Windows Security Log Event ID 675

Operating Systems: Windows Server 2000, Windows Server 2003
Category: Account Logon
Type: Failure
Corresponding events in Windows 2008 and Vista: 4771

675: Pre-authentication failed

When a user attempts to log on at a workstation and uses a valid domain account name but enters a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24. By reviewing each of your DC Security logs for this event and failure code, you can track every domain logon attempt that failed as a result of a bad password. In addition to providing the username and domain name, the event provides the IP address of the system from which the logon attempt originated.

Win2K also logs event ID 675 when a user attempts to use a different username (i.e., a username other than the one he or she used for the current workstation logon) to connect to a server. For example, a user might try to use the Connect using a different user name feature to use someone else's account to map a drive to a server.

This event can be logged for a few other reasons, which are specified in the failure code. All Kerberos event failure codes correspond to the error codes defined by the Kerberos standard (RFC 1510). The failure codes are explained in the Kerberos Failure Codes table below.

Recommended response for failed instances of this event:

  •  Check the User ID field. Most events generated by computer accounts are safe to ignore.
  •  Determine the reason for the authentication failure by checking Failure Code. TGT failures are usually due to a bad password or a time synchronization problem between workstation and domain controller.
  •  If Failure Code indicates a bad password, how many failures exist for the same account?
  •  Look at the client IP address. Is an innocent user error or a malicious attack indicated?
  •  If practical, contact the user regarding their recent logon attempts.

 

Kerberos Failure Codes

| Failure code (Dec) | Failure code (Hex) | Kerberos RFC description | Notes on common failure codes |
|---|---|---|---|
| 1 | 0x1 | Client's entry in database has expired | |
| 2 | 0x2 | Server's entry in database has expired | |
| 3 | 0x3 | Requested protocol version # not supported | |
| 4 | 0x4 | Client's key encrypted in old master key | |
| 5 | 0x5 | Server's key encrypted in old master key | |
| 6 | 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 7 | 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 8 | 0x8 | Multiple principal entries in database | |
| 9 | 0x9 | The client or server has a null key | administrator should reset the password on the account |
| | 0xA | Ticket not eligible for postdating | |
| | 0xB | Requested start time is later than end time | |
| | 0xC | KDC policy rejects request | Workstation/logon time restriction |
| | 0xD | KDC cannot accommodate requested option | |
| | 0xE | KDC has no support for encryption type | |
| | 0xF | KDC has no support for checksum type | |
| | 0x10 | KDC has no support for padata type | |
| | 0x11 | KDC has no support for transited type | |
| | 0x12 | Clients credentials have been revoked | Account disabled, expired, or locked out. |
| | 0x13 | Credentials for server have been revoked | |
| | 0x14 | TGT has been revoked | |
| | 0x15 | Client not yet valid - try again later | |
| | 0x16 | Server not yet valid - try again later | |
| | 0x17 | Password has expired | The user’s password has expired. |
| | 0x18 | Pre-authentication information was invalid | Usually means bad password |
| | 0x19 | Additional pre-authentication required* | |
| | 0x1F | Integrity check on decrypted field failed | |
| | 0x20 | Ticket expired | Frequently logged by computer accounts |
| | 0x21 | Ticket not yet valid | |
| | 0x22 | Request is a replay | |
| | 0x23 | The ticket isn't for us | |
| | 0x24 | Ticket and authenticator don't match | |
| | 0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
| | 0x26 | Incorrect net address | IP address change? |
| | 0x27 | Protocol version mismatch | |
| | 0x28 | Invalid msg type | |
| | 0x29 | Message stream modified | |
| | 0x2A | Message out of order | |
| | 0x2C | Specified version of key is not available | |
| | 0x2D | Service key not available | |
| | 0x2E | Mutual authentication failed | may be a memory allocation failure |
| | 0x2F | Incorrect message direction | |
| | 0x30 | Alternative authentication method required* | |
| | 0x31 | Incorrect sequence number in message | |
| | 0x32 | Inappropriate type of checksum in message | |
| | 0x3C | Generic error (description in e-text) | |
| | 0x3D | Field is too long for this implementation | |

  •  User Name: %1
  •  User ID:  %2
  •  Service Name: %3
  •  Pre-Authentication Type: %4
  •  Failure Code: %5 (see table of failure codes)
  •  Client Address: %6

Pre-authentication failed:
User Name: Fred
User ID: MKTG\Fred
Service Name: krbtgt/MKTG
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 10.42.42.10
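
The recommended response above can be automated over event descriptions in the format of the example. The following is an added example, not code from the original page: the names `parse_675`, `triage` and `render`, the threshold of 3, and the sample events are assumptions constructed for illustration, and computer accounts are recognised by the trailing `$` in their name.

```python
import re
from collections import Counter, defaultdict

# Failure codes copied from the table above (subset); keys are the numeric code.
FAILURE_CODES = {
    0x06: "Client not found in Kerberos database",
    0x12: "Clients credentials have been revoked",
    0x17: "Password has expired",
    0x18: "Pre-authentication information was invalid",
    0x25: "Clock skew too great",
}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(\S.*?)\s*$")

def parse_675(description):
    """Turn one event 675 description into a dict keyed by field label."""
    fields = {}
    for line in description.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    # The code appears as decimal (24) or hex (0x18); base 0 accepts both.
    fields["Failure Code"] = int(fields["Failure Code"], 0)
    return fields

def triage(events, threshold=3):
    """Count bad-password failures per account; tally every other reason."""
    failures, clients, other = Counter(), defaultdict(set), Counter()
    for ev in events:
        if ev["User Name"].endswith("$"):  # computer account (name ends in $)
            continue
        code = ev["Failure Code"]
        if code == 0x18:
            failures[ev["User ID"]] += 1
            clients[ev["User ID"]].add(ev["Client Address"])
        else:
            other[FAILURE_CODES.get(code, hex(code))] += 1
    flagged = {acct: (n, sorted(clients[acct]))
               for acct, n in failures.items() if n >= threshold}
    return flagged, other

def render(user, code, addr):  # builds constructed sample events, not real logs
    return ("Pre-authentication failed:\nUser Name: %s\nUser ID: MKTG\\%s\n"
            "Service Name: krbtgt/MKTG\nPre-Authentication Type: 0x2\n"
            "Failure Code: %s\nClient Address: %s\n" % (user, user, code, addr))

SAMPLE = [parse_675(render(*row)) for row in [
    ("Fred", "24", "10.42.42.10"), ("Fred", "0x18", "10.42.42.10"),
    ("Fred", "24", "10.42.42.11"), ("WKS7$", "24", "10.42.42.31"),
    ("Alice", "37", "10.42.42.12")]]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because each DC records only the failures it handled, the events from every DC Security log need to be combined before counting.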
