >>>>>>>>>>>>> last Friday I made sure to find all services and scheduled >>>>>>>>>>>>> tasks in our network that were using the domain admin >>>>>>>>>>>>> account and changed them to use their own service account. >>>>>>>>>>>>> After the change all system functionality has been >>>>>>>>>>>>> restored. >>>>>>>>>>>>> (I.E. Exchange, Blackberry, our ERP system, everything is >>>>>>>>>>>>> working) On top of that, the domain admin account isn't >>>>>>>>>>>>> getting locked out. That should mean that there isn't >>>>>>>>>>>>> anything with a stored password attempting to use the old >>>>>>>>>>>>> password. With all that said, however, I am still >>>>>>>>>>>>> receiving >>>>>>>>>>>>> security failures in the event viewer on our primary DC. >>>>>>>>>>>>> The failures are below. Any help understanding these on >>>>>>>>>>>>> these would be appreciated. >>>>>>>>>>>>> FYI - In doing research on the 4771 events I have found >>>>>>>>>>>>> that the failure code 0x18 usually means a bad password. >>>>>>>>>>>>> What I don't understand is that the two IP addresses >>>>>>>>>>>>> listed with those events are our backup DCs. >>>>>>>>>>>>> >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:32:08 AM >>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>> Account Information: >>>>>>>>>>>>> Security ID: domain\Administrator >>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>> Service Information: >>>>>>>>>>>>> Service Name: krbtgt/domain >>>>>>>>>>>>> Network Information: >>>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>>> Client Port: 4240 >>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>> was >>>>>>>>>>>>> used >>>>>>>>>>>>> for >>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>> are >>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>> could >>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>> be >>>>>>>>>>>>> present. >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> - >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:32:07 AM >>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>> Account Information: >>>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>> Service Information: >>>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>>> Network Information: >>>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>>> Client Port: 4238 >>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>> was >>>>>>>>>>>>> used >>>>>>>>>>>>> for >>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>> are >>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>> could >>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>> be >>>>>>>>>>>>> present. >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:32:01 AM >>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>> Account Information: >>>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>> Service Information: >>>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>>> Network Information: >>>>>>>>>>>>> Client Address: ::ffff:10.0.1.249 >>>>>>>>>>>>> Client Port: 21106 >>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>> was >>>>>>>>>>>>> used >>>>>>>>>>>>> for >>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>> are >>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>> could >>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>> be >>>>>>>>>>>>> present. >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:31:31 AM >>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>> credentials >>>>>>>>>>>>> for >>>>>>>>>>>>> an >>>>>>>>>>>>> account. >>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>> Logon Account: Administrator >>>>>>>>>>>>> Source Workstation: EXCHANGESERVER >>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> - >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>> credentials >>>>>>>>>>>>> for >>>>>>>>>>>>> an >>>>>>>>>>>>> account. >>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>>> Source Workstation: ERPSERVER >>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>> credentials >>>>>>>>>>>>> for >>>>>>>>>>>>> an >>>>>>>>>>>>> account. >>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>>> Source Workstation: SYTEUTIL >>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>> -- >>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>> Date: 10/26/2009 8:27:01 AM >>>>>>>>>>>>> Event ID: 4769 >>>>>>>>>>>>> Task Category: Kerberos Service Ticket Operations >>>>>>>>>>>>> Level: Information >>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>> User: N/A >>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>> Description: >>>>>>>>>>>>> A Kerberos service ticket was requested. >>>>>>>>>>>>> Account Information: >>>>>>>>>>>>> Account Name: DC$@DOMAIN.COM >>>>>>>>>>>>> Account Domain: DOMAIN.COM >>>>>>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>>>>>>>>>>> Service Information: >>>>>>>>>>>>> Service Name: krbtgt/DOMAIN.COM >>>>>>>>>>>>> Service ID: NULL SID >>>>>>>>>>>>> Network Information: >>>>>>>>>>>>> Client Address: ::1 >>>>>>>>>>>>> Client Port: 0 >>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>> Ticket Options: 0x60810010 >>>>>>>>>>>>> Ticket Encryption Type: 0xffffffff >>>>>>>>>>>>> Failure Code: 0xe >>>>>>>>>>>>> Transited Services: - >>>>>>>>>>>>> This event is generated every time access is requested to >>>>>>>>>>>>> a >>>>>>>>>>>>> resource >>>>>>>>>>>>> such as a computer or a Windows service. The service name >>>>>>>>>>>>> indicates >>>>>>>>>>>>> the resource to which access was requested. >>>>>>>>>>>>> This event can be correlated with Windows logon events by >>>>>>>>>>>>> comparing >>>>>>>>>>>>> the Logon GUID fields in each event. The logon event >>>>>>>>>>>>> occurs >>>>>>>>>>>>> on >>>>>>>>>>>>> the >>>>>>>>>>>>> machine that was accessed, which is often a different >>>>>>>>>>>>> machine >>>>>>>>>>>>> than >>>>>>>>>>>>> the domain controller which issued the service ticket. >>>>>>>>>>>>> Ticket options, encryption types, and failure codes are >>>>>>>>>>>>> defined >>>>>>>>>>>>> in >>>>>>>>>>>>> RFC 4120.
From: Zachary on 30 Oct 2009 15:02
i have performed the steps on the link you provided. I already had one of the three steps done. Does this need a reboot to take effect? If that is the case, updates are scheduled to run tomorrow at 3 AM so that should force a reboot. I will see if that clears this up then. "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message news:6cb2911d8cd78cc270e8271d19b(a)msnews.microsoft.com... > Hello Zachary, > > Here is the 'client address' listed with both if i am not wrong: > ------------------------------------- > Computer: AGRADC2.agraind.com > Description: > Kerberos pre-authentication failed. > > Account Information: > Security ID: AGRA\Administrator > Account Name: Administrator > > Service Information: > Service Name: krbtgt/AGRA > > Network Information: > Client Address: ::ffff:10.0.1.254 > ------------------------------------- > > See for disabling IPv6: > http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx > > Best regards > > Meinolf Weber > Disclaimer: This posting is provided "AS IS" with no warranties, and > confers no rights. > ** Please do NOT email, only reply to Newsgroups > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > >> According to the IP addresses listed you use IPv6 and IPv4 together on >> some machines? >> >> Explain to me where you see that please. On the only windows 2008 >> server we have IPv6 is disabled on the NIC. All other servers are >> either windows server 2000 or 2003 and aren't capable of IPv6. >> >> Are the time settings/time zones the same on all machines? Yes and all >> server are configured to sync to the PDC via NTP. >> >> Are any of the machines restored after a crash? >> No. None of the machines have been restored from a crash. >> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message >> news:6cb2911d8c5b8cc26de44ef06e4(a)msnews.microsoft.com... >> >>> Hello Zachary, >>> >>> Sorry for being late. >>> >>> According to the ip addresses listed you use IPv6 and IPv4 together >>> on some machines? >>> >>> Are the time settings/time zones the same on all machines? >>> >>> Are any of the machines restored after a crash? >>> >>> Best regards >>> >>> Meinolf Weber >>> Disclaimer: This posting is provided "AS IS" with no warranties, and >>> confers no rights. >>> ** Please do NOT email, only reply to Newsgroups >>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm >>>> Here is a status update. My exchange server is still throwing this >>>> error >>>> and every time it does it coralates to the next error that show up >>>> on >>>> our >>>> main DC. >>>> ----------------------------------------------------- >>>> Event Type: Failure Audit >>>> Event Source: Security >>>> Event Category: Logon/Logoff >>>> Event ID: 529 >>>> Date: 10/26/2009 >>>> Time: 3:36:37 PM >>>> User: NT AUTHORITY\SYSTEM >>>> Computer: AGRAEXCH >>>> Description: >>>> Logon Failure: >>>> Reason: Unknown user name or bad password >>>> User Name: Administrator >>>> Domain: AGRA >>>> Logon Type: 3 >>>> Logon Process: NtLmSsp >>>> Authentication Package: NTLM >>>> Workstation Name: AGRAEXCH >>>> Caller User Name: - >>>> Caller Domain: - >>>> Caller Logon ID: - >>>> Caller Process ID: - >>>> Transited Services: - >>>> Source Network Address: - >>>> Source Port: - >>>> ---------------------------------------------------- >>>> Log Name: Security >>>> Source: Microsoft-Windows-Security-Auditing >>>> Date: 10/26/2009 3:36:37 PM >>>> Event ID: 4776 >>>> Task Category: Credential Validation >>>> Level: Information >>>> Keywords: Audit Failure >>>> User: N/A >>>> Computer: AGRADC2.agraind.com >>>> Description: >>>> The domain controller attempted to validate the credentials for an >>>> account. >>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>> Logon Account: Administrator >>>> Source Workstation: AGRAEXCH >>>> Error Code: 0xc000006a >>>> --------------------------------------------------- >>>> Then the Syteutil server issues this error every 10 minutes and PID >>>> 4704 is >>>> w3wp.exe. This error coralates to the second error from our DC. >>>> --------------------------------------------------- >>>> Event Type: Failure Audit >>>> Event Source: Security >>>> Event Category: Logon/Logoff >>>> Event ID: 529 >>>> Date: 10/26/2009 >>>> Time: 3:40:07 PM >>>> User: NT AUTHORITY\SYSTEM >>>> Computer: SYTEUTIL >>>> Description: >>>> Logon Failure: >>>> Reason: Unknown user name or bad password >>>> User Name: administrator >>>> Domain: agra >>>> Logon Type: 3 >>>> Logon Process: Advapi >>>> Authentication Package: Negotiate >>>> Workstation Name: SYTEUTIL >>>> Caller User Name: NETWORK SERVICE >>>> Caller Domain: NT AUTHORITY >>>> Caller Logon ID: (0x0,0x3E4) >>>> Caller Process ID: 4704 >>>> Transited Services: - >>>> Source Network Address: - >>>> Source Port: - >>>> ---------------------------------------------------- >>>> Log Name: Security >>>> Source: Microsoft-Windows-Security-Auditing >>>> Date: 10/26/2009 3:40:07 PM >>>> Event ID: 4776 >>>> Task Category: Credential Validation >>>> Level: Information >>>> Keywords: Audit Failure >>>> User: N/A >>>> Computer: AGRADC2.agraind.com >>>> Description: >>>> The domain controller attempted to validate the credentials for an >>>> account. >>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>> Logon Account: administrator >>>> Source Workstation: SYTEUTIL >>>> Error Code: 0xc000006a >>>> ---------------------------------------------------- >>>> Then there is this error every 5 minutes, the ip listed is our >>>> second >>>> DC >>>> ---------------------------------------------------- >>>> Log Name: Security >>>> Source: Microsoft-Windows-Security-Auditing >>>> Date: 10/26/2009 3:32:21 PM >>>> Event ID: 4771 >>>> Task Category: Kerberos Authentication Service >>>> Level: Information >>>> Keywords: Audit Failure >>>> User: N/A >>>> Computer: AGRADC2.agraind.com >>>> Description: >>>> Kerberos pre-authentication failed. >>>> Account Information: >>>> Security ID: AGRA\Administrator >>>> Account Name: Administrator >>>> Service Information: >>>> Service Name: krbtgt/AGRA >>>> Network Information: >>>> Client Address: ::ffff:10.0.1.254 >>>> Client Port: 2010 >>>> Additional Information: >>>> Ticket Options: 0x40810010 >>>> Failure Code: 0x18 >>>> Pre-Authentication Type: 2 >>>> Certificate Information: >>>> Certificate Issuer Name: >>>> Certificate Serial Number: >>>> Certificate Thumbprint: >>>> Certificate information is only provided if a certificate was used >>>> for >>>> pre-authentication. >>>> Pre-authentication types, ticket options and failure codes are >>>> defined