All,
I manage a Windows 2003 Small Business Server Network with 9 clients. The server provides all network services. We use Logon/logoff, shared storage, and print server functions. We do not use Exchange except for the server reporting tool. We do use about 4 instances of SQL. All clients are Windows XP Professional patched to current standards.
I continually get an error in the security log about a Service ticket request failed. Event ID is 673. It gives the IP of the machine, the ticket options as 0x2, and the failure code as 0x20. The number of failures can range from 3 to 8 in a day for the machines in question.
After some research, it looks like a ticket expiration problem. However, I only get this error on 3 of the 9 machines constantly. All machines are used every day. Most access a network resource every day. The other machines may generate this error once or twice a month. I am concerned that there is a configuration problem with the 3 machines.
I have followed several basic troubleshooting recommendations from Microsoft KB and a few other sources. Nothing helps or describes to me the difference between the 3 machines and the rest.
Any recommendations for either fixing or understanding the difference in the error reports? Thanks for the help.
ASKED:
December 28, 2006 7:08 AM
UPDATED:
December 28, 2006 5:51 PM
shlomo58,
Thanks for the response. I found the same article at Microsoft. I saw the time difference issue and made sure time was correct. I have less than 30 seconds difference at any 1 machine and the server. I have seen several articles that say just to ignore the error if the machine has access to the network resources it requires.
I guess my bigger question is that since this is a domain policy, all machines should be set to the same ticket maximum life. Why are 3 machines giving several errors a day and the other 6 only getting a couple of errors per month? I am not at the network now, but I am assuming that this policy is set by default for the domain (not one of the ones that is disabled by default).
I would start by asking: Did you use the setup wizards when you configured your SBS or did you set your server up based on your experience with plain-jane servers? Did you use the connectcomputer wizard to join your workstations to the SBS?
If you feel confident that you set the SBS correctly with using the wizards, then I would follow Randy Franklin Smith’s recommendations from his website http://www.ultimatewindowssecurity.com/ where he states “Kerberos tickets do expire, and servers cause most such events because they remain up for weeks and months at a time. To confirm that your numbers were normal, I compared them to the ticket expirations on a customer’s network. That network is about a quarter the size of yours, and after quadrupling the number of ticket expirations logged on my customer’s domain controllers (DCs) over roughly two months, I came up with 28,620. It’s not practical to manually analyze the Windows Security log, and you don’t have to treat each event in the log as an actionable item - there’s lots of noise in the Security log that you must filter out. I think you can safely assume your failed event ID 673s are such noise.”
Best regards
dmw
dwiebesick, thanks. During the SBS 2000 install, I used the wizards. Then I upgraded to SBS 2003. Then I completed a swing migration of hardware via the SBSMigrate procedure. There could be a lot of things changed in those 3 processes. From the numbers you quoted, I seem to have a relatively small number of reports. My 10 machines are averaging about 200 total per month. Thanks again for the help.
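Added example, not part of any post in this thread: a small Python tally of event ID 673 failures per client address that separates the expired-ticket code 0x20 discussed above from other Kerberos failure codes and shows which machines log far more expirations than the rest. The one-record-per-line export layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120). 0x20 is the code reported in the thread.
KRB_ERRORS = {0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW",
              0x18: "KDC_ERR_PREAUTH_FAILED"}
NOISE = {0x20}  # expired tickets: treated as noise per the advice quoted above

# Constructed sample, assumed layout: timestamp,event id,description
SAMPLE_LOG = """\
2006-12-27 08:01:13,673,Ticket Options: 0x2 Client Address: 192.168.16.21 Failure Code: 0x20
2006-12-27 09:15:40,673,Ticket Options: 0x2 Client Address: 192.168.16.21 Failure Code: 0x20
2006-12-27 10:02:05,672,Client Address: 192.168.16.30 Failure Code: 0x18
2006-12-27 11:30:52,673,Ticket Options: 0x2 Client Address: 192.168.16.22 Failure Code: 0x20
2006-12-27 13:44:09,673,Ticket Options: 0x2 Client Address: 192.168.16.21 Failure Code: 0x20
2006-12-27 14:20:31,673,Ticket Options: 0x2 Client Address: 192.168.16.23 Failure Code: 0x25
2006-12-27 15:05:17,673,Ticket Options: 0x2 Client Address: 192.168.16.23 Failure Code: 0x20
2006-12-27 16:48:00,673,Ticket Options: 0x2 Client Address: 192.168.16.21 Failure Code: 0x20
"""

FIELDS = re.compile(r"Client Address:\s*(\S+).*?Failure Code:\s*(0x[0-9A-Fa-f]+)")

def summarize_673(text):
    """Return {client address: Counter({failure code: count})} for event 673."""
    per_client = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split(",", 2)
        if len(parts) < 3 or parts[1].strip() != "673":
            continue  # other event IDs and malformed lines are skipped
        match = FIELDS.search(parts[2])
        if match:
            per_client[match.group(1)][int(match.group(2), 16)] += 1
    return per_client

def needs_review(per_client):
    """Clients that logged any failure code outside the noise set."""
    return sorted(ip for ip, codes in per_client.items() if set(codes) - NOISE)

def expired_outliers(per_client, factor=3):
    """Clients whose 0x20 count exceeds factor times the median 0x20 count."""
    counts = sorted(c[0x20] for c in per_client.values())
    median = counts[len(counts) // 2] if counts else 0
    return sorted(ip for ip, c in per_client.items()
                  if c[0x20] > factor * max(median, 1))

if __name__ == "__main__":
    summary = summarize_673(SAMPLE_LOG)
    for ip, codes in sorted(summary.items()):
        print(ip, {KRB_ERRORS.get(k, hex(k)): v for k, v in codes.items()})
    print("review:", needs_review(summary))
    print("0x20 outliers:", expired_outliers(summary))
```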