Re: Security audit failures - any idea why?
From: Henry Craven (IUnknown_at_d.com)
Date: 04/05/04
Date: Mon, 5 Apr 2004 05:38:22 -0700
Try Event ID. (Well worth subscribing to.)
http://www.eventid.net/display.asp?eventid=617&source=
---
Henry Craven
"Eugene Tan" <insights-[dropthis]@post1.com> wrote in message
news:OapX7zsGEHA.576@TK2MSFTNGP11.phx.gbl...
> hi,
>
> Some of my customers with SBS2k have these security audit failures in the
> EventLog. Many have audit success msgs, but some have failures as per
> Log below. The setups are similar, with a mix of Win2k and WinXP with
> most PCs being win2k.
>
> I've applied that patch for winXP in a SBS2k network, but it didn't make
> any diff in these msgs. However, the patch did appear to alleviate the
> symptom of taking 10 secs or longer to save a simple Word doc file.
>
> On this SBS2k concerned, I've disabled Sign comms when possible/always
> both, but secure comms part of Security policies is unchanged, and this was
> done in Domain and Domain controller policies.
>
> TIA,
> Eugene Tan
> -
> Log extract from 1st Apr onwards follows:
> -
> Event Type: Success Audit
> Event Source: Security
> Event Category: Policy Change
> Event ID: 617
> Date: 1/4/04
> Time: 7:53:26 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Kerberos Policy Changed:
> Changed By:
> User Name: SERVER$
> Domain Name: FTK
> Logon ID: (0x0,0x3E7)
> Changes made:
> ('--' means no changes, otherwise each change is shown as:
> <ParameterName>: <new value> (<old value>))
> KerLogoff: 0x764920b20062f88c (0x764920b2005af88c);
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 677
> Date: 1/4/04
> Time: 5:52:40 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Service Ticket Request Failed:
> User Name: SERVER$
> User Domain: FTK.LOCAL
> Service Name: krbtgt/FTK.LOCAL
> Ticket Options: 0x2
> Failure Code: 0x20
> Client Address: 127.0.0.1
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 677
> Date: 1/4/04
> Time: 6:07:15 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Service Ticket Request Failed:
> User Name: PC4$
> User Domain: FTK.LOCAL
> Service Name: krbtgt/FTK.LOCAL
> Ticket Options: 0x2
> Failure Code: 0x20
> Client Address: 192.168.16.121
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 677
> Date: 1/4/04
> Time: 6:07:15 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Service Ticket Request Failed:
> User Name: PC4$
> User Domain: FTK.LOCAL
> Service Name: krbtgt/FTK.LOCAL
> Ticket Options: 0x2
> Failure Code: 0x20
> Client Address: 192.168.16.121
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 537
> Date: 1/4/04
> Time: 6:17:58 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Logon Failure:
> Reason: An unexpected error occurred during logon
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> ---
> Event Type: Success Audit
> Event Source: Security
> Event Category: Policy Change
> Event ID: 617
> Date: 2/4/04
> Time: 8:12:00 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Kerberos Policy Changed:
> Changed By:
> User Name: SERVER$
> Domain Name: FTK
> Logon ID: (0x0,0x3E7)
> Changes made:
> ('--' means no changes, otherwise each change is shown as:
> <ParameterName>: <new value> (<old value>))
> KerLogoff: 0x764920b20152f88c (0x764920b20062f88c);
> ---
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 677
> Date: 2/4/04
> Time: 8:16:09 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Service Ticket Request Failed:
> User Name:
> User Domain:
> Service Name: krbtgt/FTK.LOCAL
> Ticket Options: 0x2
> Failure Code: 0x20
> Client Address: 192.168.16.20
> ----
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 675
> Date: 2/4/04
> Time: 9:48:05 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Pre-authentication failed:
> User Name: joyce
> User ID: FTK\joyce
> Service Name: krbtgt/FTK
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 192.168.16.10
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 675
> Date: 2/4/04
> Time: 1:56:03 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Pre-authentication failed:
> User Name: Tsc
> User ID: FTK\Tsc
> Service Name: krbtgt/FTK
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 192.168.16.229
> ---
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 675
> Date: 2/4/04
> Time: 1:56:10 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER
> Description:
> Pre-authentication failed:
> User Name: Tsc
> User ID: FTK\Tsc
> Service Name: krbtgt/FTK
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 192.168.16.229
>
>
>