EventID 675 Failure Code 0x19 (Windows Server 2003 as DC, Windows Server 2008 as Member Server)

  • Question

  • Hello,

    We are trying to narrow down what is causing a lot of Kerberos Pre-Authentication Failures being logged on the Domain Controller. Every 675 event is followed by a 672 for a successful logon. We are trying to investigate why event ID 675 is logged with 0x19. What does failure code 0x19 mean? (The documentation just says "additional authentication required".) If this is normal behavior, is there a Microsoft document that explains it? In the following events, the DC is a Windows 2003 server and the client is a Windows 2008 member server.

    The events are as follows:

    EventID 675

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon 
    Event ID: 675
    Date: 5/12/2010
    Time: 11:20:48 AM
    User: NT AUTHORITY\SYSTEM
    Computer: DC
    Description:
    Pre-authentication failed:
      User Name: UserAccount
      User ID: Domain\UserAccount
      Service Name: krbtgt/Domain
      Pre-Authentication Type: 0x0
      Failure Code: 0x19
      Client Address: 10.x.x.x

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    EventID 672

    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Logon 
    Event ID: 672
    Date: 5/12/2010
    Time: 11:20:48 AM
    User: NT AUTHORITY\SYSTEM
    Computer: DC
    Description:
    Authentication Ticket Request:
      User Name: UserAccount
      Supplied Realm Name: Domain
      User ID: Domain\UserAccount
      Service Name: krbtgt
      Service ID: Domain\krbtgt
      Ticket Options: 0x40810010
      Result Code: -
      Ticket Encryption Type: 0x17
      Pre-Authentication Type: 2
      Client Address: 10.x.x.x
      Certificate Issuer Name:
      Certificate Serial Number:
      Certificate Thumbprint:


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Wednesday, May 12, 2010 4:45 PM

Answers

  • Hi,

    Windows Vista and later Windows operating systems support the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. However, AES encryption is not supported in Windows Server 2003.

    When a Windows Vista (or later) client sends a Kerberos authentication request to the DC, it uses AES to protect the authentication message. However, as a Windows Server 2003 DC does not support AES, it logs a 675 event and replies with the encryption types that it supports. The Vista client then uses the highest encryption type that the Domain Controller supports (RC4-HMAC) and is able to supply pre-authentication successfully.

    To get rid of the 675 error, you can force the Windows Vista (or later) computers to use the previous authentication method. To do so, please create the following registry value on the Windows Vista (or later) computers:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Name: DefaultEncryptionType
    Type: REG_DWORD
    Value: 23 (dec) or 0x17 (hex)

    And then, please reboot the computers.

    It should resolve the issue.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Joson Zhou Thursday, May 27, 2010 8:45 AM
    Tuesday, May 18, 2010 8:55 AM
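    To tell the benign negotiation described in the answer (a 0x19 immediately followed by a 672 for the same user and client, with the retry landing on RC4-HMAC, etype 0x17) apart from 675 events that deserve a look, here is an added triage script. It is not from the thread; it assumes the events have been flattened into constructed key=value lines with the same fields the question's events show.

```python
# Constructed sample, one event per line in key=value form mirroring the
# fields shown in the question's 675/672 events; not a real export.
SAMPLE_LOG = """\
id=675 time=11:20:48 user=UserAccount preauth=0x0 failure=0x19 client=10.0.0.5
id=672 time=11:20:48 user=UserAccount preauth=2 etype=0x17 client=10.0.0.5
id=675 time=11:21:03 user=svc_backup preauth=0x2 failure=0x18 client=10.0.0.9
id=675 time=11:21:05 user=svc_backup preauth=0x2 failure=0x18 client=10.0.0.9
id=675 time=11:22:10 user=Alice preauth=0x0 failure=0x19 client=10.0.0.7
"""

# Kerberos error codes behind the Failure Code field (RFC 4120, section 7.5.9)
FAILURE_CODES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED: pre-auth data invalid (wrong password)",
    "0x19": "KDC_ERR_PREAUTH_REQUIRED: KDC wants pre-auth, reply lists etypes",
    "0x12": "KDC_ERR_CLIENT_REVOKED: account disabled, locked or expired",
}

def parse_events(text):
    """Turn the key=value lines into dicts, keeping line order."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def triage(events):
    """Return one verdict per 675 event. A 0x19 that is immediately followed
    by a 672 for the same user and client address is the encryption-type
    negotiation the answer describes (client retries with a KDC-supported
    type such as RC4-HMAC, etype 0x17); anything else needs attention."""
    verdicts = []
    for i, ev in enumerate(events):
        if ev["id"] != "675":
            continue
        nxt = events[i + 1] if i + 1 < len(events) else {}
        retried = (nxt.get("id") == "672" and nxt.get("user") == ev["user"]
                   and nxt.get("client") == ev["client"])
        code = ev["failure"]
        if code == "0x19" and retried:
            verdict = "benign: etype negotiation, retried with etype " + nxt["etype"]
        elif code == "0x19":
            verdict = "review: 0x19 with no follow-up 672 (client never retried)"
        else:
            verdict = "review: " + FAILURE_CODES.get(code, "unknown code " + code)
        verdicts.append((ev["time"], ev["user"], ev["client"], code, verdict))
    return verdicts

if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE_LOG)):
        print(*row, sep=" | ")
```

    Repeated 0x18 for one account, as in the sample, is the pattern that ends in the lockout a later reply mentions, so it is worth separating from the 0x19 noise before counting failures.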

All replies

  • Question: Is this setting ok to leave once the 2003 servers are gone or should the key be deleted once there's an all-AES environment? Trying to be certain, thanks.
    Friday, September 7, 2012 11:03 PM
  • I just ran into this issue with a 2012 domain member and 2003 domain controllers. Changing the registry stopped my account from being locked out.

    You can also add AES support to 2003.  I think this would allow the 2003 DC to handle the original AES request.
    http://support.microsoft.com/kb/948963

    • Proposed as answer by yaplej Monday, February 10, 2014 3:37 PM
    Wednesday, December 11, 2013 4:18 PM
  • Hello,

    I just installed the hotfix; a reboot was required, so it is scheduled for tomorrow at 4:00 AM.

    I will check the logs after the reboot to see if the hotfix resolves the issue and advise.

    Thanks,

    Jorge


    Jorge Rojas

    Tuesday, January 14, 2014 7:37 PM
  • Hi Jorge,

    How did it go for you? I am also having an issue like this. My client in question is a Linux-based ReadyNAS.

    Regards,

    Raz

    Saturday, February 1, 2014 3:05 PM