in RFC 4120. >>>> >>>> If the ticket was malformed or damaged during transit and could not >>>> be decrypted, then many fields in this event might not be present. >>>> --------------------------------------------------- >>>> >>>> Then there is this one that happens every 10 mins, the ip listed is >>>> our >>>> third DC >>>> --------------------------------------------------- >>>> Log Name: Security >>>> Source: Microsoft-Windows-Security-Auditing >>>> Date: 10/26/2009 3:30:06 PM >>>> Event ID: 4771 >>>> Task Category: Kerberos Authentication Service >>>> Level: Information >>>> Keywords: Audit Failure >>>> User: N/A >>>> Computer: AGRADC2.agraind.com >>>> Description: >>>> Kerberos pre-authentication failed. >>>> Account Information: >>>> Security ID: AGRA\Administrator >>>> Account Name: Administrator >>>> Service Information: >>>> Service Name: krbtgt/agra >>>> Network Information: >>>> Client Address: ::ffff:10.0.1.249 >>>> Client Port: 30051 >>>> Additional Information: >>>> Ticket Options: 0x40810010 >>>> Failure Code: 0x18 >>>> Pre-Authentication Type: 2 >>>> Certificate Information: >>>> Certificate Issuer Name: >>>> Certificate Serial Number: >>>> Certificate Thumbprint: >>>> Certificate information is only provided if a certificate was used >>>> for >>>> pre-authentication. >>>> Pre-authentication types, ticket options and failure codes are >>>> defined in RFC 4120. >>>> >>>> If the ticket was malformed or damaged during transit and could not >>>> be decrypted, then many fields in this event might not be present. >>>> --------------------------------------------------- >>>> >>>> Then there are two of these ever 10 minutes on our Main DC >>>> --------------------------------------------------- >>>> Log Name: Security >>>> Source: Microsoft-Windows-Security-Auditing >>>> Date: 10/26/2009 3:38:15 PM >>>> Event ID: 4769 >>>> Task Category: Kerberos Service Ticket Operations >>>> Level: Information >>>> Keywords: Audit Failure >>>> User: N/A >>>> Computer: AGRADC2.agraind.com >>>> Description: >>>> A Kerberos service ticket was requested. >>>> Account Information: >>>> Account Name: AGRADC2$@AGRAIND.COM >>>> Account Domain: AGRAIND.COM >>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>> Service Information: >>>> Service Name: krbtgt/AGRAIND.COM >>>> Service ID: NULL SID >>>> Network Information: >>>> Client Address: ::1 >>>> Client Port: 0 >>>> Additional Information: >>>> Ticket Options: 0x60810010 >>>> Ticket Encryption Type: 0xffffffff >>>> Failure Code: 0xe >>>> Transited Services: - >>>> This event is generated every time access is requested to a resource >>>> such as a computer or a Windows service. The service name indicates >>>> the resource to which access was requested. >>>> This event can be correlated with Windows logon events by comparing >>>> the Logon GUID fields in each event. The logon event occurs on the >>>> machine that was accessed, which is often a different machine than >>>> the domain controller which issued the service ticket. >>>> >>>> Ticket options, encryption types, and failure codes are defined in >>>> RFC 4120. --------------------------------------------------- >>>> >>>> Are all of these related to the two member servers having problems >>>> or is this somthing deeper. >>>> >>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>> news:uLJxJAmVKHA.220(a)TK2MSFTNGP02.phx.gbl... >>>>> Found one of the culprits. The Exchange service account for legacy >>>>> access was set to the domain admin. This is found in the system >>>>> manager>Administrative Groups and then right click your >>>>> administrative group and on the general tab you will see this >>>>> setting. I am still recieving this error yet from the exchange >>>>> server: Any ideas? >>>>> >>>>> Event Type: Failure Audit >>>>> Event Source: Security >>>>> Event Category: Logon/Logoff >>>>> Event ID: 529 >>>>> Date: 10/26/2009 >>>>> Time: 12:11:34 PM >>>>> User: NT AUTHORITY\SYSTEM >>>>> Computer: AGRAEXCH >>>>> Description: >>>>> Logon Failure: >>>>> Reason: Unknown user name or bad password >>>>> User Name: Administrator >>>>> Domain: AGRA >>>>> Logon Type: 3 >>>>> Logon Process: NtLmSsp >>>>> Authentication Package: