for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows Server 2003. This hotfix is also included in Windows 2003 Service Pack 1.
As per Microsoft: "This message indicates that the domain controller either issued or failed to issue a Kerberos service ticket". See MSW2KDB for more details on this event.
The most common occurrence of this event has the following parameters:
- Ticket options: 0x40830000
- IP address: 127.0.0.1 (the localhost)
- Failure code: 0xD
The Kerberos ticket options refer to various flags that the requestor wants to set for the ticket. See the "Kerberos ticket options" article for the interpretation of various values that this field can take.
Failure code: 0xD (13 in decimal) = KDC cannot accommodate requested option (KDC_ERR_BADOPTION)
Ticket option: 0x40830000, code: 0xD - From a newsgroup post: "This failure seems to indicate that an anonymous connection is being requested and denied. If you find this tightly coupled with a success then it may be that the client process simply first tries for a null session and then negotiates a secured one."
As per Microsoft, the "anonymous bit flag (bit 14) indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key."
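The ticket options value can be read bit by bit. The following is an added example, not taken from Microsoft or from the newsgroup posts quoted here: it decodes the bitmask using Kerberos numbering (bit 0 is the most significant bit) and marks the common pattern listed above so it can be separated from other 673 failures. The event dictionaries, field names and the `triage` function are assumptions made for the illustration, and bit 14 is labelled "anonymous" as on this page.

```python
# Kerberos numbers option bits from the most significant bit:
# bit 0 = 0x80000000, bit 31 = 0x00000001.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    14: "anonymous",            # label as used on this page
    15: "name-canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Only the failure code discussed on this page is named here.
FAILURE_CODES = {0xD: "KDC_ERR_BADOPTION"}


def decode_ticket_options(value):
    """Return [(bit, name)] for every set bit of a 32-bit options value."""
    flags = []
    for bit in range(32):
        if value & (0x80000000 >> bit):
            flags.append((bit, KDC_OPTION_BITS.get(bit, "unused/unknown")))
    return flags


def triage(event):
    """Classify a 673 failure as 'expected' (the common pattern) or 'review'."""
    options = int(event["ticket_options"], 16)
    code = int(event["failure_code"], 16)
    names = {name for _, name in decode_ticket_options(options)}
    if code == 0xD and "anonymous" in names and event["ip"] == "127.0.0.1":
        return "expected"
    return "review"


# Constructed sample events (hypothetical field names, not real log data).
SAMPLE_EVENTS = [
    {"ticket_options": "0x40830000", "failure_code": "0xD", "ip": "127.0.0.1"},
    {"ticket_options": "0x40810000", "failure_code": "0xD", "ip": "10.0.0.25"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        opts = int(ev["ticket_options"], 16)
        code = int(ev["failure_code"], 16)
        print(ev["ip"], FAILURE_CODES.get(code, hex(code)),
              decode_ticket_options(opts), triage(ev))
```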
From a newsgroup post: "Technically speaking, the 673 Failure Audits are due to users & computers with expired TGTs they are trying to renew. Please make sure that the time between the client and the server is synchronized. In addition, this issue may also occur if the client computer does not support S4U. Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. The Kerberos client on a Windows 2003 server will regularly (every 15 minutes by default) check the KDC to see if it supports S4U. If the client doesn't support S4U, a failure security log will be recorded."
S4U = Service-for-User extensions
From a newsgroup post: "Windows 2003 introduces support for constrained delegation by leveraging the S4U2Proxy extension to Kerberos. Windows 2003 DCs will also regularly log an equivalent event 673 (every 15 minutes by default) because the Windows 2003 Kerberos client similarly checks for S4U capability. S4U capability requires a Windows 2003 Native domain, as well as for the relevant machine accounts to be configured for constrained delegation.
As I know, there is a hotfix (824905) for Win2k3. To get the hotfix file, please contact the Microsoft Web Support Service."