Event ID: 673 Source: Security

Description
Service Ticket Request:
  User Name:
  User Domain:  <domain name>
  Service Name:  <service name>
  Service ID:  <id>
  Ticket Options:  <code>
  Ticket Encryption Type: <type>
  Client Address:  <ip address>
  Failure Code:  <failure code>
  Logon GUID:  <GUID>
  Transited Services: <services>
Comments
 
See ME824905 for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows Server 2003. This hotfix is also included in Windows 2003 Service Pack 1.

As per Microsoft: "This message indicates that the domain controller either issued or failed to issue a Kerberos service ticket". See MSW2KDB and ME274176 for more details on this event.
The most common occurrence of this event has the following parameters:
- Ticket options: 0x40830000
- IP address: 127.0.0.1 (the localhost)
- Failure code: 0xD

The Kerberos ticket options refer to various flags that the requestor wants to set for the ticket. See the "Kerberos ticket options" article for the interpretation of various values that this field can take.

Failure code: 0xD (13 in decimal) = KDC cannot accommodate requested option (KDC_ERR_BADOPTION)

Ticket option: 0x40830000, code: 0xD - From a newsgroup post: "This failure seems to indicate that an anonymous connection is being requested and denied.  If you find this tightly coupled with a success then it may be that the client process simply first tries for a null session and then negotiates a secured one."
As per Microsoft, the "anonymous bit flag (bit 14) indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key".

From a newsgroup post: "Technically speaking, the 673 Failure Audits are due to users & computers with expired TGTs they are trying to renew. Please make sure that the time between the client and the server is synchronized. In addition, this issue may also occur if the client computer does not support S4U. Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. The Kerberos client on a Windows 2003 server will regularly (every 15 minutes by default) check the KDC to see if it supports S4U. If the client doesn't support S4U, a failure security log will be recorded."
S4U = Service-for-User extensions

From a newsgroup post: "Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. Windows 2003 DCs will also regularly log an equivalent event 673 (every 15 minutes by default) because the Windows 2003 Kerberos client similarly checks for S4U capability. S4U capability requires a Windows 2003 Native domain, as well as for the relevant machine accounts to be configured for constrained delegation.
As I know, there is a hotfix (824905) for Win2k3. To get the hotfix file, please contact the Microsoft Web Support Service."
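
The field interpretation described above, as an added example (not code from the original page or from Microsoft): it splits a Ticket Options value into its flag bits and separates events that match the common pattern listed above from failures that need a closer look. Flag names follow RFC 4120 and MS-SFU; the sample event values, the triage labels and the treatment of a non-hex Failure Code as success are assumptions.

```python
# KDC option bits are numbered from the most significant bit (bit 0 = 0x80000000).
# Names follow RFC 4120; bit 14 is the page's "anonymous" flag, which MS-SFU
# reuses as cname-in-addl-tkt for S4U2Proxy requests.
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "request-anonymous/cname-in-addl-tkt",
    15: "canonicalize", 26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

def decode_ticket_options(value):
    """Return the names of the flags set in a Ticket Options value."""
    return [KDC_OPTIONS.get(bit, f"bit{bit}")
            for bit in range(32) if value & (0x80000000 >> bit)]

def parse_673(text):
    """Parse the 'Field: value' lines of an event 673 description."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def triage(fields):
    """Label one event: 'success', 'known-noise' (the page's pattern) or 'review'."""
    flags = decode_ticket_options(int(fields["Ticket Options"], 16))
    raw = fields.get("Failure Code", "-")
    # Assumption: anything that is not a hex code (e.g. "-") means no failure.
    code = int(raw, 16) if raw.lower().startswith("0x") else 0
    if code == 0:
        return "success", flags
    if (code == 0xD and KDC_OPTIONS[14] in flags
            and fields.get("Client Address") == "127.0.0.1"):
        return "known-noise", flags   # KDC_ERR_BADOPTION from the DC itself
    return "review", flags

# Constructed sample event in the layout of the description above.
SAMPLE = """Service Ticket Request:
  User Name:
  User Domain:  EXAMPLE.LOCAL
  Ticket Options:  0x40830000
  Client Address:  127.0.0.1
  Failure Code:  0xD
"""

if __name__ == "__main__":
    print(triage(parse_673(SAMPLE)))
```
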