NTLM >>>>> Workstation Name: AGRAEXCH >>>>> Caller User Name: - >>>>> Caller Domain: - >>>>> Caller Logon ID: - >>>>> Caller Process ID: - >>>>> Transited Services: - >>>>> Source Network Address: - >>>>> Source Port: - >>>>> For more information, see Help and Support Center at >>>>> http://go.microsoft.com/fwlink/events.asp. >>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>> news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>>>>> Additional references i have found. These describe my situation >>>>>> also but >>>>>> they have no solution. >>>>>> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-l >>>>>> oc >>>>>> king-doma.aspx >>>>>> http://antionline.com/archive/index.php/t-272867.html >>>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>>> news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl... >>>>>>> Cross posting this to an exchange group. >>>>>>> >>>>>>> "Zachary" <zdundore(a)agraind.com> wrote in message >>>>>>> news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl... >>>>>>>> I found this error. When i look at PID 4968 it is mad.exe which >>>>>>>> points to the MSExchangeSA service. I looked in the services >>>>>>>> MMC and that service is set to log on as Local System. Why >>>>>>>> would it be trying to use the domain admin account? >>>>>>>> >>>>>>>> Event Type: Failure Audit >>>>>>>> Event Source: Security >>>>>>>> Event Category: Logon/Logoff >>>>>>>> Event ID: 529 >>>>>>>> Date: 10/26/2009 >>>>>>>> Time: 11:02:01 AM >>>>>>>> User: NT AUTHORITY\SYSTEM >>>>>>>> Computer: EXCHANGE >>>>>>>> Description: >>>>>>>> Logon Failure: >>>>>>>> Reason: Unknown user name or bad password >>>>>>>> User Name: Administrator >>>>>>>> Domain: DOMAIN >>>>>>>> Logon Type: 7 >>>>>>>> Logon Process: Advapi >>>>>>>> Authentication Package: Negotiate >>>>>>>> Workstation Name: EXCHANGE >>>>>>>> Caller User Name: EXCHANGE$ >>>>>>>> Caller Domain: DOMAIN >>>>>>>> Caller Logon ID: (0x0,0x3E7) >>>>>>>> Caller Process ID: 4968 >>>>>>>> Transited Services: - >>>>>>>> Source Network Address: - >>>>>>>> Source Port: - >>>>>>>> For more information, see Help and Support Center at >>>>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>> message news:6cb2911d88a98cc246d902e505f(a)msnews.microsoft.com... >>>>>>>> >>>>>>>>> Hello Zachary, >>>>>>>>> >>>>>>>>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL >>>>>>>>> as listed in the event viewer entries? >>>>>>>>> >>>>>>>>> Also listed "0xc000006a" is bad password. >>>>>>>>> >>>>>>>>> Best regards >>>>>>>>> >>>>>>>>> Meinolf Weber >>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>> warranties, >>>>>>>>> and >>>>>>>>> confers no rights. >>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>> ** HELP us help YOU!!! >>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>> Ok, with that being the case, is there more detailed auditing >>>>>>>>>> i >>>>>>>>>> can >>>>>>>>>> turn on >>>>>>>>>> to find out what service or app is attempting to make these >>>>>>>>>> authentications? >>>>>>>>>> When i look in the services mmc i don't see any services using >>>>>>>>>> the >>>>>>>>>> administrator account for validation and the only in house app >>>>>>>>>> being >>>>>>>>>> used is >>>>>>>>>> our intranet site and that is clean. >>>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>>>> message >>>>>>>>>> news:6cb2911d88a38cc246a772b26ea(a)msnews.microsoft.com... >>>>>>>>>>> Hello Zachary, >>>>>>>>>>> >>>>>>>>>>> The domain administrator will automatically unlock, after >>>>>>>>>>> being locked out >>>>>>>>>>> >>>>>>>>>>> as soon as the correct password is used. >>>>>>>>>>> >>>>>>>>>>> http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-D >>>>>>>>>>> ef ault-d >>>>>>>>>>> omain-administrator-account-is-locked_21003F00_.aspx >>>>>>>>>>> >>>>>>>>>>> Best regards >>>>>>>>>>> >>>>>>>>>>> Meinolf Weber >>>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>>>> warranties, and >>>>>>>>>>> confers no rights. >>>>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>>>> ** HELP us help YOU!!! >>>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>>>> If that is the case, shouldn't the domain account be locked >>>>>>>>>>>> out? >>>>>>>>>>>> We >>>>>>>>>>>> have a lockout policy and if a service or app attempts to >>>>>>>>>>>> validate >>>>>>>>>>>> credentials that may time unsuccessfully it should lock the >>>>>>>>>>>> account >>>>>>>>>>>> out. >>>>>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in >>>>>>>>>>>> message >>>>>>>>>>>> news:6cb2911d889b8cc24681c6128a8(a)msnews.microsoft.com... >>>>>>>>>>>>> Hello Zachary, >>>>>>>>>>>>> >>>>>>>>>>>>> Seems that there are still some services/applications >>>>>>>>>>>>> running that need the password change. See also: >>>>>>>>>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853 >>>>>>>>>>>>> >>>>>>>>>>>>> Best regards >>>>>>>>>>>>> >>>>>>>>>>>>> Meinolf Weber >>>>>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no >>>>>>>>>>>>> warranties, >>>>>>>>>>>>> and >>>>>>>>>>>>> confers no rights. >>>>>>>>>>>>> ** Please do NOT email, only reply to Newsgroups >>>>>>>>>>>>> ** HELP us help YOU!!! >>>>>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm >>>>>>>>>>>>>> Hi everyone, >>>>>>>>>>>>>> >>>>>>>>>>>>>> Recently I have performed a password change on the default >>>>>>>>>>>>>> domain administrator account. Before the change was made >>>>>>>>>>>>>> last Friday I made sure to find all services and scheduled >>>>>>>>>>>>>> tasks in our network that were using the domain admin >>>>>>>>>>>>>> account and changed them to use their own service account. >>>>>>>>>>>>>> After the change all system functionality has been >>>>>>>>>>>>>> restored. >>>>>>>>>>>>>> (I.E. Exchange, Blackberry, our ERP system, everything is >>>>>>>>>>>>>> working) On top of that, the domain admin account isn't >>>>>>>>>>>>>> getting locked out. That should mean that there isn't >>>>>>>>>>>>>> anything with a stored password attempting to use the old >>>>>>>>>>>>>> password. With all that said, however, I am still >>>>>>>>>>>>>> receiving >>>>>>>>>>>>>> security failures in the event viewer on our primary DC. >>>>>>>>>>>>>> The failures are below. Any help understanding these on >>>>>>>>>>>>>> these would be appreciated. >>>>>>>>>>>>>> FYI - In doing research on the 4771 events I have found >>>>>>>>>>>>>> that the failure code 0x18 usually means a bad password. >>>>>>>>>>>>>> What I don't understand is that the two IP addresses >>>>>>>>>>>>>> listed with those events are our backup DCs. >>>>>>>>>>>>>> >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:32:08 AM >>>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>>> Account Information: >>>>>>>>>>>>>> Security ID: domain\Administrator >>>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>>> Service Information: >>>>>>>>>>>>>> Service Name: krbtgt/domain >>>>>>>>>>>>>> Network Information: >>>>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>>>> Client Port: 4240 >>>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>>> was >>>>>>>>>>>>>> used >>>>>>>>>>>>>> for >>>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>>> are >>>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>>> could >>>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>>> be >>>>>>>>>>>>>> present. >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> - >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:32:07 AM >>>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>>> Account Information: >>>>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>>> Service Information: >>>>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>>>> Network Information: >>>>>>>>>>>>>> Client Address: ::ffff:10.0.1.254 >>>>>>>>>>>>>> Client Port: 4238 >>>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>>> was >>>>>>>>>>>>>> used >>>>>>>>>>>>>> for >>>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>>> are >>>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>>> could >>>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>>> be >>>>>>>>>>>>>> present. >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:32:01 AM >>>>>>>>>>>>>> Event ID: 4771 >>>>>>>>>>>>>> Task Category: Kerberos Authentication Service >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> Kerberos pre-authentication failed. >>>>>>>>>>>>>> Account Information: >>>>>>>>>>>>>> Security ID: DOMAIN\Administrator >>>>>>>>>>>>>> Account