Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 676 Source: Security

Source
Description
Authentication Ticket Request Failed:
User Name: <user or computer name>
Supplied Realm Name: <domain name>
Service Name: krbtgt/<domain name>
Ticket Options: <options>
Failure Code: <hex failure code>
Client Address: <ip address>
Comments
 
Sometimes a logon fails not because of a bad password but because the user mistyped the username or tried to guess someone else's username.
If a logon fails because of an invalid username, Windows 2000 logs event ID 676 (authentication ticket request failed) with Failure Code 6. This event is another important logon auditing advance because in NT you can't distinguish logons that failed because of a bad password from logons that failed because of a bad username. Windows 2000 uses event ID 676 with other failure codes to identify several other types of failed-logon situations.

Failure Code 12 indicates the logon failed because of time-of-day or workstation restrictions. Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.
Failure Code 23 means the user's password had expired.
Failure Code 37 occurs when a workstation's clock was too far out of synchronization with the DC's clock.

See Audit Account Logon Events for more details.
A user on my company's Win 2K domain received this event along with events 675 and 681 from the same source in the DC event logs. They were logged on to two PCs with the same account, had changed their expired password on one of the PCs and not logged off the other to synchronise the profiles.
In one case, with Failure Code 6 on Windows 2000, this was due to a mistyped username.

In another case, with Failure Code 6 on Windows 2000, the password for the IWAM_MachineName account was mismatched between the Windows Active Directory and the IIS metabase.

See "EventID 101 from source IISADMIN" for more information.
See the link to "Troubleshooting Kerberos Errors" for information about Kerberos errors.
See ME824209 on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.

- Failure Code: 6 - See ME326985.


We had this issue on a Win2K domain. Changing the Domain Sec. Policy settting for Min. Password Age to "0" solved the issue. See ME273004 for more info.
Failure Codes:
6  Client not found in the Kerberos database.
7  Server not found in the Kerberos database. This generally indicates a service principal name (SPN) has not been registered for the service.
23  Password has expired.
32  Ticket has expired.
33  Ticket not yet valid.
34  Request is a replay. Someone is trying to play back a Kerberos client''s response; you are possibly being attacked.
37  Clock skew too great. Kerberos is time-critical; make sure all clocks are synchronized
Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...