2009/01/01 15:01:42 GMT+08:00 <12574:12574> LDAP server returned result code 85 (Timed out), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: LDAP module failed to get Root DSE, please check whether ldap hostname is valid
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: Netscape LDAP CSDK: Failed to get Root DSE
2009/01/01 15:01:42 GMT+08:00 <12574:12574> No Of Connections Requested 5, No Of Connections Created:1
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Warning: Could not allocated the requested LDAP connection

2009/01/01 15:43:09 GMT+08:00 <4090:4095> Direct to Advanced Authentication mode
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP Connection Pool, Get 0x109075D0
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP server returned result code 81 (Can't contact LDAP server), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:43:09 GMT+08:00 <4092:4113> IWSSLDAPMonitorThread: LDAP connection is unavailable for some reason, maybe slow network and overtaxed LDAP server
2009/01/01 15:43:09 GMT+08:00 <4092:4113> Refreshing LDAP Connections

Event 672 is repeatedly logged in the Domain Controller Security Event Log of InterScan Web security Virtual Appliance (IWSVA) 5.6

Product / Version includes:

Interscan Web Security Virtual ApplianceAll

Last updated: 2021/08/28

Solution ID: KA-0001508

Category: Configure , Troubleshoot

Summary

The following Pre-Authentication Failure events are seen logged every few seconds in the Security Event Viewer Log - Event ID 672:

Pre-authentication failed:
User Name: user
User ID: %{S-1-5-21-1515894698-2064606462-2977944764-1116}
Service Name: krbtgt/DOMAIN.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.0.0.10

Name:  AD Account Can't Logon - Account Doesn't Exist
Description:  Authentication Ticket Request:
User Name: 
Supplied Realm Name: DOMAIN.LOCAL
User ID:   -
Service Name:  user/DOMAIN.LOCAL
Service ID:  -
Ticket Options:  0x10
Result Code:  0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address:  10.0.0.10
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Active Directory 2003 is used and it has been confirmed that the LDAP connection is successful.

The following errors are found in the IWSVA logs:

2009/01/01 15:01:42 GMT+08:00 <12574:12574> LDAP server returned result code 85 (Timed out), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: LDAP module failed to get Root DSE, please check whether ldap hostname is valid
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: Netscape LDAP CSDK: Failed to get Root DSE
2009/01/01 15:01:42 GMT+08:00 <12574:12574> No Of Connections Requested 5, No Of Connections Created:1
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Warning: Could not allocated the requested LDAP connection

2009/01/01 15:43:09 GMT+08:00 <4090:4095> Direct to Advanced Authentication mode
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP Connection Pool, Get 0x109075D0
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP server returned result code 81 (Can't contact LDAP server), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:43:09 GMT+08:00 <4092:4113> IWSSLDAPMonitorThread: LDAP connection is unavailable for some reason, maybe slow network and overtaxed LDAP server
2009/01/01 15:43:09 GMT+08:00 <4092:4113> Refreshing LDAP Connections

The packet captures show that the Active Directory is expecting something from IWSVA because it returns KRB error, "KRB5KDC _ERR_PREAUTH_REQUIRED". These Event IDs are normal and the issue is related to pre-authentication. The AD server will always record and event for "pre-authentication required" so these events can be safely ignored.

For additional information on this normal Kerberos authentication process, refer to the following article: KRB5KDC_ERR_PREAUTH_REQUIRED.

If you prefer that these events are not logged, you can disable pre-authentication for the administrator account used by IWSVA as a workaround. To disable pre-authentication on the Active Directory:

Go to the property of the admin account.
Click the Account tab.
Under the Account options section, select the Do not require Kerberos preauthentication option.

If you are using IWSVA 5.0, you can install Patch 1. This patch will have IWSVA perform pre-authentication directly without having to negotiate with the LDAP server to the encryption method. The "Failure Audit" Security Event Log will no longer occur in the Active Directory. After applying Patch 1, enable Pre-Authentication:

Look for and open the intscan.ini file.
Add the following key under the [LDAP-Setting] section:
[LDAP-Setting]
direct_preauth=yes
Save and close the file.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Event 672 is repeatedly logged in the Domain Controller Security Event Log of InterScan Web security Virtual Appliance (IWSVA) 5.6

Event 672 is repeatedly logged in the Domain Controller Security Event Log of InterScan Web security Virtual Appliance (IWSVA) 5.6

Product / Version includes:

Summary