Guest Jim A. Posted January 14, 2009

The security log is filling up on my DC with 675 events (pre-authentication failed). These events are happening over a hundred times a day and I can't figure out what is causing them. What is interesting is that the service name on these events is not the same service name that shows up when I try to log on to my workstation and intentionally put in a bad password.

First, here are the events that are getting spammed:

Pre-authentication failed:
Username: Administrator
User ID: API\Administrator
Service Name: krbtgt/ADVANCEDPRODUCTSINTL.LOCAL
Pre-authenticaion Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.240

Now when I try to log on to my workstation and put in a bad pw on purpose, here's the event it generates:

Pre-authentication failed:
Username: jsparco
User ID: API\jsparco
Service Name: krbtgt/API
Pre-authenticaion Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.55

Notice the difference in the service name. Can anyone help me out?

Guest Marek Kremiec Posted January 16, 2009

Same here Jim, I even had to change action rules for critical event alerts (such as the 675) because I was getting over 40k alert e-mails overnight. krbtgt seems to be trying to authenticate a wrong user name on DCs 50 - 80 times every minute, round the clock.

For some bizarre reason the user name failing to authenticate on my DC is not associated with an AD account; it is in fact the name of one of our servers with a $ suffix (User ID: DOMAIN_NAME\SERVER_NAME$).

Any ideas?

Guest mhill Posted February 2, 2009

I am having the same problem. I thought mine was due to a new DC that I added as backup. I did demote the server and reinstall AD & DNS and I am not getting the constant errors. Now I am receiving them one at a time randomly.

I did find something interesting on MS support. It is for a hotfix where the computers do not update to the DNS-style domain name. MS suggests it be tested on one workstation in the environment in case it doesn't work. I will be attempting to install on a spare PC to see if it helps. The hotfix is KB328570 if you would like to read it.

Guest Arnold Posted March 11, 2009

Does anyone has found the solution for this?

Guest Tom [Pepper] Willett Posted March 12, 2009

I does didn't.
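
A triage sketch for the 675 flood described in this thread, added here as an example and not posted by any participant: it parses exported event descriptions in the layout quoted in the first post and tallies failures per client address, account and realm, marking whether the realm in the service name is DNS-style or the short name and whether the account is a machine account ($ suffix). The sample text is constructed from the two events in the first post, and the function and key names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the two event bodies quoted in the first post, the noisy
# one repeated to mimic the flood. Field labels are copied exactly as posted.
SAMPLE = """\
Pre-authentication failed:
Username: Administrator
User ID: API\\Administrator
Service Name: krbtgt/ADVANCEDPRODUCTSINTL.LOCAL
Pre-authenticaion Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.240
""" * 3 + """\
Pre-authentication failed:
Username: jsparco
User ID: API\\jsparco
Service Name: krbtgt/API
Pre-authenticaion Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.55
"""

# Kerberos error codes from RFC 4120; 0x18 is the one seen in the thread.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
                 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x18: "KDC_ERR_PREAUTH_FAILED"}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*):\s*(.+)$")

def parse_events(text):
    """Split exported text into one dict per event, keyed by lower-cased label."""
    events = []
    for line in text.splitlines():
        if line.strip().lower().startswith("pre-authentication failed"):
            events.append({})          # header line starts a new event
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1).strip().lower()] = m.group(2).strip()
    return events

def summarize(events):
    """Count failures per (client, user, realm, code), noisiest source first."""
    counts = Counter((e.get("client address", ""), e.get("username", ""),
                      e.get("service name", "").partition("/")[2],
                      e.get("failure code", "0x0")) for e in events)
    return [{"client": c, "user": u, "realm": r, "count": n,
             "realm_form": "dns" if "." in r else "netbios",
             "machine_account": u.endswith("$"),
             "failure": FAILURE_CODES.get(int(code, 16), code)}
            for (c, u, r, code), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

The first row of the output is the client address to look at first; on that machine, the account name and realm form in the row narrow down which service, scheduled task or mapped connection is presenting the rejected credentials.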