|Type: Failure Audit|
Service Ticket Request:
User Domain: <domain name>
Service Name: <service name>
Service ID: <id>
Ticket Options: <code>
Ticket Encryption Type: <type>
Client Address: <ip address>
Failure Code: <failure code>
Logon GUID: <GUID>
Transited Services: <services>
|Concepts to understand:|
What is a GUID?
See ME824905 for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows Server 2003. This hotfix is also included in Windows 2003 Service Pack 1.
As per Microsoft: "This message indicates that the domain controller either issued or failed to issue a Kerberos service ticket". See MSW2KDB and ME274176 for more details on this event.
The most common occurrence of this event has the following parameters:
- Ticket options: 0x40830000
- IP address: 127.0.0.1 (the localhost)
- Failure code: 0xD
The Kerberos ticket options refer to various flags that the requestor wants to set for the ticket. See the "Kerberos ticket options" article for the interpretation of various values that this field can take.
Failure code: 0xD (13 in decimal) = KDC cannot accommodate requested option (KDC_ERR_BADOPTION)
Ticket option: 0x40830000, code: 0xD - From a newsgroup post: "This failure seems to indicate that an anonymous connection is being requested and denied. If you find this tightly coupled with a success then it may be that the client process simply first tries for a null session and then negotiates a secured one."
As per Microsoft, the "anonymous bit flag (bit 14) indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key."
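As an added example (not code from the EventID.net page or from Microsoft), the following Python decodes the Ticket Options bitmask and the Failure Code of a 673 description and flags the localhost 0x40830000 / 0xD pattern described above. Bit names follow the KDCOptions flags of RFC 4120 with Microsoft's numbering for this field (bit 0 is the most significant bit, so bit 14 is 0x00020000); the failure-code table is a subset of the RFC 4120 KRB-ERROR codes. The sample event text is constructed for the example, and the function names and verdict strings are this example's own.

```python
import re

# KDCOptions bits, numbered MSB-first as in the ASN.1 BIT STRING
# (bit 0 = 0x80000000), per RFC 4120 section 5.4.1 and Microsoft's table
# for the Ticket Options field. Microsoft's table lists bit 14 as the
# anonymous flag (RFC 6112 later assigned request-anonymous to bit 16).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "anonymous", 15: "name-canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Subset of the KRB-ERROR codes from RFC 4120 section 7.5.9; the event
# writes the code in hex (0xD = 13 = KDC_ERR_BADOPTION).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0C: "KDC_ERR_POLICY", 0x0D: "KDC_ERR_BADOPTION",
    0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW",
}

# Constructed sample: the description text of one 673 failure audit in the
# field layout shown on this page (all values are made up for the example).
SAMPLE_EVENT = """Service Ticket Request:
User Domain: CORP.EXAMPLE
Service Name: krbtgt
Service ID: CORP\\krbtgt
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 127.0.0.1
Failure Code: 0xD
Logon GUID: -
Transited Services: -
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event_text(text):
    """Map the 'Field: value' lines of the description to a dict.
    Lines with no value (the 'Service Ticket Request:' header) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def decode_ticket_options(value):
    """Return the names of the KDCOptions bits set in a Ticket Options value
    (int or '0x...' string), MSB first; bits without a name are reported by number."""
    if isinstance(value, str):
        value = int(value, 16)
    names = []
    for bit in range(32):
        if value & (1 << (31 - bit)):
            names.append(KDC_OPTION_BITS.get(bit, f"bit{bit}"))
    return names


def decode_failure_code(code):
    """Return the RFC 4120 name for a Failure Code (int or '0x...' string)."""
    if isinstance(code, str):
        code = int(code, 16)
    return FAILURE_CODES.get(code, f"unknown(0x{code:X})")


def classify(fields):
    """Short triage verdict for one parsed 673 failure audit (hypothetical labels)."""
    opts = decode_ticket_options(fields["Ticket Options"])
    failure = decode_failure_code(fields["Failure Code"])
    client = fields.get("Client Address", "")
    if failure == "KDC_ERR_BADOPTION" and "anonymous" in opts:
        if client in ("127.0.0.1", "::1"):
            # The pattern the page calls the most common occurrence: a local
            # anonymous (null-session) attempt refused by the KDC.
            return "benign-pattern: local anonymous option refused (0x40830000/0xD)"
        return "review: anonymous option refused for remote client " + client
    return "review: %s with options %s" % (failure, ", ".join(opts))


if __name__ == "__main__":
    parsed = parse_event_text(SAMPLE_EVENT)
    print(decode_ticket_options(parsed["Ticket Options"]))
    print(decode_failure_code(parsed["Failure Code"]))
    print(classify(parsed))
```

For 0x40830000 the decoder reports forwardable, renewable, anonymous and name-canonicalize, which is what makes the newsgroup explanation below plausible: the request carries the anonymous flag, and the KDC refuses it with KDC_ERR_BADOPTION. The same decoder applied to a non-loopback Client Address separates the routine local case from one worth looking at.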
From a newsgroup post: "Technically speaking, the 673 Failure Audits are due to users & computers with expired TGTs they are trying to renew. Please make sure that the time between the client and the server is synchronized. In addition, this issue may also occur if the client computer does not support S4U. Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. The Kerberos client on a Windows 2003 server will regularly (every 15 minutes by default) check the KDC to see if it supports S4U. If the client doesn't support S4U, a failure security log will be recorded."
S4U = Service-for-User extensions
From a newsgroup post: "Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. Windows 2003 DCs will also regularly log an equivalent event 673 (every 15 minutes by default) because the Windows 2003 Kerberos client similarly checks for S4U capability. S4U capability requires a Windows 2003 Native domain, as well as for the relevant machine accounts to be configured for constrained delegation.
As I know, there is a hotfix (824905) for Win2k3. To get the hotfix file, please contact the Microsoft Web Support Service."
|Links: ME217098, ME230669, ME274176, ME824905, Kerberos ticket options, Online Analysis of Security Event Log, Security Settings in Windows Server 2003 and Windows XP, MSW2KDB|