From: Larry Struckmeyer[SBS-MVP] on
Yaro:

"I was rather hoping to find a way to block a whole block
of IP addresses rather than just a couple of them."

Most easily done in a quality edge device.... ISA, Watchguard, Sonicwall
and so on.

-
Larry
Please post the resolution to your
issue so others may benefit
-
Get Your SBS Health Check at
www.sbsbpa.com


> On 28 Apr, 02:18, "Ace Fekay [MVP - Directory Services, MCT]"
> <ace...(a)mvps.RemoveThisPart.org> wrote:
>
>> On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137
>>
>> <yaro...(a)googlemail.com> wrote:
>>
>>> On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]"
>>> <ace...(a)mvps.RemoveThisPart.org> wrote:
>>>
>>>> On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137
>>>>
>>>> <yaro...(a)googlemail.com> wrote:
>>>>
>>>>> To get more detailed information I enabled Kerberos logging and
>>>>> this
>>>>> is what I get:
>>>>> A Kerberos Error Message was received:
>>>>> on logon session
>>>>> Client Time:
>>>>> Server Time: 13:46:44.0000 4/27/2010 Z
>>>>> Error Code: 0xd KDC_ERR_BADOPTION
>>>>> Extended Error: 0xc00000bb KLIN(0)
>>>>> Client Realm:
>>>>> Client Name:
>>>>> Server Realm: DOMAIN.LOCAL
>>>>> Server Name: host/dru001.domain.local
>>>>> Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
>>>>> Error Text:
>>>>> File: 9
>>>>> Line: b22
>>>>> Error Data is in record data.
>>>>> I'm getting quite a lot of these accompanied by :
>>>>>
>>>>> Pre-authentication failed:
>>>>> User Name: Administrator
>>>>> User ID: DOMAIN\Administrator
>>>>> Service Name: krbtgt/DOMAIN
>>>>> Pre-Authentication Type: 0x2
>>>>> Failure Code: 0x18
>>>>> Client Address: 127.0.0.1
>>>>> and
>>>>>
>>>>> Logon Failure:
>>>>> Reason: Unknown user name or bad password
>>>>> User Name: administrator
>>>>> Domain: DOMAIN
>>>>> Logon Type: 10
>>>>> Logon Process: User32
>>>>> Authentication Package: Negotiate
>>>>> Workstation Name: DRU001
>>>>> Caller User Name: DRU001$
>>>>> Caller Domain: DOMAIN
>>>>> Caller Logon ID: (0x0,0x3E7)
>>>>> Caller Process ID: 6240
>>>>> Transited Services: -
>>>>> Source Network Address: 61.63.91.172
>>>>> Source Port: 1706
>>>>> The IP is external and has nothing to do with the client. I can't
>>>>> check what PID 6240 is as it doesn't exist any more. 0x18 means
>>>>> invalid pre-authentication usually meaning bad password. Right, so
>>>>> someone's trying. My question is why the first two logs look like
>>>>> they
>>>>> were coming from the server itself. Could it be already
>>>>> compromised or
>>>>> is it something else?
>>>>> yaro
>>>> Nslookup says it's a Taiwan name.
>>>>
>>>> Name: 61-63-91-host172.kbtelecom.net.tw
>>>> Address: 61.63.91.172
>>>> You can also use http://www.ip2location.com to find IP locations.
>>>>
>>>> My suggestion is to simply block the IP, or if you don't do any
>>>> business with Taiwan, deny the whole Taiwan IP block.
>>>>
>>>> Ace
>>>>
>>>> This posting is provided "AS-IS" with no warranties or guarantees
>>>> and confers no rights.
>>>>
>>>> Please reply back to the newsgroup or forum for collaboration
>>>> benefit among responding engineers, and to help others benefit from
>>>> your resolution.
>>>>
>>>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007,
>>>> MCSE & MCSA 2003/2000, MCSA Messaging 2003
>>>>
>>>> Microsoft Certified Trainer
>>>>
>>>> Microsoft MVP - Directory Services
>>>>
>>>> If you feel this is an urgent issue and require immediate
>>>> assistance, please contact Microsoft PSS directly. Please
>>>> check http://support.microsoft.com for regional support phone numbers.
>>>>
>>> It wouldn't be easy doing in IIS. Unless there is some config file I
>>> don't know of. I'm still not sure why it looks local in the first
>>> two
>>> logs. Thanks
>>> yaro
>> I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM,
>> Protocols, SMTP, Default Virtual Server properties, second tab,
>> access, and block the IP in there. In SBS 2008, it's in the Server,
>> Transport, Receive Connector.
>>
>> Ace
>>
> It's 2003 in this case :) and yes, that's where you block an IP
> address but I was rather hoping to find a way to block a whole block
> of IP addresses rather than just a couple of them. Yesterday was that
> one, probably tomorrow it will be another one. Is there a way to block
> like whole country? If say I wanted to block China and Russia it won't
> even be one block of addresses but quite a lot of them. Thanks
> yaro


From: Ace Fekay [MVP - Directory Services, MCT] on
On Wed, 28 Apr 2010 01:16:44 -0700 (PDT), yaro137
<yaro137(a)googlemail.com> wrote:

>On 28 Apr, 02:18, "Ace Fekay [MVP - Directory Services, MCT]"
><ace...(a)mvps.RemoveThisPart.org> wrote:
>> On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137
>>
>>
>>
>> <yaro...(a)googlemail.com> wrote:
>> >On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]"
>> ><ace...(a)mvps.RemoveThisPart.org> wrote:
>> >> On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137
>>
>> >> <yaro...(a)googlemail.com> wrote:
>> >> >To get more detailed information I enabled Kerberos logging and this
>> >> >is what I get:
>> >> >A Kerberos Error Message was received:
>> >> >         on logon session
>> >> > Client Time:
>> >> > Server Time: 13:46:44.0000 4/27/2010 Z
>> >> > Error Code: 0xd KDC_ERR_BADOPTION
>> >> > Extended Error: 0xc00000bb KLIN(0)
>> >> > Client Realm:
>> >> > Client Name:
>> >> > Server Realm: DOMAIN.LOCAL
>> >> > Server Name: host/dru001.domain.local
>> >> > Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
>> >> > Error Text:
>> >> > File: 9
>> >> > Line: b22
>> >> > Error Data is in record data.
>>
>> >> >I'm getting quite a lot of these accompanied by :
>>
>> >> >Pre-authentication failed:
>> >> >    User Name:      Administrator
>> >> >    User ID:                DOMAIN\Administrator
>> >> >    Service Name:   krbtgt/DOMAIN
>> >> >    Pre-Authentication Type:        0x2
>> >> >    Failure Code:   0x18
>> >> >    Client Address: 127.0.0.1
>>
>> >> >and
>>
>> >> >Logon Failure:
>> >> >    Reason:         Unknown user name or bad password
>> >> >    User Name:      administrator
>> >> >    Domain:         DOMAIN
>> >> >    Logon Type:     10
>> >> >    Logon Process:  User32
>> >> >    Authentication Package: Negotiate
>> >> >    Workstation Name:       DRU001
>> >> >    Caller User Name:       DRU001$
>> >> >    Caller Domain:  DOMAIN
>> >> >    Caller Logon ID:        (0x0,0x3E7)
>> >> >    Caller Process ID:      6240
>> >> >    Transited Services:     -
>> >> >    Source Network Address: 61.63.91.172
>> >> >    Source Port:    1706
>>
>> >> >The IP is external and has nothing to do with the client. I can't
>> >> >check what PID 6240 is as it doesn't exist any more. 0x18 means
>> >> >invalid pre-authentication usually meaning bad password. Right, so
>> >> >someone's trying. My question is why the first two logs look like they
>> >> >were coming from the server itself. Could it be already compromised or
>> >> >is it something else?
>> >> >yaro
>>
>> >> Nslookup says it's a Taiwan name.
>>
>> >> Name: � �61-63-91-host172.kbtelecom.net.tw
>> >> Address: �61.63.91.172
>>
>> >> You can also use http://www.ip2location.com to find IP locations.
>>
>> >> My suggestion is to simply block the IP, or if you don't do any
>> >> business with Taiwan, deny the whole Taiwan IP block.
>>
>> >> Ace
>>
>> >> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>>
>> >> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>>
>> >> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
>> >> Microsoft Certified Trainer
>> >> Microsoft MVP - Directory Services
>>
>> >> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>>
>> >It wouldn't be easy doing in IIS. Unless there is some config file I
>> >don't know of. I'm still not sure why it looks local in the first two
>> >logs. Thanks
>> >yaro
>>
>> I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM,
>> Protocols, SMTP, Default Virtual Server properties, second tab,
>> access, and block the IP in there. In SBS 2008, it's in the Server,
>> Transport, Receive Connector.
>>
>> Ace
>
>It's 2003 in this case :) and yes, that's where you block an IP
>address but I was rather hoping to find a way to block a whole block
>of IP addresses rather than just a couple of them. Yesterday was that
>one, probably tomorrow it will be another one. Is there a way to block
>like whole country? If say I wanted to block China and Russia it won't
>even be one block of addresses but quite a lot of them. Thanks
>yaro


You can actually do it in there, but I second Larry's suggestion.

If you want, take a look at this site. This is way too much to enter
and would overwhelm the SMTP service, but it gives you an idea of what's in
store to do something like this.
http://www.countryipblocks.net/

Ace
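As an added example (not code from the thread or from any of the posters), the script below parses security-log records in the shape quoted above, counts failed Logon Type 10 (remote interactive / RDP) attempts per external source address, and checks each address against a CIDR block list. It also shows why the Kerberos pre-authentication event carries Client Address 127.0.0.1: for an RDP logon the server's own LSA is the Kerberos client talking to the local KDC, so the loopback address is expected and the remote address only appears in the Logon Failure event's Source Network Address field. The sample records are constructed from the thread's redacted entries, and the block list is a placeholder that merely contains the thread's example address; it is not a real country allocation, which you would take from a RIR delegation file or a service such as the one Ace links.

```python
"""Added example: correlate Windows logon-failure records and match sources
against a CIDR block list. Sample data is constructed, not a live log."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the records quoted in the thread. The third
# record is an added internal failure to show that it is not counted.
SAMPLE_LOG = """\
Pre-authentication failed:
    User Name:      Administrator
    User ID:        DOMAIN\\Administrator
    Service Name:   krbtgt/DOMAIN
    Pre-Authentication Type:        0x2
    Failure Code:   0x18
    Client Address: 127.0.0.1

Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      administrator
    Domain:         DOMAIN
    Logon Type:     10
    Logon Process:  User32
    Authentication Package: Negotiate
    Workstation Name:       DRU001
    Caller User Name:       DRU001$
    Source Network Address: 61.63.91.172
    Source Port:    1706

Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      administrator
    Domain:         DOMAIN
    Logon Type:     10
    Source Network Address: 61.63.91.172
    Source Port:    1710

Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      jsmith
    Domain:         DOMAIN
    Logon Type:     2
    Source Network Address: 192.168.16.5
    Source Port:    -
"""

# "Key:   value" lines; the key may contain spaces and hyphens.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")

# Loopback and RFC 1918 space: failures from here are local, not Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder block list (constructed): a /24 around the thread's example
# address plus TEST-NET-3. Not a real country allocation.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("61.63.91.0/24", "203.0.113.0/24")]


def parse_events(text):
    """Split the log into records (blank-line separated) and parse each into a dict.
    The first line of a record is its type, e.g. 'Logon Failure'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        event = {"Type": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                event[m.group(1).strip()] = m.group(2).strip()
        events.append(event)
    return events


def is_internal(addr):
    """True for loopback/private addresses and for '-' (no network source at all)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def external_rdp_failures(events):
    """Count failed type-10 logons per (source address, user) from outside the LAN.
    The Kerberos pre-auth record (Client Address 127.0.0.1) is deliberately not
    used as a source: for RDP logons the server itself is the Kerberos client."""
    counts = Counter()
    for e in events:
        if (e["Type"] == "Logon Failure" and e.get("Logon Type") == "10"
                and not is_internal(e.get("Source Network Address", "-"))):
            counts[(e["Source Network Address"], e.get("User Name", "").lower())] += 1
    return dict(counts)


def matching_block(addr, blocklist=BLOCKLIST):
    """Return the CIDR prefix that contains addr, or None if it is not listed."""
    ip = ipaddress.ip_address(addr)
    for net in blocklist:
        if ip in net:
            return str(net)
    return None


def collapse_blocklist(prefixes):
    """Merge adjacent/overlapping prefixes so a country list becomes as few
    entries as possible before it is loaded into a firewall or SMTP deny list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (src, user), n in external_rdp_failures(evs).items():
        print(f"{src} -> {user}: {n} failed RDP logons, block {matching_block(src)}")
    print(collapse_blocklist(["61.63.0.0/17", "61.63.128.0/17", "203.0.113.0/24"]))
```

Run as a script it prints one line per external source with the prefix that would have stopped it, then a merged version of a small prefix list; the collapsing step is what makes "quite a lot of them" manageable when a per-country list runs to hundreds of entries.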
From: yaro137 on
On 28 Apr, 14:22, "Ace Fekay [MVP - Directory Services, MCT]"
<ace...(a)mvps.RemoveThisPart.org> wrote:
> On Wed, 28 Apr 2010 01:16:44 -0700 (PDT), yaro137
>
>
>
> <yaro...(a)googlemail.com> wrote:
> >On 28 Apr, 02:18, "Ace Fekay [MVP - Directory Services, MCT]"
> ><ace...(a)mvps.RemoveThisPart.org> wrote:
> >> On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137
>
> >> <yaro...(a)googlemail.com> wrote:
> >> >On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]"
> >> ><ace...(a)mvps.RemoveThisPart.org> wrote:
> >> >> On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137
>
> >> >> <yaro...(a)googlemail.com> wrote:
> >> >> >To get more detailed information I enabled Kerberos logging and this
> >> >> >is what I get:
> >> >> >A Kerberos Error Message was received:
> >> >> >         on logon session
> >> >> > Client Time:
> >> >> > Server Time: 13:46:44.0000 4/27/2010 Z
> >> >> > Error Code: 0xd KDC_ERR_BADOPTION
> >> >> > Extended Error: 0xc00000bb KLIN(0)
> >> >> > Client Realm:
> >> >> > Client Name:
> >> >> > Server Realm: DOMAIN.LOCAL
> >> >> > Server Name: host/dru001.domain.local
> >> >> > Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
> >> >> > Error Text:
> >> >> > File: 9
> >> >> > Line: b22
> >> >> > Error Data is in record data.
>
> >> >> >I'm getting quite a lot of these accompanied by :
>
> >> >> >Pre-authentication failed:
> >> >> >    User Name:      Administrator
> >> >> >    User ID:                DOMAIN\Administrator
> >> >> >    Service Name:   krbtgt/DOMAIN
> >> >> >    Pre-Authentication Type:        0x2
> >> >> >    Failure Code:   0x18
> >> >> >    Client Address: 127.0.0.1
>
> >> >> >and
>
> >> >> >Logon Failure:
> >> >> >    Reason:         Unknown user name or bad password
> >> >> >    User Name:      administrator
> >> >> >    Domain:         DOMAIN
> >> >> >    Logon Type:     10
> >> >> >    Logon Process:  User32
> >> >> >    Authentication Package: Negotiate
> >> >> >    Workstation Name:       DRU001
> >> >> >    Caller User Name:       DRU001$
> >> >> >    Caller Domain:  DOMAIN
> >> >> >    Caller Logon ID:        (0x0,0x3E7)
> >> >> >    Caller Process ID:      6240
> >> >> >    Transited Services:     -
> >> >> >    Source Network Address: 61.63.91.172
> >> >> >    Source Port:    1706
>
> >> >> >The IP is external and has nothing to do with the client. I can't
> >> >> >check what PID 6240 is as it doesn't exist any more. 0x18 means
> >> >> >invalid pre-authentication usually meaning bad password. Right, so
> >> >> >someone's trying. My question is why the first two logs look like they
> >> >> >were coming from the server itself. Could it be already compromised or
> >> >> >is it something else?
> >> >> >yaro
>
> >> >> Nslookup says it's a Taiwan name.
>
> >> >> Name:    61-63-91-host172.kbtelecom.net.tw
> >> >> Address:  61.63.91.172
>
> >> >> You can also use http://www.ip2location.com to find IP locations.
>
> >> >> My suggestion is to simply block the IP, or if you don't do any
> >> >> business with Taiwan, deny the whole Taiwan IP block.
>
> >> >> Ace
>
> >> >> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> >> >> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> >> >> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> >> >> Microsoft Certified Trainer
> >> >> Microsoft MVP - Directory Services
>
> >> >> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
> >> >It wouldn't be easy doing in IIS. Unless there is some config file I
> >> >don't know of. I'm still not sure why it looks local in the first two
> >> >logs. Thanks
> >> >yaro
>
> >> I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM,
> >> Protocols, SMTP, Default Virtual Server properties, second tab,
> >> access, and block the IP in there. In SBS 2008, it's in the Server,
> >> Transport, Receive Connector.
>
> >> Ace
>
> >It's 2003 in this case :) and yes, that's where you block an IP
> >address but I was rather hoping to find a way to block a whole block
> >of IP addresses rather than just a couple of them. Yesterday was that
> >one, probably tomorrow it will be another one. Is there a way to block
> >like whole country? If say I wanted to block China and Russia it won't
> >even be one block of addresses but quite a lot of them. Thanks
> >yaro
>
> You can actually do it in there, but I second Larry's suggestion.
>
> If you want, take a look at this site. This is way too much to enter
> and would overwhelm the SMTP service, but it gives you an idea of what's in
> store to do something like this. http://www.countryipblocks.net/
>
> Ace

Yeah, fair enough. Thanks guys
yaro