krbtgt failure code 0x12

[Guest]

I apologize if this is in the wrong group. Since the revamping of the
newsgroups, I have no clue where to post this since this is actually
happening on a Windows 2003 domain running in native mode.

I have one user who generates about nine of these messages in a matter of
seconds several times a day. Every time this happens, her account is locked
out because she has exceeded the maximum number of bad logon attempts. If
this were happening at logon time, that would be ok, but this happens
throughout the day while she is logged into the network which results in her
losing access to network resources until her account is unlocked manually or
unlocks by itself when the lockout duration is reached and her account
unlocks. Any ideas what might be causing this and why?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 11/18/2004
Time: 10:14:00 AM
User: NT AUTHORITY\SYSTEM
Computer: [DC1]
Description:
Pre-authentication failed:
User Name: Username
User ID: [MYDOMAIN]\Username
Service Name: krbtgt/[MYDOMAIN].LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x12
Client Address: www.xxx.yyy.zzz

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

[Steven L Umbach]

Ask her if she has changed her password recently. This can often be caused
by old user credentials being used from a user still logged onto another
computer with old credentials - possibly terminal server, or a service,
Scheduled Task, mapped drive, stored credentials [XP], or application using
the users old credentials. The link below will help. Depending on the case
you may need to track down the computer using her old/wrong credentials or
find out what process on her computer is trying to use her credentials. I
would also make a routine scan of the computer for malware. ALockout.dll
can help identify the process on a computer using a users credentials.
Correlate the times in the log for ALockout.dll to failed logons. --- Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://tinyurl.com/68qbj -- same link shorter. Netlogon logging can track
the computer down causing the failed logon attempts as explained in the
white paper in the link.

 

[Guest]

Thanks for the help. It took a while, but I did track it down to being
logged onto two computers and not logging off and back on to one of them
after a password change. I was going nuts the past week or two trying to
figure out which service or program on her usual computer was causing the
problem which was my instinct. Sadly, ALockout.dll didn't produce anything
useful in troubleshooting this problem, but now I have another tool in my
arsenal for the future.

Thanks again,
Keith

 

[Steven L Umbach]

OK. Glad you got it sorted out. I have found that netlogon logging on domain
controllers such as the pdc fsmo can help as it traces back to the computer
that initiated the failed logon. --- Steve

Thanks for the help. It took a while, but I did track it down to being
logged onto two computers and not logging off and back on to one of them
after a password change. I was going nuts the past week or two trying to
figure out which service or program on her usual computer was causing the
problem which was my instinct. Sadly, ALockout.dll didn't produce
anything
useful in troubleshooting this problem, but now I have another tool in my
arsenal for the future.

Thanks again,
Keith

Ask her if she has changed her password recently. This can often be
caused
by old user credentials being used from a user still logged onto another
computer with old credentials - possibly terminal server, or a service,
Scheduled Task, mapped drive, stored credentials [XP], or application
using
the users old credentials. The link below will help. Depending on the
case
you may need to track down the computer using her old/wrong credentials
or
find out what process on her computer is trying to use her credentials. I
would also make a routine scan of the computer for malware. ALockout.dll
can help identify the process on a computer using a users credentials.
Correlate the times in the log for ALockout.dll to failed logons. ---
Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://tinyurl.com/68qbj -- same link shorter. Netlogon logging can
track
the computer down causing the failed logon attempts as explained in the
white paper in the link.