Event ID 676


djc

Source: Security
Category: Account Logon
Authentication Ticket Request Failed:
User Name: smithly
Supplied Realm Name: HELLER.COM
Service Name: krbtgt/HELLER.COM
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 10.10.100.100

According to the info I found on this failure code (12), this event is
because of a time of day or workstation restriction. This would seem to make
sense because the client address listed is a server that this user would not
have the log on locally user right assigned for.

Is this correct, this is telling me that smithly has attempted to log on to
10.10.100.100?
 
That would seem to be the case. Failure code 0x12 can be a variety of reasons but not
having the user right for access could certainly be one. Below is a list of items I
found on a MS doc. --- Steve

0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
Associated internal Windows error codes:
  • STATUS_ACCOUNT_DISABLED
  • STATUS_ACCOUNT_EXPIRED
  • STATUS_ACCOUNT_LOCKED_OUT
  • STATUS_ACCOUNT_DISABLED
  • STATUS_INVALID_LOGON_HOURS
  • STATUS_LOGIN_TIME_RESTRICTION
  • STATUS_LOGIN_WKSTA_RESTRICTION
  • STATUS_ACCOUNT_RESTRICTION
 
Thanks for the reply. I think where I am confused is the client address.. I
am expecting it to be 'from where' the logon was attempted... like the
user's workstation name... but that address is a domain controller? Actually
I just double-checked and some of these events are from domain controller
addresses and some are from client workstations? I am confused. I know the
users don't have physical access to the servers so that's out. I suppose
terminal services logon attempts could generate this? I'm just not sure how
to interpret these security auditing events.
 
Check: http://www.eventid.net/display.asp?eventid=676&source=

maybe this will help.

--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

 
Check out the DC that is listed, you should then find the corresponding
event there with the workstation IP address listed. I have also found that
Kerberos ticket error 12 can be caused by users being in too many groups. We
found this problem when trying to access EMC NAS devices.
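
The correlation suggested in the last reply, as an added example (not code from the thread or from Microsoft): when the Client Address of an event 676 is itself a domain controller, look in that DC's log for the matching event and read the workstation address there. It assumes the security logs are exported as text and keyed by the address of the DC that recorded them, and it matches on user name and failure code only; every address other than 10.10.100.100 and the user "jones" are constructed sample values.

```python
import re

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

# Causes the thread lists for failure code 0x12 (KDC_ERR_CLIENT_REVOKED).
CAUSES_0X12 = ["STATUS_ACCOUNT_DISABLED", "STATUS_ACCOUNT_EXPIRED",
               "STATUS_ACCOUNT_LOCKED_OUT", "STATUS_INVALID_LOGON_HOURS",
               "STATUS_LOGIN_TIME_RESTRICTION", "STATUS_LOGIN_WKSTA_RESTRICTION",
               "STATUS_ACCOUNT_RESTRICTION"]

def parse_676(text):
    """Turn the 'Name: value' lines of an event 676 description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def possible_causes(event):
    """Return the candidate status codes when the failure code is 0x12."""
    return CAUSES_0X12 if int(event["Failure Code"], 16) == 0x12 else []

def trace_origin(event, logs_by_dc):
    """Follow Client Address from DC to DC until it names a non-DC host.

    Returns (origin_address_or_None, list_of_DCs_visited). Matching uses user
    name and failure code only; with real logs, also bound the time window.
    """
    user, code = event["User Name"], event["Failure Code"]
    addr, path = event["Client Address"], []
    while addr in logs_by_dc and addr not in path:   # stop on a DC-to-DC loop
        path.append(addr)
        match = next((e for e in map(parse_676, logs_by_dc[addr])
                      if e.get("User Name") == user
                      and e.get("Failure Code") == code), None)
        if match is None:
            return None, path          # no corresponding event on that DC
        addr = match["Client Address"]
    return (None if addr in logs_by_dc else addr), path

# Constructed sample text in the layout shown in the thread.
TEMPLATE = ("Authentication Ticket Request Failed:\nUser Name: {user}\n"
            "Supplied Realm Name: HELLER.COM\nService Name: krbtgt/HELLER.COM\n"
            "Ticket Options: 0x40810010\nFailure Code: 0x12\n"
            "Client Address: {addr}\n")
LOGS_BY_DC = {
    "10.10.100.101": [TEMPLATE.format(user="smithly", addr="10.10.100.100")],
    "10.10.100.100": [TEMPLATE.format(user="jones", addr="10.10.20.40"),
                      TEMPLATE.format(user="smithly", addr="10.10.20.37")],
}

if __name__ == "__main__":
    first = parse_676(LOGS_BY_DC["10.10.100.101"][0])
    print(trace_origin(first, LOGS_BY_DC), possible_causes(first))
```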
 