Event ID 675 with error code 0x19 indicates:

0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required

In a domain environment, Kerberos is the default authentication protocol. In the Kerberos authentication protocol as implemented in Windows, pre-authentication is required by default. However, clients sometimes do not include the pre-authentication data in their first communication with the KDC (the AS_REQ). As a result, the KDC returns an error to inform the client that pre-authentication is required, and an event ID 675 with the error 0x19 is recorded on the KDC.

Meanwhile, please set the flag "Do not require pre-authentication" for the problematic account EXC$, to configure the system to not require pre-authentication. For user accounts, we can enable this flag in User Properties. For computer accounts, we should modify the attribute UserAccountControl via the following steps:

1. On the domain controller, click Start, click Run, type in "adsiedit.msc" (without the quotation marks) and press ENTER to launch the ADSI Edit tool. This tool is included with the Windows 2003 Support Tools. To install the Support Tools, run Suptools.msi from the Support\Tools folder on the Windows 2003 Server CD-ROM.
2. Locate the computer account DOMAIN\EXC$ under the Domain partition.
3. Right-click on "DOMAIN\EXC$", click Properties.
4. Then locate the attribute "UserAccountControl" in the Attributes list. Click Edit.
5. Modify the value to the original value plus 4194304. For example, if the original value is 512, the new value should be 512+4194304=4194816.
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for these accounts.

For more information about the UserAccountControl attribute, you can refer to the following article:

How to use the UserAccountControl flags to manipulate user account properties
http://support.microsoft.com/kb/305144
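
Step 5 sets a single bit of userAccountControl (4194304 = 0x400000, DONT_REQ_PREAUTH in KB305144). The following Python sketch is an added example, not part of the original text: it decodes a value, sets or clears that bit with bitwise operations so a repeated edit cannot carry into the neighbouring flag, and lists the accounts that currently have pre-authentication disabled so the exception can be reviewed and removed. Apart from EXC$, the account names and values in SAMPLE are constructed.

```python
# Subset of the userAccountControl bits listed in KB305144.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x002000: "SERVER_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000  # 4194304, the number added in step 5


def flag_names(value):
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def disable_preauth(value):
    """Step 5 as a bitwise OR: applying it twice leaves the value unchanged."""
    return value | DONT_REQ_PREAUTH


def require_preauth(value):
    """Clear the bit again and leave every other flag untouched."""
    return value & ~DONT_REQ_PREAUTH


def accounts_without_preauth(records):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(n for n, uac in records.items() if uac & DONT_REQ_PREAUTH)


# Constructed sample: sAMAccountName -> userAccountControl value.
SAMPLE = {
    "EXC$": 4194816,        # the page's example result, 512 + 4194304
    "WKS01$": 4096,         # hypothetical workstation account
    "svc-legacy": 4260352,  # hypothetical: 512 + 65536 + 4194304
    "alice": 512,           # hypothetical user account
}

if __name__ == "__main__":
    for name in accounts_without_preauth(SAMPLE):
        print(name, SAMPLE[name], flag_names(SAMPLE[name]))
    # Plain addition on an already-modified value carries into the next bit:
    print(flag_names(4194816 + 4194304))
```

Adding 4194304 a second time to 4194816 yields 8389120, which decodes as NORMAL_ACCOUNT plus PASSWORD_EXPIRED, so check the current value before editing.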

Security Log Events That Might Contain Kerberos Error Codes

Event ID | Account Logon Event Type | Event Information Potentially Associated with Kerberos Authentication
672 | | Authentication Ticket Request:
673 | | Service Ticket Request:
675 | | Pre-authentication Failed:
676 | | Authentication Ticket Request Failed:
677 | | Service Ticket Request Failed:

Kerberos V5 Authentication Protocol Error Messages Generated by Windows Server 2003

Kerberos Error Number | Kerberos Error Code | Description
0x3 | KDC_ERR_BAD_PVNO | Requested protocol version number not supported.
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database.
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database.
0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in database.
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket not eligible for postdating.
0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time.
0xC | KDC_ERR_POLICY | KDC policy rejects request.
0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option.
0xE | KDC_ERR_ETYPE_NOSUPP | KDC has no support for encryption type.
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type.
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for pre-authentication data type.
0x12 | KDC_ERR_CLIENT_REVOKED | Client's credentials have been revoked.
0x17 | KDC_ERR_KEY_EXPIRED | Password has expired - change password to reset.
0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid.
0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required.
0x1B | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user-to-user only.
0x1C | KDC_ERR_PATH_NOT_ACCEPTED | KDC Policy rejects transited path.
0x1D | KDC_ERR_SVC_UNAVAILABLE | A service is not available.
0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed.
0x20 | KRB_AP_ERR_TKT_EXPIRED | Ticket expired.
0x21 | KRB_AP_ERR_TKT_NYV | Ticket not yet valid.
0x22 | KRB_AP_ERR_REPEAT | Request is a replay.
0x23 | KRB_AP_ERR_NOT_US | The ticket isn't for us.
0x24 | KRB_AP_ERR_BADMATCH | Ticket and authenticator do not match.
0x25 | KRB_AP_ERR_SKEW | Clock skew too great.
0x28 | KRB_AP_ERR_MSG_TYPE | Invalid message type.
0x29 | KRB_AP_ERR_MODIFIED | Message stream modified.
0x34 | KRB_ERR_RESPONSE_TOO_BIG | Response too big for UDP, retry with TCP.
0x3C | KRB_ERR_GENERIC | Generic error (description in e-text).
0x44 | KDC_ERR_WRONG_REALM | User-to-user TGT issued different KDC.