I have been involved in this very issue behind the scenes here at MS. It is a known issue, with the root of the issue identified. We have a fix we are currently testing, and anticipate success in the test over the next few days. We are comfortable with it internally, waiting only on a customer or two that is confirming it in their environment.
Ping me offline to remind me, but I can send you the fix when it is available (hopefully in the next week or so, but I can keep you up to date as we put it together). Also when you ping me offline, please send me the case number.
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
We are getting an inordinate number of 675's in the security logs on our Domain Controllers numbering around a million a day all told, primarily from Exchange servers' machine accounts. After the usual testing of the errors didn't turn up anything with the machine accounts, we opened a PSS case last year and were told it was a known issue generally affecting Exchange servers and XP and the only solution was to disjoin the system from the domain and rejoin it. We found that solution somewhat unpalatable because of the client impact involved with the outages to the mailbox servers but we did test the solution on one of our SMTP gateways. There is no ill effect observed other than the spam in the event logs.
Yesterday we had a call with the involved Engineer to see if there were any other possible solutions or more details had emerged and got a bit more info. There are some other large customers also affected, including one Fortune 5 firm mentioned by name (who I believe one of the regulars here _used_ to work for if I am not mistaken). The problem lies with the machine account, seems to have been introduced by a hotfix that is yet unidentified and there is a private fix in the works that the engineer has been unable to get many details about. There was also a possible connection to the audit subsystem mentioned. He stated that others have used the join/disjoin solution over the last year and it has resolved the problem.
Imagine our dismay when we made the decision to accept the pain of the solution and while reviewing the affected systems in the DC logs to schedule the outages, found that the problem has reoccurred on the test system we had dropped and rejoined to the domain late last year. We notified the engineer of that development last night and he committed to applying some more internal pressure since the solution wasn't a long term fix after all.
We were hoping that others may be able to shed some light to another possible solution if they are affected, especially hoping ~Eric or the aforementioned Fortune 5 ex-employee/utility developer extraordinaire might have some insight. :-)
Event details look like this:
675,AUDIT FAILURE,Security,Wed Nov 03 12:37:47 2004,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: EXCHANGESERVER$ User ID: foo.bar.com/OU/SubOU/exchangeserver} Service Name: krbtgt/FOO.BAR.COM Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: xxx.xx.xx.xx
Thanks
Bob Free Senior Network Specialist ISTS/ITUSS/DC/System Server Support
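
A triage sketch for the export format quoted in the message above, added here as an example and not part of the original thread: it parses 675 records and separates machine-account failures with code 0x18 (KDC_ERR_PREAUTH_FAILED), the log noise described, from user-account ones. The sample records, host names, user names and addresses are constructed.

```python
import re
from collections import Counter

LABELS = ["User Name", "User ID", "Service Name",
          "Pre-Authentication Type", "Failure Code", "Client Address"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs from its label up to the next known label or end of line.
FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*(?=(?:%s):|$)" % (_ALT, _ALT))

# Constructed sample records (hosts, users and addresses are made up).
_T = (r"675,AUDIT FAILURE,Security,Wed Nov 03 12:37:47 2004,NT AUTHORITY\SYSTEM,"
      "Pre-authentication failed: User Name: {u} User ID: foo.bar.com/OU/SubOU/{u} "
      "Service Name: krbtgt/FOO.BAR.COM Pre-Authentication Type: 0x2 "
      "Failure Code: {c} Client Address: {a}")
SAMPLE = [_T.format(u=u, c=c, a=a) for u, c, a in [
    ("EXCH01$", "0x18", "10.0.0.11"), ("EXCH01$", "0x18", "10.0.0.11"),
    ("EXCH01$", "0x18", "10.0.0.11"), ("EXCH02$", "0x18", "10.0.0.12"),
    ("jdoe", "0x18", "10.0.0.50"), ("jdoe", "0x17", "10.0.0.50"),
]] + ["672,AUDIT SUCCESS,Security,Wed Nov 03 12:37:48 2004,NT AUTHORITY\\SYSTEM,ok"]


def parse_675(line):
    """Return the labelled fields of one exported 675 record, or None."""
    parts = line.rstrip("\n").split(",", 5)
    if len(parts) != 6 or parts[0] != "675":
        return None
    fields = dict(FIELD_RE.findall(parts[5]))
    fields["Timestamp"] = parts[3]
    return fields


def summarize(lines):
    """Count 0x18 failures per (account, client address), machine vs user."""
    machine, user = Counter(), Counter()
    for line in lines:
        f = parse_675(line)
        if not f or f.get("Failure Code", "").lower() != "0x18":
            continue
        key = (f.get("User Name", "?"), f.get("Client Address", "?"))
        # Machine account names end in "$"; everything else is a user account.
        (machine if key[0].endswith("$") else user)[key] += 1
    return machine, user


if __name__ == "__main__":
    machine, user = summarize(SAMPLE)
    for label, counts in (("machine", machine), ("user", user)):
        for (name, addr), n in counts.most_common():
            print(f"{label:8} {name:10} {addr:12} {n}")
```

Keeping the two counters separate lets the machine-account volume be tracked on its own while user-account 0x18 failures remain visible for review.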
