kerberos error event ID 675 with 0x19 error code


The error event 675 with 0X19 error code indicates:

0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required

In domain environment, Kerberos is the default authentication protocol. In
Kerberos Authentication protocol implemented in Windows, Pre-authentication
is required by default. However, sometimes, clients may not include the
pre-authentication data in first communication with KDC (the AS_REQ). As a
result, KDC returns an error to inform client that Pre-Authentication
is required, and then an event ID 675 with the error 0x19 is recorded on
KDC.


Meanwhile, please set the flag "Do not require pre-authentication" for the
problematic account EXC$, to configure the system to not require
pre-authentication. For user accounts, we can enable this flag in User
Properties. For computer account, we should modify the attribute
UserAccountControl via the following steps:

1. On the domain controller, click Start, click Run, type in "adsiedit.msc"
(without the quotation marks) and press ENTER to launch ADSI Edit tool.
This tool is included with the Windows 2003 Support Tools. To install the
Support Tools, run Suptools.msi from the Support\Tools folder on the
Windows 2003 Server CD-ROM.
2. Locate the computer accounts DOMAIN\EXC$ under the Domain partition.
3. Right-click on "DOMAIN\EXC$", click Properties.
4. Then locate the attribute "UserAccountControl" in the Attributes list.
Click Edit.
5. Modify the value to original value plus 4194304. For example, if the
original value is 512, the new value should be 512+4194304=4194816
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for these
accounts.

For more information about UserAccountControl attribute, you can refer to
the following article:

How to use the UserAccountControl flags to manipulate user account
properties


http://support.microsoft.com/kb/305144

Security Log Events That Might Contain Kerberos Error Codes

Event ID Account Logon Event Type Event Information Potentially Associated with Kerberos Authentication

672

Success audit (Windows 2000 and Windows Server 2003)

Failure audit (Windows Server 2003)

Authentication Ticket Request:

User Name

Supplied Realm Name

User ID

Service Name

Service ID

Ticket Options

Result Code: Kerberos error code

Ticket Encryption Type

Pre-Authentication Type

Client Address

Certificate Issuer Name

Certificate Serial Number

Certificate Thumbprint

 

673

Success audit (Windows 2000 and Windows Server 2003)

Failure audit (Windows Server 2003)

Service Ticket Request:

User Name

User Domain

Service Name

Service ID

Ticket Options

Ticket Encryption Type

Client Address

Failure Code: Kerberos Error Code

Logon GUID

Transited Services

 

675

Failure audit

Pre-authentication Failed:

User Name

User ID

Service Name

Pre-authentication Type

Failure Code: Kerberos error code

Client Address

 

676

Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 672.)

Authentication Ticket Request Failed:

User Name

Supplied Realm Name

Service Name

Ticket Options

Failure Code: Kerberos error code

Client Address

 

677

Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 673.)

Service Ticket Request Failed:

User Name

User Domain

Service Name

Ticket Options

Failure Code: Kerberos error code

Client Address

 

Kerberos V5 Authentication Protocol Error Messages Generated by Windows Server 2003

Kerberos Error Number Kerberos Error Code Description

0x3

KDC_ERR_BAD_PVNO

Requested protocol version number not supported.

0x6

KDC_ERR_C_PRINCIPAL_UNKNOWN

Client not found in Kerberos database.

0x7

KDC_ERR_S_PRINCIPAL_UNKNOWN

Server not found in Kerberos database.

0x8

KDC_ERR_PRINCIPAL_NOT_UNIQUE

Multiple principal entries in database.

0xA

KDC_ERR_CANNOT_POSTDATE

Ticket not eligible for postdating.

0xB

KDC_ERR_NEVER_VALID

Requested start time is later than end time.

0xC

KDC_ERR_POLICY

KDC policy rejects request.

0xD

KDC_ERR_BADOPTION

KDC cannot accommodate requested option.

0xE

KDC_ERR_ETYPE_NOSUPP

KDC has no support for encryption type.

0xF

KDC_ERR_SUMTYPE_NOSUPP

KDC has no support for checksum type.

0x10

KDC_ERR_PADATA_TYPE_NOSUPP

KDC has no support for pre-authentication data type.

0x12

KDC_ERR_CLIENT_REVOKED

Client€™s credentials have been revoked.

0x17

KDC_ERR_KEY_EXPIRED

Password has expired - change password to reset.

0x18

KDC_ERR_PREAUTH_FAILED

Pre-authentication information was invalid.

0x19

KDC_ERR_PREAUTH_REQUIRED

Additional pre-authentication required.

0x1B

KDC_ERR_MUST_USE_USER2USER

Server principal valid for user-to-user only.

0x1C

KDC_ERR_PATH_NOT_ACCPETED

KDC Policy rejects transited path.

0x1D

KDC_ERR_SVC_UNAVAILABLE

A service is not available.

0x1F

KRB_AP_ERR_BAD_INTEGRITY

Integrity check on decrypted field failed.

0x20

KRB_AP_ERR_TKT_EXPIRED

Ticket expired.

0x21

KRB_AP_ERR_TKT_NYV

Ticket not yet valid.

0x22

KRB_AP_ERR_REPEAT

Request is a replay.

0x23

KRB_AP_ERR_NOT_US

The ticket isn€™t for us.

0x24

KRB_AP_ERR_BADMATCH

Ticket and authenticator do not match.

0x25

KRB_AP_ERR_SKEW

Clock skew too great.

0x28

KRB_AP_ERR_MSG_TYPE

Invalid message type.

0x29

KRB_AP_ERR_MODIFIED

Message stream modified.

0x34

KRB_ERR_RESPONSE_TOO_BIG

Response too big for UDP, retry with TCP.

0x3C

KRB_ERR_GENERIC

Generic error (description in e-text).

0x44

KDC_ERR_WRONG_REALM

User-to-user TGT issued different KDC.