Client Address is not proper in Event Log

    Question

  • Hi,

    I had enabled the Advanced Audit Policy Configuration on my Domain Controller.

    Server OS - Windows Server 2008 R2 Standard.

    Client OS - Windows XP

    Whenever a Domain User enters the wrong password for their account, I receive the following Failure Audit. In this log, the Client Address shown is

    Client Address:        ::ffff:10.1.1.12 ( Please see the Print-screen attached )

    But in actuality, the Client Address is different. Why does it not show the actual Client Address? Please let me know what Client Address means here.

    As per my understanding, it must be the address of the Client Workstation from where the Domain User had tried to log in but failed because of entering the wrong password for their username.

    Please explain?


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com


    • Edited by Param022012 Friday, August 03, 2012 6:55 AM
    Friday, August 03, 2012 6:54 AM

Answers

  • ::ffff means that it is an IPv6 socket that is used for IPv4 communication. It is usually identified as an IPv4-mapped IPv6 address, a particular IPv6 address which aids the transition from IPv4 to IPv6. The structure of the address is ::ffff:w.y.x.z

    See this: http://marcoceresa.com/ipaddress/classes/IPAddress/IPv6/Mapped.html

    If it is the IP address of the DC, set IPv6 to dynamic (Automatically) as below.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, August 04, 2012 5:51 PM

All replies

  • Hi Param,

    Yes, Client Address is the IP address where the user is present. It shows the IP information of the client. Make sure that the client IP address is registered properly in DNS. Whether the client is connecting directly or connecting via RDP to a server.

    10.1.1.12 may be one of your server's IPs.

    Hunting down DES in order to securely deploy Kerberos

    http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!


    • Edited by iamrafic Friday, August 03, 2012 7:15 AM links
    Friday, August 03, 2012 7:10 AM
  • You can check the DNS console; there may be a case where multiple IP addresses are assigned to the same client computers. If multiple stale records are present, enable scavenging. Also ensure that the correct DNS setting is configured on the client computer and the same is registered in the DNS server.

    -->> DNS configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of client/member server.

    This event is logged if the ticket request fails. For more details on event ID 4771, refer to the link below:
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

    Don't be afraid of DNS Scavenging. Just be patient
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Saturday, August 04, 2012 1:17 AM
  • Param,

    Is it that the IPv4 address, 10.1.1.12, is incorrect? If so, then I have to agree with Sandesh and iamrafic. You may have multiple DNS records for the client.

    Explore their suggestions and post back. 


    SelloD

    Saturday, August 04, 2012 4:24 AM
  • Hi Rafic, Sandesh and Sello,

    Thank you so much for your kind reply.

    I would like to add that this IP address -

    Client Address:        ::ffff:10.1.1.12

    is of my Secondary DC. I don't understand why ::ffff: is added to this client address.

    And my DNS records are perfect; there are no multiple DNS records for any client.

    I am not trying to log in to any server via RDP; it is just my laptop, which is in the domain. I am trying to log in with a wrong password so that I can verify whether the log which I am receiving is proper or not.

    Can you suggest where I have made a mistake?


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

    Saturday, August 04, 2012 1:45 PM
  • Param,

    Does the DC where the event is being logged host the PDC Emulator FSMO role for your domain?  Whenever authentication fails with a bad password, the authenticating DC (likely 10.1.1.12 in your case) will always forward the auth request to the PDC Emulator since that DC has the most current list of passwords.  See http://msdn.microsoft.com/en-us/library/cc223752%28v=prot.13%29.aspx for details.

    Mark
    Sunday, August 05, 2012 9:38 PM
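
The two explanations in this thread (the `::ffff:` prefix is an IPv4-mapped IPv6 address, and a DC can appear as the "client" because it forwarded the bad-password attempt) can be applied when processing event 4771 text. The following is an added example, not code from any poster: the event excerpts are constructed, and the DC address list, `10.1.1.11`, and the function names are assumptions.

```python
import ipaddress
import re

# Assumption: DC addresses maintained by the defender. 10.1.1.12 is the
# secondary DC named in the thread; 10.1.1.11 is a constructed value.
DC_ADDRESSES = {ipaddress.ip_address("10.1.1.11"),
                ipaddress.ip_address("10.1.1.12")}

# Constructed excerpts of event 4771 message text (not real log data).
SAMPLE_EVENTS = [
    "Account Name:\t\tparam\nClient Address:\t\t::ffff:10.1.1.12\nClient Port:\t\t49201",
    "Account Name:\t\talice\nClient Address:\t\t::ffff:10.1.5.40\nClient Port:\t\t50112",
    "Account Name:\t\tbob\nClient Address:\t\t2001:db8::25\nClient Port:\t\t50990",
]

FIELD = re.compile(r"^\s*(Account Name|Client Address):\s*(\S+)\s*$",
                   re.MULTILINE)


def normalize_client_address(raw):
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4.

    Native IPv6 and plain IPv4 addresses are returned unchanged.
    """
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify(event_text):
    """Extract account and client address, then label where the request came from."""
    fields = dict(FIELD.findall(event_text))
    addr = normalize_client_address(fields["Client Address"])
    # If the "client" is itself a DC, the failure was passed on by that DC
    # (as described in the last reply); the workstation's address is then
    # in that DC's own Security log, not in this event.
    origin = "forwarded-by-dc" if addr in DC_ADDRESSES else "direct-client"
    return {"account": fields["Account Name"],
            "client": str(addr),
            "origin": origin}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event))
```

Normalizing before comparison matters: a lookup of the raw string `::ffff:10.1.1.12` against an IPv4 inventory or blocklist would silently miss.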