lamp90
Sun Sep 16 02:08:00 PDT 2007
In my experience, certain NORMAL operations can cause authentication errors.
For instance, a common technique for programs to find out if a username has a
password is to try logging in WITHOUT one. That could cause a message like
that.
In such cases, I would expect to find another message shortly thereafter
with a successful authentication, when the user is prompted for the password
and one is entered successfully.
That, assuming you are ALSO tracking successful authentications so you can
see the successful login event as well.
"Jon Holvoet" wrote:
> Here a general explication of your error:
>
>
http://www.ultimatewindowssecurity.com/Details.aspx?ID=117
>
> Specifically for the 0x18: Pre-authentication information was invalid ->
> Usually means bad password
> Perhaps a fixed config in some sort of utility on these machines?
>
> You have the time-stamps, and the ip-adres. Try to find what applications /
> scripts run at that time. Maybe use Wireshark to see the traffic leaving for
> clues, ...
>
> In my experience this is generally a thirth party application or script with
> fixed credentials that performs scheduled tasks, and with an old password.
>
> --
>
> Jon Holvoet
> MCSA / MCSE Security
> Comptia Security+
> CISSP
>
>
> "slawrie" <slawrie@discussions.microsoft.com> wrote in message
> news:F856643E-BFA3-41C8-9EFE-1755F815B902@microsoft.com...
> > Can anyone tell me how to begin troubleshooting this issue? The IP address
> > in
> > question is a DC running DHCP and DNS. I am getting continual
> > Pre-authentication failures although the network seems to be running fine.
> > This account is not the only one giving me the failures.
> >
> > Pre-authentication failed:
> > User Name: Administrator
> > User ID: Domain\Administrator
> > Service Name: krbtgt/Domain.LOCAL
> > Pre-Authentication Type: 0x2
> > Failure Code: 0x18
> > Client Address: 172.16.60.9
> >
> > Thanks,
> >
> > Steve
>
>
>