
Security Failures after Password Change

 
 
Zachary

 
      10-26-2009
Hi everyone,



Recently I have performed a password change on the default domain
administrator account. Before the change was made last Friday I made sure
to find all services and scheduled tasks in our network that were using the
domain admin account and changed them to use their own service account.
After the change all system functionality has been restored. (i.e. Exchange,
Blackberry, our ERP system, everything is working) On top of that, the
domain admin account isn't getting locked out. That should mean that there
isn't anything with a stored password attempting to use the old password.
With all that said, however, I am still receiving security failures in the
event viewer on our primary DC. The failures are below. Any help
understanding these would be appreciated.



FYI - In doing research on the 4771 events I have found that the failure
code 0x18 usually means a bad password. What I don't understand is that the
two IP addresses listed with those events are our backup DCs.



------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.



Account Information:
Security ID: domain\Administrator
Account Name: Administrator



Service Information:
Service Name: krbtgt/domain



Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240



Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2



Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:



Certificate information is only provided if a certificate was used for
pre-authentication.



Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.



If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.

-------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.



Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator



Service Information:
Service Name: krbtgt/DOMAIN



Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238



Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2



Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:



Certificate information is only provided if a certificate was used for
pre-authentication.



Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.



If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.

------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.



Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator



Service Information:
Service Name: krbtgt/DOMAIN



Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106



Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2



Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:



Certificate information is only provided if a certificate was used for
pre-authentication.



Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.



If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.



Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
-------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.



Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.



Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.



Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}



Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID



Network Information:
Client Address: ::1
Client Port: 0



Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -



This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.



This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.



Ticket options, encryption types, and failure codes are defined in RFC 4120.


 
Reply With Quote
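The events pasted in the post above, grouped by account and source with their codes decoded; this is an added example, not part of the original thread. The sample text is constructed from the seven events in the post, cut down to the fields used, and the function names are illustrative.

```python
import re
from collections import Counter
from ipaddress import ip_address

# RFC 4120 error codes, logged as "Failure Code" in events 4771 and 4769.
KERBEROS_ERRORS = {0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x18: "KDC_ERR_PREAUTH_FAILED"}
# NTSTATUS values, logged as "Error Code" in event 4776 (NTLM validation).
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD"}

# Constructed sample: the seven events from the post, reduced to four fields each.
SAMPLE = """\
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.249
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4776
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4776
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4776
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4769
Account Name: DC$@DOMAIN.COM
Client Address: ::1
Failure Code: 0xe
"""

def parse_events(text):
    """Split pasted Event Viewer text on dashed separators into field dicts."""
    events = []
    for block in re.split(r"^[> ]*-{10,}[ \t]*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.splitlines():
            # lstrip also drops newsgroup quote markers ("> ", ">> ").
            key, sep, value = line.lstrip("> ").partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def source_of(fields):
    """4776 names a workstation; the Kerberos events carry a client address."""
    if "Source Workstation" in fields:
        return fields["Source Workstation"].upper()
    raw = fields.get("Client Address", "")
    try:
        addr = ip_address(raw)
    except ValueError:
        return raw or "unknown"
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        return str(mapped)
    return "loopback" if addr.is_loopback else str(addr)

def reason_of(fields):
    """Decode the hex failure/error code, falling back to the raw value."""
    for key, table in (("Failure Code", KERBEROS_ERRORS), ("Error Code", NTSTATUS)):
        if key in fields:
            code = int(fields[key], 16)
            return table.get(code, hex(code))
    return "unknown"

def account_of(fields):
    """Normalise case and strip the realm so 'Administrator' groups together."""
    name = fields.get("Account Name") or fields.get("Logon Account") or "unknown"
    return name.split("@")[0].lower()

def summarize(text):
    """Count failures per (event id, account, source, reason)."""
    counts = Counter()
    for f in parse_events(text):
        counts[(int(f["Event ID"]), account_of(f), source_of(f), reason_of(f))] += 1
    return counts

if __name__ == "__main__":
    for (eid, acct, src, why), n in summarize(SAMPLE).most_common():
        print(f"{n}x event {eid} account={acct} source={src} reason={why}")
```

The 4776 rows identify the member servers still presenting a wrong Administrator password over NTLM, while the 4771 rows only show which address relayed the Kerberos request to this DC.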
 
 
 
 
Meinolf Weber [MVP-DS]

 
      10-26-2009
Hello Zachary,

Seems that there are still some services/applications running that need the
password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Zachary

 
      10-26-2009

If that is the case, shouldn't the domain account be locked out? We have a
lockout policy and if a service or app attempts to validate credentials that
many times unsuccessfully it should lock the account out.



Meinolf Weber [MVP-DS]

 
      10-26-2009

Hello Zachary,

The domain administrator will automatically unlock after being locked out,
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge...21003F00_.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Zachary
Guest
Posts: n/a

 
      10-26-2009
Ok, with that being the case, is there more detailed auditing I can turn on
to find out what service or app is attempting to make these authentications?
When I look in the services MMC I don't see any services using the
administrator account for validation and the only in-house app being used is
our intranet site and that is clean.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Zachary,
>
> The domain administrator will automatically unlock, after being locked out
> as soon as the correct password is used.
> http://blogs.dirteam.com/blogs/jorge...21003F00_.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> If that is the case, shouldn't the domain account be locked out? We
>> have a lockout policy and if a service or app attempts to validate
>> credentials that many times unsuccessfully it should lock the account
>> out.
>>
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:. com...
>>
>>> Hello Zachary,
>>>
>>> Seems that there are still some services/applications running that
>>> need the password change. See also:
>>> http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>
>



 
Reply With Quote
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      10-26-2009
Hello Zachary,

So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed
in the event viewer entries?

Also listed "0xc000006a" is bad password.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Ok, with that being the case, is there more detailed auditing I can turn on
> to find out what service or app is attempting to make these authentications?
> When I look in the services MMC I don't see any services using the
> administrator account for validation and the only in-house app being used is
> our intranet site and that is clean.
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>> Hello Zachary,
>>
>> The domain administrator will automatically unlock, after being locked out
>> as soon as the correct password is used.
>> http://blogs.dirteam.com/blogs/jorge.../The-Default-domain-administrator-account-is-locked_21003F00_.aspx
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> If that is the case, shouldn't the domain account be locked out? We
>>> have a lockout policy and if a service or app attempts to validate
>>> credentials that many times unsuccessfully it should lock the account
>>> out.
>>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:. com...
>>>
>>>> Hello Zachary,
>>>>
>>>> Seems that there are still some services/applications running that
>>>> need the password change. See also:
>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



 
Reply With Quote
 
Zachary
Guest
Posts: n/a

 
      10-26-2009
I found this error. When I look at PID 4968 it is mad.exe which points to
the MSExchangeSA service. I looked in the services MMC and that service is
set to log on as Local System. Why would it be trying to use the domain
admin account?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Zachary,
>
> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed
> in the event viewer entries?
>
> Also listed "0xc000006a" is bad password.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Ok, with that being the case, is there more detailed auditing I can turn on
>> to find out what service or app is attempting to make these authentications?
>> When I look in the services MMC I don't see any services using the
>> administrator account for validation and the only in-house app being used is
>> our intranet site and that is clean.
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:. com...
>>> Hello Zachary,
>>>
>>> The domain administrator will automatically unlock, after being locked out
>>> as soon as the correct password is used.
>>> http://blogs.dirteam.com/blogs/jorge.../The-Default-domain-administrator-account-is-locked_21003F00_.aspx
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> If that is the case, shouldn't the domain account be locked out? We
>>>> have a lockout policy and if a service or app attempts to validate
>>>> credentials that many times unsuccessfully it should lock the account
>>>> out.
>>>>
>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>> news:. com...
>>>>
>>>>> Hello Zachary,
>>>>>
>>>>> Seems that there are still some services/applications running that
>>>>> need the password change. See also:
>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>>>
>>>>> Best regards
>>>>>
>>>>> Meinolf Weber
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>> confers no rights.
>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Zachary
Guest
Posts: n/a

 
      10-26-2009
Cross posting this to an exchange group.

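Added example, not part of any post in this thread: the failures quoted above name their origin in different fields (Client Address for 4771, Source Workstation for 4776, Workstation Name and Caller Process ID for 529), so tallying them per source shows which hosts to check for a stored Administrator password. The function names, the `RULES` table and the sample text are illustrative assumptions; the sample is constructed from fields of the events quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Per event ID: field naming the account, field naming the origin, and the
# (field, value) pair that the thread identifies as "bad password".
RULES = {
    "4771": ("Account Name", "Client Address", "Failure Code", "0x18"),
    "4776": ("Logon Account", "Source Workstation", "Error Code", "0xc000006a"),
    "529": ("User Name", "Workstation Name", "Reason",
            "unknown user name or bad password"),
}
RECORD_START = {"Log Name", "Event Type"}  # first field of each pasted layout

# Constructed sample: fields trimmed from the events quoted in the thread.
SAMPLE = r"""
Log Name: Security
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Client Port: 4240
Failure Code: 0x18
------------------------------------------------------------
>> Log Name: Security
>> Event ID: 4771
>> Account Name: Administrator
>> Client Address: ::ffff:10.0.1.254
>> Client Port: 4238
>> Failure Code: 0x18
Log Name: Security
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.249
Failure Code: 0x18
Log Name: Security
Event ID: 4776
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
Log Name: Security
Event ID: 4776
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
Log Name: Security
Event ID: 4769
Account Name: DC$@DOMAIN.COM
Client Address: ::1
Failure Code: 0xe
Event Type: Failure Audit
Event ID: 529
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: Administrator
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Process ID: 4968
"""


def parse_events(text):
    """Split pasted event text into one dict per event; '>' quote marks are ignored."""
    events, current = [], {}
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        is_rule = re.fullmatch(r"-{10,}", line) is not None
        # A dashed rule or the first field of a new event closes the previous one.
        if (is_rule or key in RECORD_START) and current:
            events.append(current)
            current = {}
        if sep and value and not is_rule:
            current.setdefault(key, value)  # keep the first value seen for a field
    if current:
        events.append(current)
    return events


def source_of(event, source_field):
    """Return the origin of a failure, unwrapping IPv4-mapped IPv6 addresses."""
    src = event.get(source_field, "-")
    try:
        addr = ipaddress.ip_address(src)
        src = str(getattr(addr, "ipv4_mapped", None) or addr)
    except ValueError:
        pass  # a host name, not an address
    pid = event.get("Caller Process ID", "-")
    return f"{src} (PID {pid})" if pid != "-" else src


def failed_logons_by_source(text, account="administrator"):
    """Count bad-password failures for one account, keyed by (event ID, source)."""
    tally = Counter()
    for event in parse_events(text):
        rule = RULES.get(event.get("Event ID", ""))
        if rule is None:
            continue  # e.g. the 4769 event for the DC's own machine account
        account_field, source_field, code_field, bad_value = rule
        if event.get(account_field, "").lower() != account:
            continue
        if event.get(code_field, "").lower() == bad_value:
            tally[(event["Event ID"], source_of(event, source_field))] += 1
    return tally


if __name__ == "__main__":
    for (event_id, source), count in failed_logons_by_source(SAMPLE).most_common():
        print(f"{count:3d}  event {event_id}  from {source}")
```
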
 
Zachary
Guest
Posts: n/a

 
      10-26-2009
Additional references I have found. These describe my situation also but
they have no solution.
http://www.eggheadcafe.com/software/...king-doma.aspx
http://antionline.com/archive/index.php/t-272867.html

 
Zachary
Guest
Posts: n/a

 
      10-26-2009
Found one of the culprits. The Exchange service account for legacy access
was set to the domain admin. This is found in the System
Manager > Administrative Groups and then right click your administrative group
and on the general tab you will see this setting. I am still receiving this
error yet from the Exchange server: Any ideas?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Zachary" <> wrote in message
news:...
> Additional references i have found. These describe my situation also but
> they have no solution.
> http://www.eggheadcafe.com/software/...king-doma.aspx
> http://antionline.com/archive/index.php/t-272867.html
>
> "Zachary" <> wrote in message
> news:eJ$...
>> Cross posting this to an exchange group.
>>
>> "Zachary" <> wrote in message
>> news:...
>>>I found this error. When i look at PID 4968 it is mad.exe which points
>>>to the MSExchangeSA service. I looked in the services MMC and that
>>>service is set to log on as Local System. Why would it be trying to use
>>>the domain admin account?
>>>
>>> Event Type: Failure Audit
>>> Event Source: Security
>>> Event Category: Logon/Logoff
>>> Event ID: 529
>>> Date: 10/26/2009
>>> Time: 11:02:01 AM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: EXCHANGE
>>> Description:
>>> Logon Failure:
>>> Reason: Unknown user name or bad password
>>> User Name: Administrator
>>> Domain: DOMAIN
>>> Logon Type: 7
>>> Logon Process: Advapi
>>> Authentication Package: Negotiate
>>> Workstation Name: EXCHANGE
>>> Caller User Name: EXCHANGE$
>>> Caller Domain: DOMAIN
>>> Caller Logon ID: (0x0,0x3E7)
>>> Caller Process ID: 4968
>>> Transited Services: -
>>> Source Network Address: -
>>> Source Port: -
>>>
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>>
>>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:. com...
>>>> Hello Zachary,
>>>>
>>>> So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as
>>>> listed in the event viewer entries?
>>>>
>>>> Also listed "0xc000006a" is bad password.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>
>>>>> Ok, with that being the case, is there more detailed auditing i can
>>>>> turn on
>>>>> to find out what service or app is attempting to make these
>>>>> authentications?
>>>>> When i look in the services mmc i don't see any services using the
>>>>> administrator account for validation and the only in house app being
>>>>> used is
>>>>> our intranet site and that is clean.
>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>>> news:. com...
>>>>>> Hello Zachary,
>>>>>>
>>>>>> The domain administrator will automatically unlock, after being
>>>>>> locked out
>>>>>>
>>>>>> as soon as the correct password is used.
>>>>>>
>>>>>> http://blogs.dirteam.com/blogs/jorge.../The-Default-d
>>>>>> omain-administrator-account-is-locked_21003F00_.aspx
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>>>> confers no rights.
>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>> If that is the case, shouldn't the domain account be locked out? We
>>>>>>> have a lockout policy and if a service or app attempts to validate
>>>>>>> credentials that may time unsuccessfully it should lock the account
>>>>>>> out.
>>>>>>>
>>>>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>>>>> news:. com...
>>>>>>>
>>>>>>>> Hello Zachary,
>>>>>>>>
>>>>>>>> Seems that there are still some services/applications running that
>>>>>>>> need the password change. See also:
>>>>>>>> http://chicagotech.net/netforums/viewtopic.php?t=4853
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> Meinolf Weber
>>>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>>>> and
>>>>>>>> confers no rights.
>>>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>>>> Hi everyone,
>>>>>>>>>
>>>>>>>>> Recently I have performed a password change on the default domain
>>>>>>>>> administrator account. Before the change was made last Friday I
>>>>>>>>> made sure to find all services and scheduled tasks in our network
>>>>>>>>> that were using the domain admin account and changed them to use
>>>>>>>>> their own service account. After the change all system
>>>>>>>>> functionality has been restored. (I.E. Exchange, Blackberry, our
>>>>>>>>> ERP system, everything is working) On top of that, the domain
>>>>>>>>> admin account isn't getting locked out. That should mean that
>>>>>>>>> there isn't anything with a stored password attempting to use the
>>>>>>>>> old password. With all that said, however, I am still receiving
>>>>>>>>> security failures in the event viewer on our primary DC. The
>>>>>>>>> failures are below. Any help understanding these on these would
>>>>>>>>> be appreciated.
>>>>>>>>>
>>>>>>>>> FYI - In doing research on the 4771 events I have found that the
>>>>>>>>> failure code 0x18 usually means a bad password. What I don't
>>>>>>>>> understand is that the two IP addresses listed with those events
>>>>>>>>> are our backup DCs.
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:32:08 AM
>>>>>>>>> Event ID: 4771
>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>> Account Information:
>>>>>>>>> Security ID: domain\Administrator
>>>>>>>>> Account Name: Administrator
>>>>>>>>> Service Information:
>>>>>>>>> Service Name: krbtgt/domain
>>>>>>>>> Network Information:
>>>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>>>> Client Port: 4240
>>>>>>>>> Additional Information:
>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>> Failure Code: 0x18
>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>> Certificate Information:
>>>>>>>>> Certificate Issuer Name:
>>>>>>>>> Certificate Serial Number:
>>>>>>>>> Certificate Thumbprint:
>>>>>>>>> Certificate information is only provided if a certificate was used
>>>>>>>>> for
>>>>>>>>> pre-authentication.
>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>> defined in RFC 4120.
>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>> present.
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:32:07 AM
>>>>>>>>> Event ID: 4771
>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>> Account Information:
>>>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>>>> Account Name: Administrator
>>>>>>>>> Service Information:
>>>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>>>> Network Information:
>>>>>>>>> Client Address: ::ffff:10.0.1.254
>>>>>>>>> Client Port: 4238
>>>>>>>>> Additional Information:
>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>> Failure Code: 0x18
>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>> Certificate Information:
>>>>>>>>> Certificate Issuer Name:
>>>>>>>>> Certificate Serial Number:
>>>>>>>>> Certificate Thumbprint:
>>>>>>>>> Certificate information is only provided if a certificate was used
>>>>>>>>> for
>>>>>>>>> pre-authentication.
>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>> defined in RFC 4120.
>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>> present.
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:32:01 AM
>>>>>>>>> Event ID: 4771
>>>>>>>>> Task Category: Kerberos Authentication Service
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> Kerberos pre-authentication failed.
>>>>>>>>> Account Information:
>>>>>>>>> Security ID: DOMAIN\Administrator
>>>>>>>>> Account Name: Administrator
>>>>>>>>> Service Information:
>>>>>>>>> Service Name: krbtgt/DOMAIN
>>>>>>>>> Network Information:
>>>>>>>>> Client Address: ::ffff:10.0.1.249
>>>>>>>>> Client Port: 21106
>>>>>>>>> Additional Information:
>>>>>>>>> Ticket Options: 0x40810010
>>>>>>>>> Failure Code: 0x18
>>>>>>>>> Pre-Authentication Type: 2
>>>>>>>>> Certificate Information:
>>>>>>>>> Certificate Issuer Name:
>>>>>>>>> Certificate Serial Number:
>>>>>>>>> Certificate Thumbprint:
>>>>>>>>> Certificate information is only provided if a certificate was used
>>>>>>>>> for
>>>>>>>>> pre-authentication.
>>>>>>>>> Pre-authentication types, ticket options and failure codes are
>>>>>>>>> defined in RFC 4120.
>>>>>>>>> If the ticket was malformed or damaged during transit and could
>>>>>>>>> not be decrypted, then many fields in this event might not be
>>>>>>>>> present.
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:31:31 AM
>>>>>>>>> Event ID: 4776
>>>>>>>>> Task Category: Credential Validation
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> The domain controller attempted to validate the credentials for an
>>>>>>>>> account.
>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>> Logon Account: Administrator
>>>>>>>>> Source Workstation: EXCHANGESERVER
>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>> -------------------------------------------------------------
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>>>> Event ID: 4776
>>>>>>>>> Task Category: Credential Validation
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> The domain controller attempted to validate the credentials for an
>>>>>>>>> account.
>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>> Logon Account: administrator
>>>>>>>>> Source Workstation: ERPSERVER
>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:28:49 AM
>>>>>>>>> Event ID: 4776
>>>>>>>>> Task Category: Credential Validation
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> The domain controller attempted to validate the credentials for an
>>>>>>>>> account.
>>>>>>>>> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>>>>>>>> Logon Account: administrator
>>>>>>>>> Source Workstation: SYTEUTIL
>>>>>>>>> Error Code: 0xc000006a
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>> Log Name: Security
>>>>>>>>> Source: Microsoft-Windows-Security-Auditing
>>>>>>>>> Date: 10/26/2009 8:27:01 AM
>>>>>>>>> Event ID: 4769
>>>>>>>>> Task Category: Kerberos Service Ticket Operations
>>>>>>>>> Level: Information
>>>>>>>>> Keywords: Audit Failure
>>>>>>>>> User: N/A
>>>>>>>>> Computer: DC.domain.com
>>>>>>>>> Description:
>>>>>>>>> A Kerberos service ticket was requested.
>>>>>>>>> Account Information:
>>>>>>>>> Account Name: DC$@DOMAIN.COM
>>>>>>>>> Account Domain: DOMAIN.COM
>>>>>>>>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>>>>>>>> Service Information:
>>>>>>>>> Service Name: krbtgt/DOMAIN.COM
>>>>>>>>> Service ID: NULL SID
>>>>>>>>> Network Information:
>>>>>>>>> Client Address: ::1
>>>>>>>>> Client Port: 0
>>>>>>>>> Additional Information:
>>>>>>>>> Ticket Options: 0x60810010
>>>>>>>>> Ticket Encryption Type: 0xffffffff
>>>>>>>>> Failure Code: 0xe
>>>>>>>>> Transited Services: -
>>>>>>>>> This event is generated every time access is requested to a
>>>>>>>>> resource
>>>>>>>>> such as a computer or a Windows service. The service name
>>>>>>>>> indicates
>>>>>>>>> the resource to which access was requested.
>>>>>>>>> This event can be correlated with Windows logon events by
>>>>>>>>> comparing
>>>>>>>>> the Logon GUID fields in each event. The logon event occurs on
>>>>>>>>> the
>>>>>>>>> machine that was accessed, which is often a different machine than
>>>>>>>>> the domain controller which issued the service ticket.
>>>>>>>>> Ticket options, encryption types, and failure codes are defined in
>>>>>>>>> RFC 4120.
>>>>>>>>>

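Added example (not part of the original thread): a small Python triage script that groups the audit failures quoted above by account, source, and decoded code, so the two backup-DC addresses behind the 4771 events and the member servers behind the 4776 events stand out. The sample input is constructed from abbreviated fields of the quoted events; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) and the NTSTATUS value seen in the thread.
CODES = {"0x18": "KDC_ERR_PREAUTH_FAILED", "0xe": "KDC_ERR_ETYPE_NOSUPP",
         "0xc000006a": "STATUS_WRONG_PASSWORD"}

# Constructed sample: fields abbreviated from the events quoted in the thread.
SAMPLE = """\
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.254
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4771
Account Name: Administrator
Client Address: ::ffff:10.0.1.249
Failure Code: 0x18
------------------------------------------------------------
Event ID: 4776
Logon Account: administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
------------------------------------------------------------
Event ID: 4769
Account Name: DC$@DOMAIN.COM
Client Address: ::1
Failure Code: 0xe
"""

def parse_events(text):
    """Split an Event Viewer text export on dashed rules into field dicts."""
    events = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        # "Key: value" lines only; section headers with no value are skipped.
        fields = dict(re.findall(r"^\s*([A-Za-z][\w -]*?):[ \t]*(\S.*?)\s*$", chunk, flags=re.M))
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (event id, account, source, decoded code)."""
    tally = Counter()
    for ev in events:
        account = (ev.get("Account Name") or ev.get("Logon Account", "?")).lower()
        source = ev.get("Source Workstation") or ev.get("Client Address", "?")
        source = source.removeprefix("::ffff:")  # IPv4-mapped IPv6 -> plain IPv4
        raw = ev.get("Failure Code") or ev.get("Error Code", "?")
        tally[(ev["Event ID"], account, source, CODES.get(raw.lower(), raw))] += 1
    return tally
```

Calling `summarize(parse_events(SAMPLE)).most_common()` lists the noisiest sources first; each source named there is the host whose services, scheduled tasks, mapped drives, or disconnected sessions are worth checking for a stale Administrator credential.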