Event ID 675 with failure code 0x18 is in my domain controller's (DC's) Security log. I think the event was caused by an automated process. How can I determine which of the processes running on my Windows 2000 server tried to authenticate to the DC?
First, let's review to bring everyone up to speed. Event ID 675 specifies a Kerberos authentication failure, and failure code 0x18 in the event's description indicates that the password was incorrect. Another field in the description, Client Address, provides the IP address of the client computer that originated the authentication attempt. Your question indicates that this IP address belongs to a Win2K server.
This authentication error could have several possible causes. A user might have logged on to the server interactively or via RDP, then attempted to access a Windows resource on another server by using explicit credentials. One of my customers recently described such a scenario that occurred in his organization: A user logged on to a server via RDP and accessed a shared folder on the server by using the share name instead of the local path name. The user didn't log off that server but subsequently changed his domain password from a different computer. Because the RDP session was still active (albeit disconnected) and the user had left a Windows Explorer window open with the shared folder selected, Windows periodically tried to reconnect to the share by using the user's old password, thus causing event ID 675 errors. Another possibility is that the authentication attempts are originating from an application that's running on the server and trying to access another server by using explicit credentials.
However, it's more likely that the process is either a scheduled task or service configured to run under the account identified by the User ID field in the description of event ID 675. If this is the case, it's easy to verify. Look for event ID 529 (Logon Failure) on the Win2K member server and check the Logon Type field in the description. Logon Type 4 indicates that a scheduled task is causing the failure, and Logon Type 5 indicates that the culprit is a service trying to start. In either case, you'll be able to find error events in the System log on the Win2K system that identify the particular service or scheduled task.
End of Article
)
Register
bjdoersch September 04, 2008 (Article Rating: