Windows Server - Pre-authentication events logged, but not lock-out or auth failure

Asked By cmhnz
03-Nov-09 10:33 AM
Hi all,

We've discovered that we are not receiving any event IDs 529, 531, 532
or 544 on our domain controllers.  These identify username/password
failure, account expired/disabled/locked out.

Instead, we are receiving pre-authentication failure events (ID 675)
with various Failure Codes which identify what the failure relates to.
This started happening a couple of months ago but has only just come to
light, and we are unsure why.  Failed logon attempts directly to the
domain controllers are logged with the specific ID (529 etc), but are
logged as ID 675 on any other workstation/server on the domain.

To my knowledge, no changes were implemented when this started
occurring, and although it appears failed logons are getting logged as
pre-authentication failures, this is not ideal as we use GFI
EventsManager to report on failed logins and really need the events
logged as their specific IDs (529, 531 etc).

Any help greatly appreciated.

Cheers,
Chris


--
cmhnz
------------------------------------------------------------------------
cmhnz's Profile: http://forums.techarena.in/members/151326.htm
View this thread: http://forums.techarena.in/active-directory/1266595.htm

http://forums.techarena.in
  Jorge Silva replied...
03-Nov-09 11:43 AM
Hi
Read this:
http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
  cmhnz replied to Jorge Silva
04-Nov-09 05:47 AM
Thanks for that page, it was interesting reading, but I could not find
anything that helped identify our problem.  One thing I forgot to
mention, which I am sure is not related, is our Security event logs on all
DC's had grown over the specified size of 65536kb and were about 250MB.
I have no idea how, so I reduced the size slightly and cleared the logs
and will see if they overwrite themselves as they are set to when they
reach the set limit.

Back to the event ID issue, this problem is affecting logon events to
all servers/workstations except our DC's.  If I attempt to logon
directly to a DC with the incorrect password, it records the correct ID
(529).  Any other machine on our domain records ID 675 with failure code
0x18.  If it was just a couple of machines then that would give me an
easier place to start, but because it is affecting all machines except
DCs it suggests to me a domain wide/DC problem.

We also do not seem to be receiving successful logon events either, i.e.
no ID 528s but IDs 672 & 673 instead.

Any help appreciated.

Cheers,
Chris


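For a report that has to count failed logons whether the DC recorded a legacy 529-family event or a Kerberos pre-authentication failure (675), the two formats need to be normalised to one record. The following is an added example, not code from the thread or from GFI EventsManager: it maps the RFC 4120 KRB-ERROR codes carried in the 675 "Failure Code" field (0x18 is KDC_ERR_PREAUTH_FAILED, the bad-password case cmhnz is seeing) onto the equivalent legacy reasons. The sample events, the CORP domain and the addresses are constructed.

```python
import re
from collections import Counter

# Kerberos KRB-ERROR codes (RFC 4120) as they appear in the Failure Code field of
# Security event 675, mapped to the legacy logon-failure event they correspond to.
KRB_FAILURE_CODES = {
    0x06: (529, "unknown user name"),                        # KDC_ERR_C_PRINCIPAL_UNKNOWN
    0x12: (531, "account disabled, expired or locked out"),  # KDC_ERR_CLIENT_REVOKED
    0x17: (535, "password expired"),                         # KDC_ERR_KEY_EXPIRED
    0x18: (529, "bad password"),                             # KDC_ERR_PREAUTH_FAILED
}
LEGACY_REASONS = {529: "unknown user name or bad password", 531: "account disabled",
                  532: "account expired", 535: "password expired", 539: "account locked out"}

def field(message, name):
    """Return the value of a 'Name:  value' line from an event description, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(\S.*?)\s*$", message, re.M)
    return m.group(1) if m else None

def normalize(event_id, message):
    """Turn a 675 or a 529-family event into one failed-logon record; ignore anything else."""
    user = field(message, "User Name")
    if event_id == 675:
        code = int(field(message, "Failure Code"), 16)
        equiv, reason = KRB_FAILURE_CODES.get(code, (None, "other Kerberos error 0x%x" % code))
        return {"user": user, "source": field(message, "Client Address"),
                "event_id": equiv, "reason": reason, "kerberos_code": code}
    if event_id in LEGACY_REASONS:
        source = field(message, "Source Network Address") or field(message, "Workstation Name")
        return {"user": user, "source": source, "event_id": event_id,
                "reason": LEGACY_REASONS[event_id], "kerberos_code": None}
    return None

def failures_per_user(events):
    """Count failed logons per user regardless of which event ID the DC wrote."""
    return Counter(r["user"] for r in (normalize(i, m) for i, m in events) if r)

# Constructed sample events (event ID, description) in the Windows 2003-era text layout.
SAMPLE_EVENTS = [
    (675, "Pre-authentication failed:\n    User Name:  jsmith\n    User ID:  CORP\\jsmith\n"
          "    Service Name:  krbtgt/CORP\n    Pre-Authentication Type:  0x2\n"
          "    Failure Code:  0x18\n    Client Address:  10.0.0.23"),
    (675, "Pre-authentication failed:\n    User Name:  bob\n    Failure Code:  0x12\n"
          "    Client Address:  10.0.0.40"),
    (529, "Logon Failure:\n    Reason:  Unknown user name or bad password\n"
          "    User Name:  jsmith\n    Domain:  CORP\n    Logon Type:  2\n"
          "    Workstation Name:  DC01\n    Source Network Address:  127.0.0.1"),
    (672, "Authentication Ticket Granted:\n    User Name:  jsmith"),  # a success, not counted
]

if __name__ == "__main__":
    for user, n in failures_per_user(SAMPLE_EVENTS).items():
        print(f"{user}: {n} failed logon(s)")
```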
  Paul Bergson [MVP-DS] replied to cmhnz
04-Nov-09 08:36 AM
I am unfamiliar with this specific issue, but I did some research and here
are a couple of things to review:

http://support.microsoft.com/kb/328570

http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
  cmhnz replied to Paul Bergson [MVP-DS]
04-Nov-09 10:39 AM
Thanks for your input, but the entries missing on the first link are
populated on the workstations, eg:

dNSHostName: workstation.dhcp.domain.co.uk
servicePrincipalName: HOST/workstation.dhcp.domain.co.uk
servicePrincipalName: HOST/WORKSTATION

I have read through the second link a couple of times, but could not find
anything that helped me resolve this issue.

I will keep hunting though.

Cheers,
Chris

