Event 672 is repeatedly logged in the Domain Controller Security Event Log when using InterScan Web Security Virtual Appliance (IWSVA) 5.6

    • Updated: 21 Dec 2015
    • Product/Version: InterScan Web Security Virtual Appliance 5.6
    • Platform: N/A
Summary

The following Pre-Authentication Failure events (Event ID 672) are logged every few seconds in the Security Event Log:

Pre-authentication failed:
User Name: user
User ID: %{S-1-5-21-1515894698-2064606462-2977944764-1116}
Service Name: krbtgt/DOMAIN.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.0.0.10
Name:  AD Account Can't Logon - Account Doesn't Exist
Description:  Authentication Ticket Request:
User Name: 
Supplied Realm Name: DOMAIN.LOCAL
User ID:   -
Service Name:  user/DOMAIN.LOCAL
Service ID:  -
Ticket Options:  0x10
Result Code:  0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address:  10.0.0.10
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Active Directory 2003 is used and it has been confirmed that the LDAP connection is successful.

Details

The following errors are found in the IWSVA logs:

2009/01/01 15:01:42 GMT+08:00 <12574:12574> LDAP server returned result code 85 (Timed out), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: LDAP module failed to get Root DSE, please check whether ldap hostname is valid
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Error: Netscape LDAP CSDK: Failed to get Root DSE
2009/01/01 15:01:42 GMT+08:00 <12574:12574> No Of Connections Requested 5, No Of Connections Created:1
2009/01/01 15:01:42 GMT+08:00 <12574:12574> Warning: Could not allocated the requested LDAP connection
2009/01/01 15:43:09 GMT+08:00 <4090:4095> Direct to Advanced Authentication mode
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP Connection Pool, Get 0x109075D0
2009/01/01 15:43:09 GMT+08:00 <4092:4113> LDAP server returned result code 81 (Can't contact LDAP server), This server is down or timeout, or operation interrupted by signal
2009/01/01 15:43:09 GMT+08:00 <4092:4113> IWSSLDAPMonitorThread: LDAP connection is unavailable for some reason, maybe slow network and overtaxed LDAP server
2009/01/01 15:43:09 GMT+08:00 <4092:4113> Refreshing LDAP Connections

The packet captures show that Active Directory is expecting something further from IWSVA, because it returns the Kerberos error "KRB5KDC_ERR_PREAUTH_REQUIRED". These Event IDs are normal and the issue is related to pre-authentication. The AD server will always record an event for "pre-authentication required", so these events can be safely ignored.

For additional information on this normal Kerberos authentication process, refer to the following article: KRB5KDC_ERR_PREAUTH_REQUIRED.
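The triage described above, as an added example (not Trend Micro's code): it parses exported Event 672 text, counts the expected Failure Code 0x19 events per account and client, and lists every other Kerberos code for review. The field names follow the event text shown in the Summary; the account name `svc_iwsva`, the addresses and the sample events are constructed, and the code names come from RFC 4120.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as shown in "Failure Code" / "Result Code".
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # account does not exist
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled or locked out
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # first leg of a normal AS exchange
}
EXPECTED = {0x19}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split blank-line-separated events into dicts of field name -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields.setdefault(m.group(1), m.group(2))
        events.append(fields)
    return events

def triage(text):
    """Count expected 0x19 events per (user, client); list everything else."""
    expected, review = Counter(), []
    for ev in parse_events(text):
        raw = ev.get("Failure Code") or ev.get("Result Code")
        if not raw:
            continue
        code = int(raw, 16)
        who = (ev.get("User Name", ""), ev.get("Client Address", ""))
        if code in EXPECTED:
            expected[who] += 1
        else:
            review.append(who + (KRB_ERRORS.get(code, hex(code)),))
    return expected, review

# Constructed sample events (hypothetical account and addresses).
PREAUTH_REQ = "User Name: svc_iwsva\nFailure Code: 0x19\nClient Address: 10.0.0.10\n"
BAD_PASSWORD = "User Name: svc_iwsva\nFailure Code: 0x18\nClient Address: 10.0.0.77\n"
SAMPLE = "\n".join([PREAUTH_REQ, PREAUTH_REQ, BAD_PASSWORD])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Filtering on the failure code rather than on Event ID 672 as a whole keeps wrong-password and unknown-account failures for the same account visible.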

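If you prefer that these events are not logged, you can disable pre-authentication for the administrator account used by IWSVA as a workaround. An account with pre-authentication disabled receives its encrypted ticket reply without first proving knowledge of its password, which permits offline password guessing against that reply, so give the account a long random password and only the privileges IWSVA needs. To disable pre-authentication on the Active Directory:

  1. Open the properties of the admin account.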
  2. Click the Account tab.
  3. Under the Account options section, select the Do not require Kerberos preauthentication option.

If you are using IWSVA 5.0, you can install Patch 1. With this patch, IWSVA performs pre-authentication directly, without having to negotiate the encryption method with the LDAP server. "Failure Audit" entries will no longer appear in the Active Directory Security Event Log. After applying Patch 1, enable Pre-Authentication:

  1. Look for and open the intscan.ini file.
  2. Add the following key under the [LDAP-Setting] section:

    [LDAP-Setting]
    direct_preauth=yes

  3. Save and close the file.
Category: Configure; Troubleshoot
Solution Id: 1056217