Security audit failures - any idea why?

Discussion in 'Windows Small Business Server' started by Eugene Tan, Apr 5, 2004.

  1. Eugene Tan

    Eugene Tan Guest

    hi,

    Some of my customers with SBS2k have these security audit failures in the
    EventLog. Many have audit success msgs, but some have failures as per
    Log below. The setups are similar, with a mix of Win2k and WinXP with
    most PCs being win2k.

    I've applied that patch for winXP in a SBS2k network, but it didn't make
    any diff in these msgs. However, the patch did appear to alleviate the
    symptom of taking 10 secs or longer to save a simple Word doc file.

    On this SBS2k concerned, I've disabled Sign comms when possible/always
    both, but secure comms part of Security policies is unchanged, and this was
    done in Domain and Domain controller policies.

    TIA,
    Eugene Tan
    -
    Log extract from 1st Apr onwards follows:
    -
    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 617
    Date: 1/4/04
    Time: 7:53:26 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Kerberos Policy Changed:
    Changed By:
    User Name: SERVER$
    Domain Name: FTK
    Logon ID: (0x0,0x3E7)
    Changes made:
    ('--' means no changes, otherwise each change is shown as:
    <ParameterName>: <new value> (<old value>))
    KerLogoff: 0x764920b20062f88c (0x764920b2005af88c);
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 677
    Date: 1/4/04
    Time: 5:52:40 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Service Ticket Request Failed:
    User Name: SERVER$
    User Domain: FTK.LOCAL
    Service Name: krbtgt/FTK.LOCAL
    Ticket Options: 0x2
    Failure Code: 0x20
    Client Address: 127.0.0.1
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 677
    Date: 1/4/04
    Time: 6:07:15 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Service Ticket Request Failed:
    User Name: PC4$
    User Domain: FTK.LOCAL
    Service Name: krbtgt/FTK.LOCAL
    Ticket Options: 0x2
    Failure Code: 0x20
    Client Address: 192.168.16.121
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 677
    Date: 1/4/04
    Time: 6:07:15 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Service Ticket Request Failed:
    User Name: PC4$
    User Domain: FTK.LOCAL
    Service Name: krbtgt/FTK.LOCAL
    Ticket Options: 0x2
    Failure Code: 0x20
    Client Address: 192.168.16.121
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 537
    Date: 1/4/04
    Time: 6:17:58 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Logon Failure:
    Reason: An unexpected error occurred during logon
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: -
    ---
    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 617
    Date: 2/4/04
    Time: 8:12:00 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Kerberos Policy Changed:
    Changed By:
    User Name: SERVER$
    Domain Name: FTK
    Logon ID: (0x0,0x3E7)
    Changes made:
    ('--' means no changes, otherwise each change is shown as:
    <ParameterName>: <new value> (<old value>))
    KerLogoff: 0x764920b20152f88c (0x764920b20062f88c);
    ---

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 677
    Date: 2/4/04
    Time: 8:16:09 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Service Ticket Request Failed:
    User Name:
    User Domain:
    Service Name: krbtgt/FTK.LOCAL
    Ticket Options: 0x2
    Failure Code: 0x20
    Client Address: 192.168.16.20
    ----
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date: 2/4/04
    Time: 9:48:05 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Pre-authentication failed:
    User Name: joyce
    User ID: FTK\joyce
    Service Name: krbtgt/FTK
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 192.168.16.10
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date: 2/4/04
    Time: 1:56:03 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Pre-authentication failed:
    User Name: Tsc
    User ID: FTK\Tsc
    Service Name: krbtgt/FTK
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 192.168.16.229
    ---
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date: 2/4/04
    Time: 1:56:10 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Pre-authentication failed:
    User Name: Tsc
    User ID: FTK\Tsc
    Service Name: krbtgt/FTK
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 192.168.16.229
     
    Eugene Tan, Apr 5, 2004
    #1
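
Added example, not part of the original thread: a small Python triage script for an Event Viewer text dump like the one in the post above. It groups the 675/677 failure audits by Kerberos failure code, account and client address; the error names come from RFC 4120, and the function names and trimmed sample records are this example's own.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120); only the two that occur in the post's log.
KRB_ERRORS = {0x18: "KDC_ERR_PREAUTH_FAILED", 0x20: "KRB_AP_ERR_TKT_EXPIRED"}

# Sample input: records trimmed from the log extract in the post above.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 677
User Name: PC4$
Failure Code: 0x20
Client Address: 192.168.16.121
---
Event Type: Failure Audit
Event ID: 677
User Name:
Failure Code: 0x20
Client Address: 192.168.16.20
---
Event Type: Failure Audit
Event ID: 675
User Name: joyce
Failure Code: 0x18
Client Address: 192.168.16.10
"""

def parse_events(text):
    """Split an Event Viewer text dump on '---' lines into field dicts."""
    events = []
    for chunk in re.split(r"(?m)^[ \t]*-{3,}[ \t]*$", text):
        parts = (line.strip().partition(":") for line in chunk.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in parts if sep}
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count 675/677 failure audits per (event ID, error, account, client)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event Type") == "Failure Audit" and ev["Event ID"] in ("675", "677"):
            code = int(ev.get("Failure Code", "0x0"), 16)
            error = KRB_ERRORS.get(code, f"unknown 0x{code:x}")
            user = ev.get("User Name") or "(blank)"
            counts[(ev["Event ID"], error, user, ev.get("Client Address", "-"))] += 1
    return counts

print(summarize(parse_events(SAMPLE)))
```
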

  2. Eugene Tan

    Henry Craven Guest

    Henry Craven, Apr 5, 2004
    #2

  3. Eugene Tan

    Eugene Tan Guest

    Thanks Henry,

    That site is very useful. I had lost the link.

    Cheers,
    Eugene Tan

    ===========================
     
    Eugene Tan, Apr 6, 2004
    #3