Windows 2008 server on 2003 Domain failing Kerberos pre-auth

Tags: active-directory, windows-server-2003, windows-server-2008

I've recently added a few Windows 2008 servers to my Windows 2003 domain. Now my domain controllers are periodically posting Security event ID 675 for the Windows 2008 boxes (only and all of the Win2k8 boxes):

Pre-authentication failed:
    User Name:  MY2008SERVER$
    User ID:        MYDOMAIN\MY2008SERVER$
    Service Name:   krbtgt/MYDOMAIN.LOCAL
    Pre-Authentication Type:    0x0
    Failure Code:   0x19
    Client Address: 10.2.1.32

According to Microsoft, that failure code means "Additional pre-auth required." As nedm noted, the actual RFC says 0x19 means "Server credentials revoked." Logon auditing yielded no useful information. Time is properly synced.

I've found a number of similar reports on the web, and the only answer I've seen so far is to set the "Don't require Kerberos pre-auth" flag via ADSIEdit.

This is fine as a workaround, but I don't want to have to do this for every 2008 server I deploy. Any idea where this is coming from? How to fix it for real?

Best Answer

0x19 corresponds to 19 in hex notation, which is 25 in decimal: "Additional pre-authentication required"
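The hex-versus-decimal point from the answer, as an added example that is not part of the original post: it parses the event 675 text from the question and looks up the failure code in a subset of the RFC 4120 error table, which is keyed by decimal value. The function names are hypothetical and the table is deliberately partial.

```python
# Added example: decode the "Failure Code" of a Security event 675 description.
# Subset of the RFC 4120 (section 7.5.9) error table, keyed by DECIMAL value.
KRB_ERRORS = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    18: ("KDC_ERR_CLIENT_REVOKED", "Clients credentials have been revoked"),
    19: ("KDC_ERR_SERVICE_REVOKED", "Credentials for server have been revoked"),
    23: ("KDC_ERR_KEY_EXPIRED", "Password has expired"),
    24: ("KDC_ERR_PREAUTH_FAILED", "Pre-authentication information was invalid"),
    25: ("KDC_ERR_PREAUTH_REQUIRED", "Additional pre-authentication required"),
    37: ("KRB_AP_ERR_SKEW", "Clock skew too great"),
}

# Event text copied from the question above.
SAMPLE_EVENT = r"""Pre-authentication failed:
    User Name:  MY2008SERVER$
    User ID:        MYDOMAIN\MY2008SERVER$
    Service Name:   krbtgt/MYDOMAIN.LOCAL
    Pre-Authentication Type:    0x0
    Failure Code:   0x19
    Client Address: 10.2.1.32
"""

def parse_event_675(text):
    """Return the 'Name: value' lines of the event description as a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only (IPv6-safe)
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def lookup(code):
    """Map a decimal RFC 4120 error code to (name, text)."""
    return KRB_ERRORS.get(code, ("UNKNOWN", "not in this table"))

def explain(text):
    """Decode the hex failure code and show the decimal misreading beside it."""
    fields = parse_event_675(text)
    raw = fields["Failure Code"]
    digits = raw[2:] if raw.lower().startswith("0x") else raw
    return {
        "account": fields.get("User Name"),
        "client": fields.get("Client Address"),
        "decimal": int(digits, 16),
        "meaning": lookup(int(digits, 16)),
        # Looking the same digits up as a decimal RFC code gives a different error.
        "if_read_as_decimal": lookup(int(digits)) if digits.isdigit() else None,
    }

if __name__ == "__main__":
    for key, value in explain(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```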
