By Adrian Grigorof, based on findings of Peter J. Persing and others
Security Event ID 677 (Failure Audit) is generated by the Kerberos service that issues service tickets. Kerberos is used by Windows 2000 Active Directory for authentication and is intended to replace the old Windows NT security architecture. Typically there are two types of 677 events: those with failure code 7 and those with failure code 32 (see the table below for a fuller list of possible failure codes). Let's analyze the two most common codes, 7 and 32!
Failure code 7
Any Kerberos-compliant software will first try to use Kerberos to obtain access to a server or application, and if that access fails it will usually fall back to NT-style access (NT authentication). So typically, a Kerberos-compliant application wanting to access, say, SERVER1 will ask the Key Distribution Center (KDC) for the Service Principal Name (SPN) of SERVER1. Kerberos-compliant applications register their SPNs with the KDC, but applications like MS SQL 7.0 do not. As a consequence, the KDC cannot resolve the SPN for the MS SQL 7.0 server, and a 677 event with failure code 7 is generated.
Service Ticket Request Failed:
    User Name: sql_service
    User Domain: CORPORATE.NET
    Service Name: MSSQLSvc/SERVER1.CORPORATE.NET:1433
    Ticket Options: 0x40810010
    Failure Code: 7
    Client Address: 127.0.0.1
This event may be generated by any service that tries to authenticate with a Kerberos service ticket. Among the services reporting such errors are IIS, SQL, DNS, Exchange 5.5, etc. When a COMPUTERNAME$ is listed instead of a user name, it is the System account that failed to obtain a Kerberos service ticket. The Microsoft Knowledge Base has an article documenting event 677 occurring when the ADC (Active Directory Connector) tries to connect to an Exchange 5.5 server. See Q281431 - XADM: Logon Failure Event ID 677 with Exchange Server 5.5 and Active Directory Connector.
A combined Windows 2000 / Windows NT / Windows 98 environment, with Active Directory running in mixed mode, may also produce these events: NT and Windows 9x machines are not Kerberos-aware, so their attempts to connect to a Windows 2000 machine with Kerberos fail.
Another source of 677 messages is improper DNS configuration. Typically these occur when the NetBIOS name of the server differs from its DNS host name. For example, we see these events on domain controllers with the source address of the event being 127.0.0.1, the LOCALHOST address, which is probably not recognized as a valid SPN. We suspect this is the cause when the events occur in a "native" Windows 2000 Active Directory environment (supposedly 100% Kerberos compatible).
Disabling NetBIOS over TCP/IP on the Windows 2000 domain controller holding the PDC role may eliminate some of these events, and this should not affect Windows 2000 AD environments running in "native" mode.
Failure code 32
The problem in this case is Kerberos ticket expiration. It appears that Windows 2000 keeps renewing a ticket until renewal fails because the ticket has expired, and then obtains a new one. If this is correct, the 677 failure code 32 events are "normal" events that cannot be prevented without turning off auditing of Failure Audits.
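As an added example (not from the article or from Microsoft), a small Python triage script that parses 677 messages in the layout shown above and applies the article's reasoning for codes 7 and 32. The RFC 1510 error names are the standard ones; the sample messages are constructed, and the "DC1$" machine account and 10.0.0.5 address are made up.

```python
import re
from dataclasses import dataclass

# Failure codes as numbered in RFC 1510 section 8; only the two codes the
# article discusses are listed here, anything else is reported as unlisted.
RFC1510_CODES = {
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",  # KDC cannot resolve the requested SPN
    32: "KRB_AP_ERR_TKT_EXPIRED",      # the ticket being renewed has expired
}

FIELD_RE = re.compile(
    r"(User Name|User Domain|Service Name|Ticket Options|Failure Code|Client Address):\s*(\S+)"
)

@dataclass
class Event677:
    user: str
    domain: str
    spn: str
    options: int
    code: int
    client: str

def parse_677(text: str) -> Event677:
    """Pull the named fields out of one 677 message (single- or multi-line)."""
    f = dict(FIELD_RE.findall(text))
    return Event677(f["User Name"], f["User Domain"], f["Service Name"],
                    int(f["Ticket Options"], 16), int(f["Failure Code"]), f["Client Address"])

def triage(ev: Event677) -> list:
    """Triage notes following the article's reasoning; first note is the RFC name."""
    notes = [RFC1510_CODES.get(ev.code, f"unlisted code {ev.code}, see RFC 1510")]
    if ev.user.endswith("$"):
        notes.append("machine account: the System account failed, not an interactive user")
    if ev.client == "127.0.0.1":
        notes.append("request came from the DC itself: compare NetBIOS name with DNS host name")
    if ev.code == 7:
        notes.append(f"SPN {ev.spn} is not registered with the KDC (e.g. SQL 7.0 does not register one)")
    elif ev.code == 32:
        notes.append("ticket renewed until it expired; expected noise unless the rate changes")
    return notes

# Constructed sample messages in the event log's layout (not real captures).
SAMPLE_EVENTS = [
    "Service Ticket Request Failed: User Name: sql_service User Domain: CORPORATE.NET "
    "Service Name: MSSQLSvc/SERVER1.CORPORATE.NET:1433 Ticket Options: 0x40810010 "
    "Failure Code: 7 Client Address: 127.0.0.1",
    "Service Ticket Request Failed: User Name: DC1$ User Domain: CORPORATE.NET "
    "Service Name: krbtgt/CORPORATE.NET Ticket Options: 0x40810010 "
    "Failure Code: 32 Client Address: 10.0.0.5",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_677(raw)
        print(f"{ev.user}@{ev.domain} -> {ev.spn} [code {ev.code}]")
        for note in triage(ev):
            print("  -", note)
```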
* * *
The failure codes reported by these events come directly from the Kerberos RFC 1510, and they help identify what caused the error.
Additional information, links, postings:
RFC 1510 - The Kerberos Network Authentication Service (V5)
MSDN - Kerberos in Win2K
Technet - Kerberos Explained
"The following event ID can occur under two situations if your Windows 2000 Dynamic Domain Name Server (DDNS) server is configured to accept only secure updates and a non-secure update is received:
* * *
Disclaimer: The information on this article simply reflects my interpretation of the 677 events and it may not be entirely accurate. It is not endorsed by Microsoft or any Microsoft affiliates.
Event ID 677