Recently we ran into a weird issue. Our monitoring software started reporting thousands of "hacker" alerts on a mixed Windows 2003 / 2008 domain. The audit failures were coming from internal workstations and servers. After we had examined the spyware/virus theory, we started looking into Windows compatibility issues.

Here is a sample Event ID 675:

Pre-authentication failed:
User Name:               Username
User ID:                 DOMAIN\Username
Service Name:            krbtgt/DOMAIN
Pre-Authentication Type: 0x2
Failure Code:            0x18
Client Address:          10.0.0.100

We began with this Microsoft TechNet article, which gave us a brief explanation of what we were dealing with. Unfortunately, the article is somewhat dated, so it does not cover the differences between the Kerberos implementations in Windows Server 2003 and Windows Server 2008.

After hours of research it turned out that Windows 7 / Vista use a higher grade of encryption for pre-authentication: AES256 by default. There is a way to change the default encryption type to RC4, which Windows Server 2003 / XP use by default. RC4 is the weaker of the two, so treat this as a compatibility workaround for the mixed domain rather than a permanent setting.

Note: if the Parameters key is not listed under Kerberos, you must create it.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Entry: DefaultEncryptionType
Type: REG_DWORD
Default Value: 23 (decimal) or 0x17 (hexadecimal)

23 (decimal) is KERB_ETYPE_RC4_HMAC_NT
24 (decimal) is KERB_ETYPE_AES256_CTS_HMAC_SHA1_96

On the DC side, the registry entry that controls the KDC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\KdcUseRequestedEtypesForTickets (DWORD)

If this value is non-zero, the KDC will try to use the highest encryption type supported by the client PC. Windows Server 2003 DCs require hotfix 833708 for this setting.
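Before changing either registry value, it helps to confirm that the flood really is Event 675 with pre-auth type 0x2 and failure code 0x18 from your own internal hosts, rather than a handful of accounts being brute-forced. The following PowerShell is an added example, not from the original post: it parses Event 675 message bodies and summarises them per client address. It assumes a Windows Server 2003 DC whose Security log Get-EventLog (PowerShell 2.0) can read; the helper names and the sample event text are constructed.

```powershell
# Field names from RFC 4120 for the two values the event body carries (added example).
$PreAuthTypes = @{ '0x2' = 'PA-ENC-TIMESTAMP' }
$FailureCodes = @{ '0xE' = 'KDC_ERR_ETYPE_NOSUPP'; '0x18' = 'KDC_ERR_PREAUTH_FAILED'; '0x19' = 'KDC_ERR_PREAUTH_REQUIRED' }

function ConvertFrom-PreAuthFailure {
    # Parse one Event 675 message body into the fields we group on.
    param([Parameter(Mandatory=$true)][string]$Message)
    function Field([string]$Label) {
        # "Label:<tabs or spaces>value" on its own line; '' when the label is absent
        $pattern = '(?m)^' + [regex]::Escape($Label) + '\s*:\s*(\S+)'
        if ($Message -match $pattern) { $Matches[1] } else { '' }
    }
    New-Object PSObject -Property @{
        User        = Field 'User Name'
        PreAuthType = Field 'Pre-Authentication Type'
        FailureCode = Field 'Failure Code'
        Client      = Field 'Client Address'
    }
}

function Get-PreAuthFailureSummary {
    # One row per (client, pre-auth type, failure code), busiest clients first.
    # Assumes the legacy Security log; on Server 2008 the equivalent event is 4771.
    param([int]$Newest = 5000)
    Get-EventLog -LogName Security -InstanceId 675 -Newest $Newest |
        ForEach-Object { ConvertFrom-PreAuthFailure $_.Message } |
        Group-Object Client, PreAuthType, FailureCode |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Client      = $first.Client
                PreAuthType = '{0} ({1})' -f $first.PreAuthType, $PreAuthTypes[$first.PreAuthType]
                FailureCode = '{0} ({1})' -f $first.FailureCode, $FailureCodes[$first.FailureCode]
                Count       = $_.Count
                Users       = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample mirroring the event body quoted above, for checking the parser offline.
$sample = @"
User Name:    Username
Pre-Authentication Type:    0x2
Failure Code:    0x18
Client Address:    10.0.0.100
"@
ConvertFrom-PreAuthFailure $sample | Format-List
```

Run `Get-PreAuthFailureSummary | Format-Table -AutoSize` on the DC; many distinct users per client with type 0x2 / code 0x18 points at the client-side encryption-type mismatch described here, while one user hammered from one address is a different problem.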

More details on KDC configuration keys on Windows 2003
Overview of Kerberos enhancements in Windows Vista and Windows Server 2008

9 Responses to Thousands of Event IDs 675 and 680 in Windows Security log

  1. Christel says:

    On the first sentence it looks like it were valid but if you look closely there is no sense in this!

  2. Raynoch says:

    Son of a gun, this is so helpful!

  3. Thanks a lot for the tips, and your webpage genuinely looks very good. Exactly what wp theme are you employing?

  4. How strange, this topic got me to deeply hunger for a hamburger.

  5. I conceive this web site has very superb composed content material articles. cheap vps | best vps host |

  7. site says:

    Jesus Christ, there's a lot of spammy feedback on this webpage. Have you ever believed about trying to remove them or installing a WordPress plugin?