Name: Administrator >>>>>>>>>>>>>> Service Information: >>>>>>>>>>>>>> Service Name: krbtgt/DOMAIN >>>>>>>>>>>>>> Network Information: >>>>>>>>>>>>>> Client Address: ::ffff:10.0.1.249 >>>>>>>>>>>>>> Client Port: 21106 >>>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>>> Ticket Options: 0x40810010 >>>>>>>>>>>>>> Failure Code: 0x18 >>>>>>>>>>>>>> Pre-Authentication Type: 2 >>>>>>>>>>>>>> Certificate Information: >>>>>>>>>>>>>> Certificate Issuer Name: >>>>>>>>>>>>>> Certificate Serial Number: >>>>>>>>>>>>>> Certificate Thumbprint: >>>>>>>>>>>>>> Certificate information is only provided if a certificate >>>>>>>>>>>>>> was >>>>>>>>>>>>>> used >>>>>>>>>>>>>> for >>>>>>>>>>>>>> pre-authentication. >>>>>>>>>>>>>> Pre-authentication types, ticket options and failure codes >>>>>>>>>>>>>> are >>>>>>>>>>>>>> defined in RFC 4120. >>>>>>>>>>>>>> If the ticket was malformed or damaged during transit and >>>>>>>>>>>>>> could >>>>>>>>>>>>>> not be decrypted, then many fields in this event might not >>>>>>>>>>>>>> be >>>>>>>>>>>>>> present. >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:31:31 AM >>>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>>> credentials >>>>>>>>>>>>>> for >>>>>>>>>>>>>> an >>>>>>>>>>>>>> account. >>>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>>> Logon Account: Administrator >>>>>>>>>>>>>> Source Workstation: EXCHANGESERVER >>>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> - >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>>> credentials >>>>>>>>>>>>>> for >>>>>>>>>>>>>> an >>>>>>>>>>>>>> account. >>>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>>>> Source Workstation: ERPSERVER >>>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>>>>>>> Event ID: 4776 >>>>>>>>>>>>>> Task Category: Credential Validation >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> The domain controller attempted to validate the >>>>>>>>>>>>>> credentials >>>>>>>>>>>>>> for >>>>>>>>>>>>>> an >>>>>>>>>>>>>> account. >>>>>>>>>>>>>> Authentication Package: >>>>>>>>>>>>>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>>>>>>> Logon Account: administrator >>>>>>>>>>>>>> Source Workstation: SYTEUTIL >>>>>>>>>>>>>> Error Code: 0xc000006a >>>>>>>>>>>>>> ---------------------------------------------------------- >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Log Name: Security >>>>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>>>>>>> Date: 10/26/2009 8:27:01 AM >>>>>>>>>>>>>> Event ID: 4769 >>>>>>>>>>>>>> Task Category: Kerberos Service Ticket Operations >>>>>>>>>>>>>> Level: Information >>>>>>>>>>>>>> Keywords: Audit Failure >>>>>>>>>>>>>> User: N/A >>>>>>>>>>>>>> Computer: DC.domain.com >>>>>>>>>>>>>> Description: >>>>>>>>>>>>>> A Kerberos service ticket was requested. >>>>>>>>>>>>>> Account Information: >>>>>>>>>>>>>> Account Name: DC$@DOMAIN.COM >>>>>>>>>>>>>> Account Domain: DOMAIN.COM >>>>>>>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>>>>>>>>>>>> Service Information: >>>>>>>>>>>>>> Service Name: krbtgt/DOMAIN.COM >>>>>>>>>>>>>> Service ID: NULL SID >>>>>>>>>>>>>> Network Information: >>>>>>>>>>>>>> Client Address: ::1 >>>>>>>>>>>>>> Client Port: 0 >>>>>>>>>>>>>> Additional Information: >>>>>>>>>>>>>> Ticket Options: 0x60810010 >>>>>>>>>>>>>> Ticket Encryption Type: 0xffffffff >>>>>>>>>>>>>> Failure Code: 0xe >>>>>>>>>>>>>> Transited Services: - >>>>>>>>>>>>>> This event is generated every time access is requested to >>>>>>>>>>>>>> a >>>>>>>>>>>>>> resource >>>>>>>>>>>>>> such as a computer or a Windows service. The service name >>>>>>>>>>>>>> indicates >>>>>>>>>>>>>> the resource to which access was requested. >>>>>>>>>>>>>> This event can be correlated with Windows logon events by >>>>>>>>>>>>>> comparing >>>>>>>>>>>>>> the Logon GUID fields in each event. The logon event >>>>>>>>>>>>>> occurs >>>>>>>>>>>>>> on >>>>>>>>>>>>>> the >>>>>>>>>>>>>> machine that was accessed, which is often a different >>>>>>>>>>>>>> machine >>>>>>>>>>>>>> than >>>>>>>>>>>>>> the domain controller which issued the service ticket. >>>>>>>>>>>>>> Ticket options, encryption types, and failure codes are >>>>>>>>>>>>>> defined >>>>>>>>>>>>>> in >>>>>>>>>>>>>> RFC 4120. > > |