Question : Event ID 673 appears randomly in security log

Hi folks

I'm reposting this as I didn't get any response last time and I'm hoping that was just because the right expert didn't see it.

I've had a look at previous posts about this but none seem to fit what I have happening, in that there is no user, machine or process identified, making it very difficult for me to identify the source of the problem:

Event Type:     Failure Audit
Event Source:     Security
Event Category:     Account Logon
Event ID:     673
Date:          07/04/2006
Time:          09:56:47
User:          NT AUTHORITY\SYSTEM
Computer:     AML-SERVER
Description:
Service Ticket Request:
      User Name:          
      User Domain:          
      Service Name:          
      Service ID:          -
      Ticket Options:          0x2
      Ticket Encryption Type:     -
      Client Address:          192.168.1.18
      Failure Code:          0x20
      Logon GUID:          -
      Transited Services:     -


The IP address shown is not allocated to any device.  All IP addresses on the network are fixed and are above 192.168.1.100, except for 192.168.1.19 which is reserved by DHCP for VPN.

The IP address displayed in the error changes but is always in the range 192.168.1.14 - 192.168.1.21.

The event also seems to be entirely random, its frequency varying between several times in the same minute to once in two days and I can't see any process reporting to event logs which may be causing this.

Any suggestions, please?

Answer : Event ID 673 appears randomly in security log

Well, I took a look at some of the logs for the many SBS's that I manage and I have plenty of those errors... I've always assumed that it's just a Kerberos ticket expiring.  It's not really a security issue unless you have a failed logon attempt with an actual user name.

Jeff
TechSoEasy
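
Added example (not part of the original posts): a small triage script for the distinction drawn in the answer, separating Event ID 673 failures with a blank user name from those that name an account, grouped by client address. It assumes the Security log has been exported as text in the layout quoted in the question; the second sample record (user "jsmith", address 192.168.1.120) is constructed for contrast, and the 0x20 label is taken from RFC 4120, where error code 32 is KRB_AP_ERR_TKT_EXPIRED.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event quoted in the question; the
# second record (user "jsmith", address 192.168.1.120) is invented for contrast.
SAMPLE = """\
Event ID:     673
Service Ticket Request:
      User Name:          
      Client Address:          192.168.1.18
      Failure Code:          0x20
Event ID:     673
Service Ticket Request:
      User Name:          jsmith
      Client Address:          192.168.1.120
      Failure Code:          0x20
"""

# RFC 4120 error code 32 (0x20) is KRB_AP_ERR_TKT_EXPIRED.
FAILURE_NAMES = {"0x20": "KRB_AP_ERR_TKT_EXPIRED"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")


def parse_events(text):
    """Split exported text into one dict of fields per 'Event ID:' record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event ID":
            events.append({})          # a new record starts here
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return [e for e in events if e.get("Event ID") == "673"]


def triage(events):
    """Group failures by client address; split blank-user from named-user."""
    summary = defaultdict(lambda: {"anonymous": 0, "named": set(), "codes": set()})
    for e in events:
        entry = summary[e.get("Client Address", "?")]
        code = e.get("Failure Code", "-").lower()
        entry["codes"].add(FAILURE_NAMES.get(code, code))
        user = e.get("User Name", "")
        if user in ("", "-"):
            entry["anonymous"] += 1    # no account named, as in the question
        else:
            entry["named"].add(user)   # a real account name: worth a closer look
    return dict(summary)
```

Calling `triage(parse_events(text))` on an exported log returns one entry per client address, so addresses that only ever produce blank-user failures can be told apart from those that name accounts.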