Pre-Authentication Failure

Active Directory


  #1  
Old 07-07-2008
John
 
Posts: n/a
Pre-Authentication Failure


I have a new Exchange 2007 server on 2008 and I am seeing these errors every
minute on my 2003 R2 DC. It says it's not a problem but every minute seems
like a problem.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 7/6/2008
Time: 10:16:06 PM
User: NT AUTHORITY\SYSTEM
Computer: FILESERVER
Description:
Pre-authentication failed:
User Name: EXC$
User ID: DOMAIN\EXC$
Service Name: krbtgt/DOMAIN.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.1.1


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
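
Added example, not part of the original post: a short Python triage of event 675 descriptions like the one above, grouped by account, client address and failure code. The error names are those of RFC 4120; the "informational"/"investigate" labels and the second sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as they appear in the "Failure Code" field.
# The triage label attached to each one is an assumption of this example.
FAILURE_CODES = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "investigate"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "investigate"),      # disabled, expired or locked out
    0x17: ("KDC_ERR_KEY_EXPIRED", "investigate"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "investigate"),      # wrong password or key
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "informational"),  # first AS_REQ carried no pre-auth data
    0x25: ("KRB_AP_ERR_SKEW", "investigate"),
}

FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(\S+)\s*$", re.M)

def parse_675(description):
    """Return (user, failure_code, client_address) from one event 675 description."""
    fields = dict(FIELD.findall(description))
    return fields["User Name"], int(fields["Failure Code"], 16), fields["Client Address"]

def triage(descriptions):
    """Count events per (user, code, client) and attach the error name and label."""
    counts = Counter(parse_675(d) for d in descriptions)
    report = []
    for (user, code, client), n in sorted(counts.items()):
        name, action = FAILURE_CODES.get(code, (f"code 0x{code:x}", "investigate"))
        report.append((user, client, name, action, n))
    return report

# The description text from the post above.
EVENT_FROM_POST = """Pre-authentication failed:
User Name: EXC$
User ID: DOMAIN\\EXC$
Service Name: krbtgt/DOMAIN.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.1.1"""

# Constructed record (hypothetical user "jdoe") with a bad-password failure code.
CONSTRUCTED_BAD_PW = EVENT_FROM_POST.replace("EXC$", "jdoe").replace("0x19", "0x18")

if __name__ == "__main__":
    for row in triage([EVENT_FROM_POST] * 3 + [CONSTRUCTED_BAD_PW]):
        print(row)
```
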

  #2  
Old 09-07-2008
Miles Li [MSFT]
 
Posts: n/a
RE: Pre-Authentication Failure

Hello,

Thank you for posting in the newsgroup.

According to the post, I know the issue is:

You notice the security log event 675 on the 2003 R2 domain controller and this
event points to a Windows Server 2008 operating system with Exchange. If I
misunderstand it, please feel free to let me know.

Analysis:
==========
Based on my experience, the event 675 usually indicates the account is
locked out. May I know if the computer account DOMAIN\EXC$ is locked or
not?

Also I notice this issue might also be caused when the service account is
modified. Please perform a clean boot on the Windows Server 2008 to narrow
down the issue. To do so, follow the steps below:

1. Type msconfig in the command prompt and press Enter
2. Click Services tab and select Hide All Microsoft Services and Disable
All third party Services.
3. Click Startup tab and Disable All startup items
4. Click OK and choose Restart
5. After reboot, check whether the event 675 still occurs on the domain
controller security log.

The error event 675 with the 0x19 error code indicates:

0x19 - KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required

In a domain environment, Kerberos is the default authentication protocol. In
the Kerberos authentication protocol as implemented in Windows, pre-authentication
is required by default. However, sometimes clients may not include the
pre-authentication data in the first communication with the KDC (the AS_REQ). As a
result, the KDC returns an error to inform the client that pre-authentication
is required, and then an event ID 675 with the error 0x19 is recorded on
the KDC.


Meanwhile, please set the flag "Do not require pre-authentication" for the
problematic account EXC$, to configure the system to not require
pre-authentication. For user accounts, we can enable this flag in User
Properties. For computer account, we should modify the attribute
UserAccountControl via the following steps:

1. On the domain controller, click Start, click Run, type in "adsiedit.msc"
(without the quotation marks) and press ENTER to launch ADSI Edit tool.
This tool is included with the Windows 2003 Support Tools. To install the
Support Tools, run Suptools.msi from the Support\Tools folder on the
Windows 2003 Server CD-ROM.
2. Locate the computer account DOMAIN\EXC$ under the Domain partition.
3. Right-click on "DOMAIN\EXC$", click Properties.
4. Then locate the attribute "UserAccountControl" in the Attributes list.
Click Edit.
5. Modify the value to the original value plus 4194304. For example, if the
original value is 512, the new value should be 512+4194304=4194816.
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for these
accounts.

For more information about UserAccountControl attribute, you can refer to
the following article:

How to use the UserAccountControl flags to manipulate user account
properties
http://support.microsoft.com/kb/305144



If the issue still exists, I would like to collect some information for
further analysis:

Information Needed:
=================
1. Have you installed Service Pack 2 on the 2003 R2 domain controller? If
not, please install it first, then check how everything works.

2. Is your domain an SBS 2003 Active Directory domain? Or is it just a
Windows Server 2003 R2 domain?

3. How is the Windows Server 2008 member connected to the 2003 R2 domain?
Is it connected via VPN back to the main site or just directly connected in
the same site?

Users Cannot Connect to a Windows Server 2003 Domain by Using a VPN
Connection
http://support.microsoft.com/default...B;EN-US;829074

4. There is a similar issue in Windows 2000 Server. However, we don't need to
consider it because it is for Windows 2000-based servers.

FIX: Exchange servers fail Kerberos authentication server requests on
Windows 2000-based servers
http://support.microsoft.com/kb/888612

For your reference:

Troubleshooting Kerberos Errors
http://www.microsoft.com/technet/pro.../technologies/security/tkerberr.mspx


Hope it helps. Also if there is anything unclear, please feel free to let
me know.


Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
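
Added example, not part of the original reply: the UserAccountControl arithmetic from step 5 in Python, using bit values from KB 305144. It sets the flag with a bitwise OR so a repeated edit cannot corrupt the value, and lists which accounts carry the flag so the change can be reviewed and reverted; with the flag set, the KDC answers the account's AS_REQ without first seeing pre-authentication data. The inventory and the account names other than EXC$ are constructed.

```python
# userAccountControl bits from KB 305144 (subset relevant to this thread)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000200: "NORMAL_ACCOUNT",             # 512, the example value in step 5
    0x001000: "WORKSTATION_TRUST_ACCOUNT",  # 4096, a member computer account
    0x002000: "SERVER_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",           # 4194304, the value from step 5
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000

def decode_uac(value):
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def require_no_preauth(value):
    """Set DONT_REQ_PREAUTH with OR: the result is the same if the bit is already set."""
    return value | DONT_REQ_PREAUTH

def require_preauth(value):
    """Clear the bit again, restoring the default (pre-authentication required)."""
    return value & ~DONT_REQ_PREAUTH

def accounts_without_preauth(accounts):
    """accounts: iterable of (name, userAccountControl) pairs, e.g. from a directory export."""
    return sorted(name for name, uac in accounts if uac & DONT_REQ_PREAUTH)

# Constructed inventory; SRV01$ and jdoe are hypothetical names.
SAMPLE = [("EXC$", require_no_preauth(4096)), ("SRV01$", 4096), ("jdoe", 512)]

if __name__ == "__main__":
    once = 512 + 4194304            # 4194816, as in step 5
    twice = once + 4194304          # adding a second time carries into the next bit
    print(once, decode_uac(once))
    print(twice, decode_uac(twice))
    print(require_no_preauth(once), accounts_without_preauth(SAMPLE))
```
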

  #3  
Old 11-07-2008
Miles Li [MSFT]
 
Posts: n/a
RE: Pre-Authentication Failure

Hello,

I'd like to check how things are going. Did you have the chance to try the
troubleshooting steps? If you have any other questions, please do not
hesitate to let me know. I look forward to your further updates.

Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

