From: Zachary on 26 Oct 2009 12:37

Cross posting this to an exchange group.

"Zachary" <zdundore(a)agraind.com> wrote in message news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl...
> I found this error. When I look at PID 4968 it is mad.exe which points to the MSExchangeSA service. I looked in the services MMC and that service is set to log on as Local System. Why would it be trying to use the domain admin account?
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 10/26/2009
> Time: 11:02:01 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EXCHANGE
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: DOMAIN
> Logon Type: 7
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: EXCHANGE
> Caller User Name: EXCHANGE$
> Caller Domain: DOMAIN
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 4968
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message news:6cb2911d88a98cc246d902e505f(a)msnews.microsoft.com...
>> Hello Zachary,
>>
>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed in the event viewer entries?
>>
>> Also listed "0xc000006a" is bad password.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> Ok, with that being the case, is there more detailed auditing I can turn on to find out what service or app is attempting to make these authentications? When I look in the services MMC I don't see any services using the administrator account for validation, and the only in-house app being used is our intranet site and that is clean.
>>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message news:6cb2911d88a38cc246a772b26ea(a)msnews.microsoft.com...
>>>> Hello Zachary,
>>>>
>>>> The domain administrator will automatically unlock, after being locked out, as soon as the correct password is used.
>>>>
>>>> http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>>
>>>>> If that is the case, shouldn't the domain account be locked out? We have a lockout policy, and if a service or app attempts to validate credentials that many times unsuccessfully it should lock the account out.
>>>>>
>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message news:6cb2911d889b8cc24681c6128a8(a)msnews.microsoft.com...
>>>>>> Hello Zachary,
>>>>>>
>>>>>> Seems that there are still some services/applications running that need the password change. See also: http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>>
>>>>>>> Hi everyone,
>>>>>>>
>>>>>>> Recently I have performed a password change on the default domain administrator account. Before the change was made last Friday I made sure to find all services and scheduled tasks in our network that were using the domain admin account and changed them to use their own service account. After the change all system functionality has been restored (i.e. Exchange, Blackberry, our ERP system, everything is working). On top of that, the domain admin account isn't getting locked out. That should mean that there isn't anything with a stored password attempting to use the old password. With all that said, however, I am still receiving security failures in the event viewer on our primary DC. The failures are below. Any help understanding these would be appreciated.
>>>>>>>
>>>>>>> FYI - In doing research on the 4771 events I have found that the failure code 0x18 usually means a bad password. What I don't understand is that the two IP addresses listed with those events are our backup DCs.
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:32:08 AM
>>>>>>> Event ID: 4771
>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> Kerberos pre-authentication failed.
>>>>>>> Account Information:
>>>>>>> Security ID: domain\Administrator
>>>>>>> Account Name: Administrator
>>>>>>> Service Information:
>>>>>>> Service Name: krbtgt/domain
>>>>>>> Network Information:
>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>> Client Port: 4240
>>>>>>> Additional Information:
>>>>>>> Ticket Options: 0x40810010
>>>>>>> Failure Code: 0x18
>>>>>>> Pre-Authentication Type: 2
>>>>>>> Certificate Information:
>>>>>>> Certificate Issuer Name:
>>>>>>> Certificate Serial Number:
>>>>>>> Certificate Thumbprint:
>>>>>>> Certificate information is only provided if a certificate was used for pre-authentication.
>>>>>>> Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
>>>>>>> If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
>>>>>>>
>>>>>>> -------------------------------------------------------------
>>>>>>>
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:32:07 AM
>>>>>>> Event ID: 4771
>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> Kerberos pre-authentication failed.
>>>>>>> Account Information:
>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>> Account Name: Administrator
>>>>>>> Service Information:
>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>> Network Information:
>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>> Client Port: 4238
>>>>>>> Additional Information:
>>>>>>> Ticket Options: 0x40810010
>>>>>>> Failure Code: 0x18
>>>>>>> Pre-Authentication Type: 2
>>>>>>> Certificate Information:
>>>>>>> Certificate Issuer Name:
>>>>>>> Certificate Serial Number:
>>>>>>> Certificate Thumbprint:
>>>>>>> Certificate information is only provided if a certificate was used for pre-authentication.
>>>>>>> Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
>>>>>>> If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:32:01 AM
>>>>>>> Event ID: 4771
>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> Kerberos pre-authentication failed.
>>>>>>> Account Information:
>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>> Account Name: Administrator
>>>>>>> Service Information:
>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>> Network Information:
>>>>>>> Client Address: ::ffff:10.0.1.249
>>>>>>> Client Port: 21106
>>>>>>> Additional Information:
>>>>>>> Ticket Options: 0x40810010
>>>>>>> Failure Code: 0x18
>>>>>>> Pre-Authentication Type: 2
>>>>>>> Certificate Information:
>>>>>>> Certificate Issuer Name:
>>>>>>> Certificate Serial Number:
>>>>>>> Certificate Thumbprint:
>>>>>>> Certificate information is only provided if a certificate was used for pre-authentication.
>>>>>>> Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
>>>>>>> If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:31:31 AM
>>>>>>> Event ID: 4776
>>>>>>> Task Category: Credential Validation
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> The domain controller attempted to validate the credentials for an account.
>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>> Logon Account: Administrator
>>>>>>> Source Workstation: EXCHANGESERVER
>>>>>>> Error Code: 0xc000006a
>>>>>>> -------------------------------------------------------------
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>> Event ID: 4776
>>>>>>> Task Category: Credential Validation
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> The domain controller attempted to validate the credentials for an account.
>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>> Logon Account: administrator
>>>>>>> Source Workstation: ERPSERVER
>>>>>>> Error Code: 0xc000006a
>>>>>>> ------------------------------------------------------------
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>> Event ID: 4776
>>>>>>> Task Category: Credential Validation
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> The domain controller attempted to validate the credentials for an account.
>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>> Logon Account: administrator
>>>>>>> Source Workstation: SYTEUTIL
>>>>>>> Error Code: 0xc000006a
>>>>>>> ------------------------------------------------------------
>>>>>>> Log Name: Security
>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>> Date: 10/26/2009 8:27:01 AM
>>>>>>> Event ID: 4769
>>>>>>> Task Category: Kerberos Service Ticket Operations
>>>>>>> Level: Information
>>>>>>> Keywords: Audit Failure
>>>>>>> User: N/A
>>>>>>> Computer: DC.domain.com
>>>>>>> Description:
>>>>>>> A Kerberos service ticket was requested.
>>>>>>> Account Information:
>>>>>>> Account Name: DC$@DOMAIN.COM
>>>>>>> Account Domain: DOMAIN.COM
>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>>>>>> Service Information:
>>>>>>> Service Name: krbtgt/DOMAIN.COM
>>>>>>> Service ID: NULL SID
>>>>>>> Network Information:
>>>>>>> Client Address: ::1
>>>>>>> Client Port: 0
>>>>>>> Additional Information:
>>>>>>> Ticket Options: 0x60810010
>>>>>>> Ticket Encryption Type: 0xffffffff
>>>>>>> Failure Code: 0xe
>>>>>>> Transited Services: -
>>>>>>> This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
>>>>>>> This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
>>>>>>> Ticket options, encryption types, and failure codes are defined in RFC 4120.
From: Zachary on 26 Oct 2009 12:58

Additional references I have found. These describe my situation also, but they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
http://antionline.com/archive/index.php/t-272867.html

"Zachary" <zdundore(a)agraind.com> wrote in message news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
> Cross posting this to an exchange group.
From: Zachary on 26 Oct 2009 13:16

Found one of the culprits. The Exchange service account for legacy access was set to the domain admin. This is found in System Manager > Administrative Groups; right click your administrative group, and on the General tab you will see this setting.

I am still receiving this error from the Exchange server. Any ideas?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

"Zachary" <zdundore(a)agraind.com> wrote in message news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
> Additional references I have found. These describe my situation also, but they have no solution.
> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
> http://antionline.com/archive/index.php/t-272867.html
>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>> Logon Account: Administrator >>>>>>>>> Source Workstation: EXCHANGESERVER >>>>>>>>> Error Code: 0xc000006a >>>>>>>>> ------------------------------------------------------------- >>>>>>>>> Log Name: Security >>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>> Event ID: 4776 >>>>>>>>> Task Category: Credential Validation >>>>>>>>> Level: Information >>>>>>>>> Keywords: Audit Failure >>>>>>>>> User: N/A >>>>>>>>> Computer: DC.domain.com >>>>>>>>> Description: >>>>>>>>> The domain controller attempted to validate the credentials for an >>>>>>>>> account. >>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>> Logon Account: administrator >>>>>>>>> Source Workstation: ERPSERVER >>>>>>>>> Error Code: 0xc000006a >>>>>>>>> ------------------------------------------------------------ >>>>>>>>> Log Name: Security >>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>> Date: 10/26/2009 8:28:49 AM >>>>>>>>> Event ID: 4776 >>>>>>>>> Task Category: Credential Validation >>>>>>>>> Level: Information >>>>>>>>> Keywords: Audit Failure >>>>>>>>> User: N/A >>>>>>>>> Computer: DC.domain.com >>>>>>>>> Description: >>>>>>>>> The domain controller attempted to validate the credentials for an >>>>>>>>> account. 
>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 >>>>>>>>> Logon Account: administrator >>>>>>>>> Source Workstation: SYTEUTIL >>>>>>>>> Error Code: 0xc000006a >>>>>>>>> ------------------------------------------------------------ >>>>>>>>> Log Name: Security >>>>>>>>> Source: Microsoft-Windows-Security-Auditing >>>>>>>>> Date: 10/26/2009 8:27:01 AM >>>>>>>>> Event ID: 4769 >>>>>>>>> Task Category: Kerberos Service Ticket Operations >>>>>>>>> Level: Information >>>>>>>>> Keywords: Audit Failure >>>>>>>>> User: N/A >>>>>>>>> Computer: DC.domain.com >>>>>>>>> Description: >>>>>>>>> A Kerberos service ticket was requested. >>>>>>>>> Account Information: >>>>>>>>> Account Name: DC$@DOMAIN.COM >>>>>>>>> Account Domain: DOMAIN.COM >>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>>>>>>> Service Information: >>>>>>>>> Service Name: krbtgt/DOMAIN.COM >>>>>>>>> Service ID: NULL SID >>>>>>>>> Network Information: >>>>>>>>> Client Address: ::1 >>>>>>>>> Client Port: 0 >>>>>>>>> Additional Information: >>>>>>>>> Ticket Options: 0x60810010 >>>>>>>>> Ticket Encryption Type: 0xffffffff >>>>>>>>> Failure Code: 0xe >>>>>>>>> Transited Services: - >>>>>>>>> This event is generated every time access is requested to a >>>>>>>>> resource >>>>>>>>> such as a computer or a Windows service. The service name >>>>>>>>> indicates >>>>>>>>> the resource to which access was requested. >>>>>>>>> This event can be correlated with Windows logon events by >>>>>>>>> comparing >>>>>>>>> the Logon GUID fields in each event. The logon event occurs on >>>>>>>>> the >>>>>>>>> machine that was accessed, which is often a different machine than >>>>>>>>> the domain controller which issued the service ticket. >>>>>>>>> Ticket options, encryption types, and failure codes are defined in >>>>>>>>> RFC 4120. >>>>>>>>> >>>> >>>> >>> >>> >> >> > >
From: Zachary on 26 Oct 2009 16:58

Here is a status update. My Exchange server is still throwing this error, and every time it does it correlates to the next error that shows up on our main DC.

-----------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:36:37 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------

Then the Syteutil server issues this error every 10 minutes, and PID 4704 is w3wp.exe. This error correlates to the second error from our DC.

---------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: agra
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704
Transited Services: -
Source Network Address: -
Source Port: -
----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:40:07 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------

Then there is this error every 5 minutes; the IP listed is our second DC.

----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:32:21 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/AGRA
Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 2010
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
---------------------------------------------------

Then there is this one that happens every 10 minutes; the IP listed is our third DC.

---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:30:06 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator
Service Information:
Service Name: krbtgt/agra
Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 30051
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
---------------------------------------------------

Then there are two of these every 10 minutes on our main DC.

---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 3:38:15 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: AGRADC2.agraind.com
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
---------------------------------------------------

Are all of these related to the two member servers having problems, or is this something deeper?

"Zachary" <zdundore(a)agraind.com> wrote in message
news:uLJxJAmVKHA.220(a)TK2MSFTNGP02.phx.gbl...
> Found one of the culprits. The Exchange service account for legacy access
> was set to the domain admin. This is found in the System Manager >
> Administrative Groups; right click your administrative group and on the
> General tab you will see this setting. I am still receiving this error
> from the Exchange server. Any ideas?
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 10/26/2009
> Time: 12:11:34 PM
> User: NT AUTHORITY\SYSTEM
> Computer: AGRAEXCH
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: AGRA
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: AGRAEXCH
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> "Zachary" <zdundore(a)agraind.com> wrote in message
> news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
>> Additional references I have found. These describe my situation also, but
>> they have no solution.
>> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
>> http://antionline.com/archive/index.php/t-272867.html
>>
>> "Zachary" <zdundore(a)agraind.com> wrote in message
>> news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
>>> Cross posting this to an exchange group.
>>>
>>> "Zachary" <zdundore(a)agraind.com> wrote in message
>>> news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl...
>>>> I found this error. When I look at PID 4968 it is mad.exe, which points
>>>> to the MSExchangeSA service. I looked in the services MMC and that
>>>> service is set to log on as Local System. Why would it be trying to use
>>>> the domain admin account?
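The status update above is doing two jobs by hand: reading the DC's 4776/4771 failures to see which hosts still present the old password, and then hunting on each of those hosts for where the Administrator credential is stored. The following PowerShell is an added example for this thread, not code posted by anyone in it. It assumes PowerShell 2.0 or later, remote WMI and Security-log read access, and admin rights on every host queried; the host and account names are the thread's own (AGRADC2, AGRAEXCH, SYTEUTIL, ERPSERVER), the function names are mine. The status codes it keys on are the ones in the posted events: 0xC000006A is STATUS_WRONG_PASSWORD and 0x18 is KDC_ERR_PREAUTH_FAILED, both meaning "wrong password".

```powershell
# Added example for this thread, not code posted by anyone in it.
# Assumes PowerShell 2.0+, remote WMI/event-log access and admin rights
# on every host queried. Host and account names below are the thread's.

function Get-BadPasswordSource {
    # Read 4776 (NTLM credential validation) and 4771 (Kerberos pre-auth)
    # failures for one account from a 2008 DC and group them by the host
    # that presented the credential. 0xC000006A = STATUS_WRONG_PASSWORD,
    # 0x18 = KDC_ERR_PREAUTH_FAILED (RFC 4120): both mean "wrong password".
    param(
        [string]$DomainController = 'AGRADC2',
        [string]$Account          = 'Administrator',
        [int]$Hours               = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4776, 4771;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
      ForEach-Object {
        # EventData field names differ per event, so read the XML generically
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { return }
        if ($_.Id -eq 4776) { $source = $d['Workstation'] }
        else { $source = $d['IpAddress'] -replace '^::ffff:', '' }  # drop v4-mapped prefix
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; EventId = $_.Id
            Source = $source;      Status  = $d['Status']
        }
      } |
      Where-Object { $_.Status -match '^0x(c000006a|18)$' } |
      Group-Object Source, EventId |
      Select-Object Count, Name,
          @{ n = 'Last'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

function Find-StoredCredential {
    # List the usual places a fixed credential is stored on a 2003/2008
    # member server. Matches on the account name only; it cannot see the
    # password, so every hit still has to be re-entered or re-pointed.
    param([string]$ComputerName, [string]$Account = 'Administrator')
    $pat  = "(^|\\|@)$Account(@|$)"   # DOMAIN\user, user@domain, .\user
    $hits = @()

    # Windows services
    Get-WmiObject -ComputerName $ComputerName -Class Win32_Service |
      Where-Object { $_.StartName -match $pat } |
      ForEach-Object { $hits += "Service  $($_.Name): $($_.StartName)" }

    # Scheduled tasks: schtasks is the one tool that also reaches 2003 remotely
    schtasks /query /s $ComputerName /v /fo csv | ConvertFrom-Csv |
      Where-Object { $_.'Run As User' -match $pat } |
      ForEach-Object { $hits += "Task     $($_.TaskName): $($_.'Run As User')" }

    # IIS 6 metabase via its WMI provider (the w3wp.exe in the 529 points
    # here): application-pool identity and per-vdir anonymous user
    $ns = 'root/MicrosoftIISv2'
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class IIsApplicationPoolSetting -ErrorAction SilentlyContinue |
      Where-Object { $_.WAMUserName -match $pat } |
      ForEach-Object { $hits += "AppPool  $($_.Name): $($_.WAMUserName)" }
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class IIsWebVirtualDirSetting -ErrorAction SilentlyContinue |
      Where-Object { $_.AnonymousUserName -match $pat } |
      ForEach-Object { $hits += "IIS anon $($_.Name): $($_.AnonymousUserName)" }

    # COM+ application identities (Connect() targets a remote catalog)
    $cat = New-Object -ComObject COMAdmin.COMAdminCatalog
    if ($ComputerName -ne $env:COMPUTERNAME) { [void]$cat.Connect($ComputerName) }
    $apps = $cat.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Value('Identity') -match $pat) {
            $hits += "COM+     $($app.Name): $($app.Value('Identity'))"
        }
    }
    $hits
}

function Resolve-CallerPid {
    # Map the Caller Process ID from a 529/4625 on a member server to an
    # executable while that process is still running (PIDs are not stable).
    param([string]$ComputerName, [int]$ProcessId)
    Get-WmiObject -ComputerName $ComputerName -Class Win32_Process -Filter "ProcessId = $ProcessId" |
      Select-Object ProcessId, Name, CommandLine
}

# Usage against the hosts named in the thread
Get-BadPasswordSource -DomainController 'AGRADC2' | Format-Table -AutoSize
Resolve-CallerPid -ComputerName 'SYTEUTIL' -ProcessId 4704
'AGRAEXCH', 'SYTEUTIL', 'ERPSERVER' | ForEach-Object { "== $_"; Find-StoredCredential -ComputerName $_ }
```

Two notes on using it against the events above. The Client Address in a 4771 is the host that sent the AS-REQ, so the two 4771 sources (10.0.1.254 and 10.0.1.249) need the same treatment as the member servers: their own Security logs will carry the 529/4625 with the Caller Process ID, and Find-StoredCredential should be run against them too. And the script only covers the stores it enumerates; the Exchange legacy service account found in Exchange System Manager, and an ASP.NET `<identity impersonate="true" userName="..." password="..."/>` element in a site's web.config (a common reason a w3wp.exe running as NETWORK SERVICE calls LogonUser with a fixed account), both remain manual checks.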
From: Meinolf Weber [MVP-DS] on 29 Oct 2009 13:39
Hello Zachary, Sorry for being late. According to the ip addresses listed you use IPv6 and IPv4 together on some machines? Are the time settings/time zones the same on all machines? Are any of the machines restored after a crash? Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Here is a status update. My exchange server is still throwing this > error > and every time it does it coralates to the next error that show up on > our > main DC. > ----------------------------------------------------- > Event Type: Failure Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 529 > Date: 10/26/2009 > Time: 3:36:37 PM > User: NT AUTHORITY\SYSTEM > Computer: AGRAEXCH > Description: > Logon Failure: > Reason: Unknown user name or bad password > User Name: Administrator > Domain: AGRA > Logon Type: 3 > Logon Process: NtLmSsp > Authentication Package: NTLM > Workstation Name: AGRAEXCH > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: - > Source Port: - > ---------------------------------------------------- > Log Name: Security > Source: Microsoft-Windows-Security-Auditing > Date: 10/26/2009 3:36:37 PM > Event ID: 4776 > Task Category: Credential Validation > Level: Information > Keywords: Audit Failure > User: N/A > Computer: AGRADC2.agraind.com > Description: > The domain controller attempted to validate the credentials for an > account. > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > Logon Account: Administrator > Source Workstation: AGRAEXCH > Error Code: 0xc000006a > --------------------------------------------------- > Then the Syteutil server issues this error every 10 minutes and PID > 4704 is > w3wp.exe. This error coralates to the second error from our DC. 
> --------------------------------------------------- > Event Type: Failure Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 529 > Date: 10/26/2009 > Time: 3:40:07 PM > User: NT AUTHORITY\SYSTEM > Computer: SYTEUTIL > Description: > Logon Failure: > Reason: Unknown user name or bad password > User Name: administrator > Domain: agra > Logon Type: 3 > Logon Process: Advapi > Authentication Package: Negotiate > Workstation Name: SYTEUTIL > Caller User Name: NETWORK SERVICE > Caller Domain: NT AUTHORITY > Caller Logon ID: (0x0,0x3E4) > Caller Process ID: 4704 > Transited Services: - > Source Network Address: - > Source Port: - > ---------------------------------------------------- > Log Name: Security > Source: Microsoft-Windows-Security-Auditing > Date: 10/26/2009 3:40:07 PM > Event ID: 4776 > Task Category: Credential Validation > Level: Information > Keywords: Audit Failure > User: N/A > Computer: AGRADC2.agraind.com > Description: > The domain controller attempted to validate the credentials for an > account. > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > Logon Account: administrator > Source Workstation: SYTEUTIL > Error Code: 0xc000006a > ---------------------------------------------------- > Then there is this error every 5 minutes, the ip listed is our second > DC > ---------------------------------------------------- > Log Name: Security > Source: Microsoft-Windows-Security-Auditing > Date: 10/26/2009 3:32:21 PM > Event ID: 4771 > Task Category: Kerberos Authentication Service > Level: Information > Keywords: Audit Failure > User: N/A > Computer: AGRADC2.agraind.com > Description: > Kerberos pre-authentication failed. 
> Account Information:
> Security ID: AGRA\Administrator
> Account Name: Administrator
> Service Information:
> Service Name: krbtgt/AGRA
> Network Information:
> Client Address: ::ffff:10.0.1.254
> Client Port: 2010
> Additional Information:
> Ticket Options: 0x40810010
> Failure Code: 0x18
> Pre-Authentication Type: 2
> Certificate Information:
> Certificate Issuer Name:
> Certificate Serial Number:
> Certificate Thumbprint:
> Certificate information is only provided if a certificate was used for
> pre-authentication.
>
> Pre-authentication types, ticket options and failure codes are defined
> in RFC 4120.
>
> If the ticket was malformed or damaged during transit and could not be
> decrypted, then many fields in this event might not be present.
> ---------------------------------------------------
>
> Then there is this one that happens every 10 mins, the IP listed is our
> third DC
> ---------------------------------------------------
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 10/26/2009 3:30:06 PM
> Event ID: 4771
> Task Category: Kerberos Authentication Service
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: AGRADC2.agraind.com
> Description:
> Kerberos pre-authentication failed.
> Account Information:
> Security ID: AGRA\Administrator
> Account Name: Administrator
> Service Information:
> Service Name: krbtgt/agra
> Network Information:
> Client Address: ::ffff:10.0.1.249
> Client Port: 30051
> Additional Information:
> Ticket Options: 0x40810010
> Failure Code: 0x18
> Pre-Authentication Type: 2
> Certificate Information:
> Certificate Issuer Name:
> Certificate Serial Number:
> Certificate Thumbprint:
> Certificate information is only provided if a certificate was used for
> pre-authentication.
>
> Pre-authentication types, ticket options and failure codes are defined
> in RFC 4120.
>
> If the ticket was malformed or damaged during transit and could not be
> decrypted, then many fields in this event might not be present.
> ---------------------------------------------------
>
> Then there are two of these every 10 minutes on our Main DC
> ---------------------------------------------------
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 10/26/2009 3:38:15 PM
> Event ID: 4769
> Task Category: Kerberos Service Ticket Operations
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: AGRADC2.agraind.com
> Description:
> A Kerberos service ticket was requested.
> Account Information:
> Account Name: AGRADC2$@AGRAIND.COM
> Account Domain: AGRAIND.COM
> Logon GUID: {00000000-0000-0000-0000-000000000000}
> Service Information:
> Service Name: krbtgt/AGRAIND.COM
> Service ID: NULL SID
> Network Information:
> Client Address: ::1
> Client Port: 0
> Additional Information:
> Ticket Options: 0x60810010
> Ticket Encryption Type: 0xffffffff
> Failure Code: 0xe
> Transited Services: -
> This event is generated every time access is requested to a resource
> such as a computer or a Windows service. The service name indicates
> the resource to which access was requested.
>
> This event can be correlated with Windows logon events by comparing
> the Logon GUID fields in each event. The logon event occurs on the
> machine that was accessed, which is often a different machine than the
> domain controller which issued the service ticket.
>
> Ticket options, encryption types, and failure codes are defined in RFC
> 4120.
> ---------------------------------------------------
>
> Are all of these related to the two member servers having problems or
> is this something deeper?
>
> "Zachary" <zdundore(a)agraind.com> wrote in message
> news:uLJxJAmVKHA.220(a)TK2MSFTNGP02.phx.gbl...
>
>> Found one of the culprits. The Exchange service account for legacy
>> access was set to the domain admin.
>> This is found in the System Manager > Administrative Groups, then right-click your
>> administrative group and on the General tab you will see this
>> setting. I am still receiving this error from the exchange
>> server: Any ideas?
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 529
>> Date: 10/26/2009
>> Time: 12:11:34 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: AGRAEXCH
>> Description:
>> Logon Failure:
>> Reason: Unknown user name or bad password
>> User Name: Administrator
>> Domain: AGRA
>> Logon Type: 3
>> Logon Process: NtLmSsp
>> Authentication Package: NTLM
>> Workstation Name: AGRAEXCH
>> Caller User Name: -
>> Caller Domain: -
>> Caller Logon ID: -
>> Caller Process ID: -
>> Transited Services: -
>> Source Network Address: -
>> Source Port: -
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> "Zachary" <zdundore(a)agraind.com> wrote in message
>> news:OHVPB2lVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
>>
>>> Additional references I have found. These describe my situation
>>> also but they have no solution.
>>> http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
>>> http://antionline.com/archive/index.php/t-272867.html
>>> "Zachary" <zdundore(a)agraind.com> wrote in message
>>> news:eJ$1QqlVKHA.1372(a)TK2MSFTNGP02.phx.gbl...
>>>
>>>> Cross posting this to an exchange group.
>>>>
>>>> "Zachary" <zdundore(a)agraind.com> wrote in message
>>>> news:ecI44ZlVKHA.2340(a)TK2MSFTNGP04.phx.gbl...
>>>>
>>>>> I found this error. When I look at PID 4968 it is mad.exe which
>>>>> points to the MSExchangeSA service. I looked in the services MMC
>>>>> and that service is set to log on as Local System. Why would it
>>>>> be trying to use the domain admin account?
>>>>>
>>>>> Event Type: Failure Audit
>>>>> Event Source: Security
>>>>> Event Category: Logon/Logoff
>>>>> Event ID: 529
>>>>> Date: 10/26/2009
>>>>> Time: 11:02:01 AM
>>>>> User: NT AUTHORITY\SYSTEM
>>>>> Computer: EXCHANGE
>>>>> Description:
>>>>> Logon Failure:
>>>>> Reason: Unknown user name or bad password
>>>>> User Name: Administrator
>>>>> Domain: DOMAIN
>>>>> Logon Type: 7
>>>>> Logon Process: Advapi
>>>>> Authentication Package: Negotiate
>>>>> Workstation Name: EXCHANGE
>>>>> Caller User Name: EXCHANGE$
>>>>> Caller Domain: DOMAIN
>>>>> Caller Logon ID: (0x0,0x3E7)
>>>>> Caller Process ID: 4968
>>>>> Transited Services: -
>>>>> Source Network Address: -
>>>>> Source Port: -
>>>>> For more information, see Help and Support Center at
>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>
>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>>> news:6cb2911d88a98cc246d902e505f(a)msnews.microsoft.com...
>>>>>
>>>>>> Hello Zachary,
>>>>>>
>>>>>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as
>>>>>> listed in the event viewer entries?
>>>>>>
>>>>>> Also listed "0xc000006a" is bad password.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>>> confers no rights.
>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>> Ok, with that being the case, is there more detailed auditing I can
>>>>>>> turn on to find out what service or app is attempting to make these
>>>>>>> authentications?
>>>>>>> When I look in the services MMC I don't see any services using the
>>>>>>> administrator account for validation and the only in-house app being
>>>>>>> used is our intranet site and that is clean.
>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>>>>> news:6cb2911d88a38cc246a772b26ea(a)msnews.microsoft.com...
>>>>>>>> Hello Zachary,
>>>>>>>>
>>>>>>>> The domain administrator will automatically unlock, after being
>>>>>>>> locked out, as soon as the correct password is used.
>>>>>>>>
>>>>>>>> http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> Meinolf Weber
>>>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>>>>> confers no rights.
>>>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>>>> If that is the case, shouldn't the domain account be locked out? We
>>>>>>>>> have a lockout policy and if a service or app attempts to validate
>>>>>>>>> credentials that many times unsuccessfully it should lock the
>>>>>>>>> account out.
>>>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>>>>>>> news:6cb2911d889b8cc24681c6128a8(a)msnews.microsoft.com...
>>>>>>>>>
>>>>>>>>>> Hello Zachary,
>>>>>>>>>>
>>>>>>>>>> Seems that there are still some services/applications running
>>>>>>>>>> that need the password change. See also:
>>>>>>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>>>>>>>>
>>>>>>>>>> Best regards
>>>>>>>>>>
>>>>>>>>>> Meinolf Weber
>>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>>>>>>> confers no rights.
>>>>>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>>
>>>>>>>>>>> Recently I have performed a password change on the default
>>>>>>>>>>> domain administrator account.
>>>>>>>>>>> Before the change was made last Friday I made sure to find all
>>>>>>>>>>> services and scheduled tasks in our network that were using the
>>>>>>>>>>> domain admin account and changed them to use their own service
>>>>>>>>>>> account. After the change all system functionality has been
>>>>>>>>>>> restored (i.e. Exchange, Blackberry, our ERP system, everything
>>>>>>>>>>> is working). On top of that, the domain admin account isn't
>>>>>>>>>>> getting locked out. That should mean that there isn't anything
>>>>>>>>>>> with a stored password attempting to use the old password. With
>>>>>>>>>>> all that said, however, I am still receiving security failures in
>>>>>>>>>>> the event viewer on our primary DC. The failures are below. Any
>>>>>>>>>>> help understanding these would be appreciated.
>>>>>>>>>>>
>>>>>>>>>>> FYI - In doing research on the 4771 events I have found that
>>>>>>>>>>> the failure code 0x18 usually means a bad password. What I
>>>>>>>>>>> don't understand is that the two IP addresses listed with
>>>>>>>>>>> those events are our backup DCs.
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:32:08 AM
>>>>>>>>>>> Event ID: 4771
>>>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>>>> Account Information:
>>>>>>>>>>> Security ID: domain\Administrator
>>>>>>>>>>> Account Name: Administrator
>>>>>>>>>>> Service Information:
>>>>>>>>>>> Service Name: krbtgt/domain
>>>>>>>>>>> Network Information:
>>>>>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>>>>>> Client Port: 4240
>>>>>>>>>>> Additional Information:
>>>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>>>> Failure Code: 0x18
>>>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>>>> Certificate Information:
>>>>>>>>>>> Certificate Issuer Name:
>>>>>>>>>>> Certificate Serial Number:
>>>>>>>>>>> Certificate Thumbprint:
>>>>>>>>>>> Certificate information is only provided if a certificate was
>>>>>>>>>>> used for pre-authentication.
>>>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>>>> defined in RFC 4120.
>>>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>>>> present.
>>>>>>>>>>> -------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:32:07 AM
>>>>>>>>>>> Event ID: 4771
>>>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>>>> Account Information:
>>>>>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>>>>>> Account Name: Administrator
>>>>>>>>>>> Service Information:
>>>>>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>>>>>> Network Information:
>>>>>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>>>>>> Client Port: 4238
>>>>>>>>>>> Additional Information:
>>>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>>>> Failure Code: 0x18
>>>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>>>> Certificate Information:
>>>>>>>>>>> Certificate Issuer Name:
>>>>>>>>>>> Certificate Serial Number:
>>>>>>>>>>> Certificate Thumbprint:
>>>>>>>>>>> Certificate information is only provided if a certificate was
>>>>>>>>>>> used for pre-authentication.
>>>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>>>> defined in RFC 4120.
>>>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>>>> present.
>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:32:01 AM
>>>>>>>>>>> Event ID: 4771
>>>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>>>> Account Information:
>>>>>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>>>>>> Account Name: Administrator
>>>>>>>>>>> Service Information:
>>>>>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>>>>>> Network Information:
>>>>>>>>>>> Client Address: ::ffff:10.0.1.249
>>>>>>>>>>> Client Port: 21106
>>>>>>>>>>> Additional Information:
>>>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>>>> Failure Code: 0x18
>>>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>>>> Certificate Information:
>>>>>>>>>>> Certificate Issuer Name:
>>>>>>>>>>> Certificate Serial Number:
>>>>>>>>>>> Certificate Thumbprint:
>>>>>>>>>>> Certificate information is only provided if a certificate was
>>>>>>>>>>> used for pre-authentication.
>>>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>>>> defined in RFC 4120.
>>>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>>>> present.
>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:31:31 AM
>>>>>>>>>>> Event ID: 4776
>>>>>>>>>>> Task Category: Credential Validation
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> The domain controller attempted to validate the credentials for
>>>>>>>>>>> an account.
>>>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>>>> Logon Account: Administrator
>>>>>>>>>>> Source Workstation: EXCHANGESERVER
>>>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>>>> -------------------------------------------------------------
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>>>>>> Event ID: 4776
>>>>>>>>>>> Task Category: Credential Validation
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> The domain controller attempted to validate the credentials for
>>>>>>>>>>> an account.
>>>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>>>> Logon Account: administrator
>>>>>>>>>>> Source Workstation: ERPSERVER
>>>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>>>>>> Event ID: 4776
>>>>>>>>>>> Task Category: Credential Validation
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> The domain controller attempted to validate the credentials for
>>>>>>>>>>> an account.
>>>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>>>> Logon Account: administrator
>>>>>>>>>>> Source Workstation: SYTEUTIL
>>>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>>> Log Name: Security
>>>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>>>> Date: 10/26/2009 8:27:01 AM
>>>>>>>>>>> Event ID: 4769
>>>>>>>>>>> Task Category: Kerberos Service Ticket Operations
>>>>>>>>>>> Level: Information
>>>>>>>>>>> Keywords: Audit Failure
>>>>>>>>>>> User: N/A
>>>>>>>>>>> Computer: DC.domain.com
>>>>>>>>>>> Description:
>>>>>>>>>>> A Kerberos service ticket was requested.
>>>>>>>>>>> Account Information:
>>>>>>>>>>> Account Name: DC$@DOMAIN.COM
>>>>>>>>>>> Account Domain: DOMAIN.COM
>>>>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>>>>>>>>>> Service Information:
>>>>>>>>>>> Service Name: krbtgt/DOMAIN.COM
>>>>>>>>>>> Service ID: NULL SID
>>>>>>>>>>> Network Information:
>>>>>>>>>>> Client Address: ::1
>>>>>>>>>>> Client Port: 0
>>>>>>>>>>> Additional Information:
>>>>>>>>>>> Ticket Options: 0x60810010
>>>>>>>>>>> Ticket Encryption Type: 0xffffffff
>>>>>>>>>>> Failure Code: 0xe
>>>>>>>>>>> Transited Services: -
>>>>>>>>>>> This event is generated every time access is requested to a
>>>>>>>>>>> resource such as a computer or a Windows service. The service
>>>>>>>>>>> name indicates the resource to which access was requested.
>>>>>>>>>>> This event can be correlated with Windows logon events by
>>>>>>>>>>> comparing the Logon GUID fields in each event. The logon event
>>>>>>>>>>> occurs on the machine that was accessed, which is often a
>>>>>>>>>>> different machine than the domain controller which issued the
>>>>>>>>>>> service ticket.
>>>>>>>>>>> Ticket options, encryption types, and failure codes are defined
>>>>>>>>>>> in RFC 4120.
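The matching the thread does by hand (a 529 on a member server at the same second as a 4776 on the DC naming that server as Source Workstation, then reading the Caller Process ID off the local event) can be scripted. This is an added example, not code from the thread; the records are constructed in the quoted field layout with the thread's host names and times, and the code names for 0xc000006a, 0x18 and 0xe come from the NT status and RFC 4120 error tables.

```python
# Added example (not code from the thread): parse event records in the layout
# quoted above and pair each DC 4776 failure with the 529 from its workstation.
from datetime import datetime, timedelta

# Codes seen in the thread: NT status for 4776; KRB error codes (RFC 4120) for 4771/4769.
FAILURE_CODES = {
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0x18": "KDC_ERR_PREAUTH_FAILED",
    "0xe": "KDC_ERR_ETYPE_NOSUPP",
}

# Constructed sample log; host names, times and PIDs mirror the thread's quotes.
SAMPLE_LOG = """\
Event ID: 529
Date: 10/26/2009
Time: 3:40:07 PM
Computer: SYTEUTIL
Caller Process ID: 4704
---
Event ID: 4776
Date: 10/26/2009 3:40:07 PM
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
---
Event ID: 529
Date: 10/26/2009
Time: 3:36:37 PM
Computer: AGRAEXCH
Caller Process ID: -
---
Event ID: 4776
Date: 10/26/2009 3:36:37 PM
Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---
Event ID: 4771
Date: 10/26/2009 3:32:21 PM
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
"""

def parse_records(text):
    """Dash-separated 'Key: value' records -> dicts with 'when' and decoded 'reason'."""
    records = []
    for chunk in text.split("---"):
        rec = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")  # first colon only: IPv6 values survive
            rec[key.strip()] = value.strip()
        if not rec:
            continue
        # 2003-style events carry Date and Time separately; 2008-style combine them.
        stamp = rec["Date"] + (" " + rec["Time"] if "Time" in rec else "")
        rec["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        code = rec.get("Error Code") or rec.get("Failure Code")
        rec["reason"] = FAILURE_CODES.get(code.lower(), "unknown") if code else None
        records.append(rec)
    return records

def correlate(records, window=timedelta(seconds=5)):
    """For each DC 4776, find the 529 on the same workstation within `window`
    and report its Caller Process ID ('-' means the local event names no process)."""
    local = [r for r in records if r["Event ID"] == "529"]
    pairs = []
    for dc in (r for r in records if r["Event ID"] == "4776"):
        hit = next((m for m in local if m["Computer"] == dc["Source Workstation"]
                    and abs(m["when"] - dc["when"]) <= window), None)
        pairs.append((dc["Source Workstation"],
                      hit["Caller Process ID"] if hit else None, dc["reason"]))
    return pairs

if __name__ == "__main__":
    for host, pid, reason in correlate(parse_records(SAMPLE_LOG)):
        print(f"{host}: caller PID {pid}, {reason}")
```

The SYTEUTIL pair resolves to PID 4704 (w3wp.exe in the thread), while the AGRAEXCH pair comes back with "-", which is exactly why the NtLmSsp network logon there could not be tied to a process from the local 529 alone.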