Type: Failure Audit
Authentication Ticket Request Failed:
User Name: <user or computer name>
Supplied Realm Name: <domain name>
Service Name: krbtgt/<domain name>
Ticket Options: <options>
Failure Code: <hex failure code>
Client Address: <ip address>
Concepts to understand:
What is an authentication protocol?
Sometimes a logon fails not because of a bad password but because the user mistyped the username or tried to guess someone else's username.
If a logon fails because of an invalid username, Windows 2000 logs event ID 676 (authentication ticket request failed) with Failure Code 6. This event is another important logon auditing advance because in NT you can't distinguish logons that failed because of a bad password from logons that failed because of a bad username. Windows 2000 uses event ID 676 with other failure codes to identify several other types of failed-logon situations.
Failure Code 12 indicates the logon failed because of time-of-day or workstation restrictions. Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.
Failure Code 23 means the user's password had expired.
Failure Code 37 occurs when a workstation's clock was too far out of synchronization with the DC's clock.
See Audit Account Logon Events for more details.
A user on my company's Win 2K domain received this event along with events 675 and 681 from the same source in the DC event logs. They were logged on to two PCs with the same account, had changed their expired password on one of the PCs and not logged off the other to synchronise the profiles.
In one case, with Failure Code 6 on Windows 2000, this was due to a mistyped username.
In another case, with Failure Code 6 on Windows 2000, the password for the IWAM_MachineName account was mismatched between the Windows Active Directory and the IIS metabase.
See "EventID 101 from source IISADMIN" for more information.
See the link to "Troubleshooting Kerberos Errors" for information about Kerberos errors.
See ME824209 on how to use the EventCombMT utility to search the event logs of multiple computers for account lockouts.
- Failure Code: 6 - See ME326985.
We had this issue on a Win2K domain. Changing the Domain Sec. Policy setting for Min. Password Age to "0" solved the issue. See ME273004 for more info.
Dennis Lundtoft Thomsen
6 Client not found in the Kerberos database.
7 Server not found in the Kerberos database. This generally indicates a service principal name (SPN) has not been registered for the service.
23 Password has expired.
32 Ticket has expired.
33 Ticket not yet valid.
34 Request is a replay. Someone is trying to play back a Kerberos client's response; you are possibly being attacked.
37 Clock skew too great. Kerberos is time-critical; make sure all clocks are synchronized.
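The failure codes listed above can be applied to collected event 676 descriptions to separate routine failures from ones worth a closer look. The following is an added example, not part of the original page or its comments: `parse_676`, `triage` and `make` are hypothetical helper names, the sample events and the threshold of three usernames are constructed, and it assumes a `0x`-prefixed Failure Code is hexadecimal while a bare value is decimal as in the comments above.

```python
import re
from collections import defaultdict

# Failure codes as listed on this page (decimal values).
FAILURE_CODES = {
    6: "client not found (invalid username)",
    7: "server not found (SPN not registered)",
    12: "time-of-day or workstation restriction",
    18: "account locked out, disabled or expired",
    23: "password has expired",
    32: "ticket has expired",
    33: "ticket not yet valid",
    34: "request is a replay",
    37: "clock skew too great",
}
FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(\S+)", re.M)

def parse_676(description):
    """Return (user, decimal failure code, client address, meaning)."""
    f = dict(FIELD.findall(description))
    raw = f["Failure Code"]
    # Assumption: a 0x-prefixed value is hex, a bare value is decimal.
    code = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    meaning = FAILURE_CODES.get(code, "not listed on this page")
    return f["User Name"], code, f["Client Address"], meaning

def triage(descriptions, min_users=3):
    """Flag replays, and clients failing with several different unknown usernames."""
    unknown, findings = defaultdict(set), []
    for user, code, addr, meaning in map(parse_676, descriptions):
        if code == 6:
            unknown[addr].add(user.lower())
        elif code == 34:
            findings.append((addr, meaning + ": " + user))
    for addr, users in unknown.items():
        if len(users) >= min_users:
            findings.append((addr, "%d distinct unknown usernames" % len(users)))
    return sorted(findings)

def make(user, code, addr):
    """Build a constructed sample description in the page's field layout."""
    return ("Authentication Ticket Request Failed:\nUser Name: %s\n"
            "Supplied Realm Name: EXAMPLE\nService Name: krbtgt/EXAMPLE\n"
            "Ticket Options: 0x0\nFailure Code: %s\nClient Address: %s\n"
            % (user, code, addr))

# Constructed sample events, not taken from a real log.
SAMPLES = [make("admin", "0x6", "192.0.2.10"), make("administrator", "0x6", "192.0.2.10"),
           make("root", "0x6", "192.0.2.10"), make("jsmith", "0x17", "192.0.2.20"),
           make("jsmiht", "0x6", "192.0.2.20"), make("backup", "0x22", "192.0.2.30")]
```

Calling `triage(SAMPLES)` reports the client with three different unknown usernames and the replayed request, while the single mistyped username and the expired password at 192.0.2.20 are left out.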
Links: ME273004, ME326985, ME824209, Audit Account Logon Events, Online Analysis of Security Event Log, Troubleshooting Kerberos Errors, EventID 101 from source IISADMIN, EventID 675 from source Security, EventID 681 from source Security