pre-authentication failure from Win 7 machines on Win 2003 SP 2 DC

**CZ1070** · 15-03-2012

Hello all,

Since a few months, I'm constantly getting my account (which has admin rights) locked out in Active Directory. When looking in the event viewer of the DC's, it seems to be caused by pre-authentication failures with my user originating from multiple machines. The constant seems to be that they are all Windows 7 Pro SP1 machines that I have configured. (All copied from the same image). Also, it started when I changed my password. So, logically, it must be stored somewhere in Windows 7 and not be updated.

The failure is:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 15/03/2012
Time: 16:05:24
User: NT AUTHORITY\SYSTEM
Computer: [DC_Name]
Description:
Pre-authentication failed:
User Name: my_user
User ID: DOMAIN\my_user
Service Name: krbtgt/[DOMAIN]
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: [CLIENT_IP_ADDRESS]

At first glance, these seem to occur at completely random moments and intervals.

I have already tried analyzing it with EventCombMT and LockOutStatus tools.

Thanks for any hints that help me solve this annoying problem.

Brgds,

CZ

**EINSTEIN_007** · 15-03-2012

Pre-authentication can fail in environments where Vista/7/Server 2008/R2 systems are deployed within a 2003 Forest Functional Level (or below) AD domain. This is because the accounts first attempt AES Kerberos encryption, fail and then fall back to RC4-HMAC. DES encryption types are disabled by default on Vista+ systems. In our case, this error was fixed by updating the password for the credentials DHCP used for its DNS Dynamic updates registration.

**CZ1070** · 16-03-2012

Hello Einstein_007,

Thanks for your reply. Our domain is at a 2003 Forest functional level. Would you mind clarifying some things for me, because this matter is quite new to me?

- Shouldn't other users be affected by this also, then?
- Isn't it strange that it only started to happen after I changed my password?
- How/Where can I find the password DHCP uses and update it?

Are there other solutions for this problem? Would introducing a 2008 R2 DC help?

Thanks in advance for your help.

Brgds,

CZ