From: yaro137 on 27 Apr 2010 10:16

To get more detailed information I enabled Kerberos logging and this is what I get:

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 13:46:44.0000 4/27/2010 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: host/dru001.domain.local
 Target Name: host/dru001.domain.local(a)DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

I'm getting quite a lot of these accompanied by:

Pre-authentication failed:
 User Name: Administrator
 User ID: DOMAIN\Administrator
 Service Name: krbtgt/DOMAIN
 Pre-Authentication Type: 0x2
 Failure Code: 0x18
 Client Address: 127.0.0.1

and

Logon Failure:
 Reason: Unknown user name or bad password
 User Name: administrator
 Domain: DOMAIN
 Logon Type: 10
 Logon Process: User32
 Authentication Package: Negotiate
 Workstation Name: DRU001
 Caller User Name: DRU001$
 Caller Domain: DOMAIN
 Caller Logon ID: (0x0,0x3E7)
 Caller Process ID: 6240
 Transited Services: -
 Source Network Address: 61.63.91.172
 Source Port: 1706

The IP is external and has nothing to do with the client. I can't check what PID 6240 is as it doesn't exist any more. 0x18 means invalid pre-authentication, usually meaning bad password. Right, so someone's trying. My question is why the first two logs look like they were coming from the server itself. Could it be already compromised or is it something else?

yaro
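The three events in the post can be tied together mechanically rather than by eye. The Python below is an added example and is not code from the poster, the newsgroup or Microsoft. It parses events in the multi-line "Field: value" form shown above from a constructed sample that reuses the post's field values, counts logon failures per source address, flags Logon Type 10 (Terminal Services) failures from non-private addresses, and pairs each 0x18 pre-authentication failure recorded against 127.0.0.1 with a logon failure for the same account that follows within a few seconds. The pairing encodes one reading of the loopback address: when the server that receives the remote logon attempt is also the KDC (as on an SBS box), its own LSA requests the ticket locally, so the Kerberos-side event shows a loopback client while the logon failure carries the real source. The "Time:" line in the sample, the 5-second window and the internal-user entry are assumptions made for the example; the 2003-era event text itself carries no timestamp.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the post's "Field: value" shape. The "Time:" line is an
# assumption added for correlation; the 2003-era event text carries none.
SAMPLE_EVENTS = """\
Time: 2010-04-27 13:46:44
Pre-authentication failed:
 User Name: Administrator
 User ID: DOMAIN\\Administrator
 Failure Code: 0x18
 Client Address: 127.0.0.1

Time: 2010-04-27 13:46:45
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: administrator
 Domain: DOMAIN
 Logon Type: 10
 Workstation Name: DRU001
 Source Network Address: 61.63.91.172

Time: 2010-04-27 13:47:02
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: administrator
 Domain: DOMAIN
 Logon Type: 10
 Workstation Name: DRU001
 Source Network Address: 61.63.91.172

Time: 2010-04-27 13:50:00
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: jsmith
 Domain: DOMAIN
 Logon Type: 2
 Workstation Name: DRU001
 Source Network Address: 192.168.1.25
"""


def parse_events(text):
    """Blank-line-separated blocks -> dicts; a 'Name:' line with no value is the kind."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            key, value = key.strip(), value.strip()
            if not value:
                event["kind"] = key
            elif key == "Time":
                event["time"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            else:
                event[key] = value
        events.append(event)
    return events


def is_external(addr):
    """True outside RFC 1918, loopback and link-local space."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def failures_by_source(events):
    """Logon Failure count per Source Network Address."""
    return Counter(ev.get("Source Network Address", "unknown")
                   for ev in events if ev.get("kind") == "Logon Failure")


def external_rdp_failures(events):
    """Logon Type 10 (Terminal Services) failures from non-private sources."""
    return [ev for ev in events if ev.get("kind") == "Logon Failure"
            and ev.get("Logon Type") == "10"
            and is_external(ev.get("Source Network Address", "0.0.0.0"))]


def correlate_local_preauth(events, window=timedelta(seconds=5)):
    """Pair each 0x18 pre-auth failure from 127.0.0.1 with a Logon Failure for
    the same account that follows within `window` (the window is an assumption)."""
    pairs = []
    for pre in events:
        if not (pre.get("kind") == "Pre-authentication failed"
                and pre.get("Failure Code") == "0x18"
                and pre.get("Client Address") == "127.0.0.1"):
            continue
        for logon in events:
            if (logon.get("kind") == "Logon Failure"
                    and logon["User Name"].lower() == pre["User Name"].lower()
                    and timedelta(0) <= logon["time"] - pre["time"] <= window):
                pairs.append((pre["User Name"], logon["Source Network Address"]))
    return pairs
```

Run over the sample, `failures_by_source` shows two failures from 61.63.91.172 and one from the internal workstation, `external_rdp_failures` keeps only the external Terminal Services attempts, and `correlate_local_preauth` attributes the loopback pre-authentication failure to the external source that triggered it; the same functions work on real exported event text once a timestamp column is added.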
From: Ace Fekay [MVP - Directory Services, MCT] on 27 Apr 2010 11:34

On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137 <yaro137(a)googlemail.com> wrote:

> To get more detailed information I enabled Kerberos logging and this is what I get:
>
> A Kerberos Error Message was received:
>  on logon session
>  Client Time:
>  Server Time: 13:46:44.0000 4/27/2010 Z
>  Error Code: 0xd KDC_ERR_BADOPTION
>  Extended Error: 0xc00000bb KLIN(0)
>  Client Realm:
>  Client Name:
>  Server Realm: DOMAIN.LOCAL
>  Server Name: host/dru001.domain.local
>  Target Name: host/dru001.domain.local(a)DOMAIN.LOCAL
>  Error Text:
>  File: 9
>  Line: b22
>  Error Data is in record data.
>
> I'm getting quite a lot of these accompanied by:
>
> Pre-authentication failed:
>  User Name: Administrator
>  User ID: DOMAIN\Administrator
>  Service Name: krbtgt/DOMAIN
>  Pre-Authentication Type: 0x2
>  Failure Code: 0x18
>  Client Address: 127.0.0.1
>
> and
>
> Logon Failure:
>  Reason: Unknown user name or bad password
>  User Name: administrator
>  Domain: DOMAIN
>  Logon Type: 10
>  Logon Process: User32
>  Authentication Package: Negotiate
>  Workstation Name: DRU001
>  Caller User Name: DRU001$
>  Caller Domain: DOMAIN
>  Caller Logon ID: (0x0,0x3E7)
>  Caller Process ID: 6240
>  Transited Services: -
>  Source Network Address: 61.63.91.172
>  Source Port: 1706
>
> The IP is external and has nothing to do with the client. I can't check what PID 6240 is as it doesn't exist any more. 0x18 means invalid pre-authentication, usually meaning bad password. Right, so someone's trying. My question is why the first two logs look like they were coming from the server itself. Could it be already compromised or is it something else?
>
> yaro

Nslookup says it's a Taiwan name.

Name: 61-63-91-host172.kbtelecom.net.tw
Address: 61.63.91.172

You can also use http://www.ip2location.com to find IP locations.

My suggestion is to simply block the IP, or if you don't do any business with Taiwan, deny the whole Taiwan IP block.

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
From: yaro137 on 27 Apr 2010 12:38

On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]" <ace...(a)mvps.RemoveThisPart.org> wrote:

> On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137 <yaro...(a)googlemail.com> wrote:
>
> > To get more detailed information I enabled Kerberos logging and this is what I get:
> >
> > A Kerberos Error Message was received:
> >  on logon session
> >  Client Time:
> >  Server Time: 13:46:44.0000 4/27/2010 Z
> >  Error Code: 0xd KDC_ERR_BADOPTION
> >  Extended Error: 0xc00000bb KLIN(0)
> >  Client Realm:
> >  Client Name:
> >  Server Realm: DOMAIN.LOCAL
> >  Server Name: host/dru001.domain.local
> >  Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
> >  Error Text:
> >  File: 9
> >  Line: b22
> >  Error Data is in record data.
> >
> > I'm getting quite a lot of these accompanied by:
> >
> > Pre-authentication failed:
> >  User Name: Administrator
> >  User ID: DOMAIN\Administrator
> >  Service Name: krbtgt/DOMAIN
> >  Pre-Authentication Type: 0x2
> >  Failure Code: 0x18
> >  Client Address: 127.0.0.1
> >
> > and
> >
> > Logon Failure:
> >  Reason: Unknown user name or bad password
> >  User Name: administrator
> >  Domain: DOMAIN
> >  Logon Type: 10
> >  Logon Process: User32
> >  Authentication Package: Negotiate
> >  Workstation Name: DRU001
> >  Caller User Name: DRU001$
> >  Caller Domain: DOMAIN
> >  Caller Logon ID: (0x0,0x3E7)
> >  Caller Process ID: 6240
> >  Transited Services: -
> >  Source Network Address: 61.63.91.172
> >  Source Port: 1706
> >
> > The IP is external and has nothing to do with the client. I can't check what PID 6240 is as it doesn't exist any more. 0x18 means invalid pre-authentication, usually meaning bad password. Right, so someone's trying. My question is why the first two logs look like they were coming from the server itself. Could it be already compromised or is it something else?
> >
> > yaro
>
> Nslookup says it's a Taiwan name.
>
> Name: 61-63-91-host172.kbtelecom.net.tw
> Address: 61.63.91.172
>
> You can also use http://www.ip2location.com to find IP locations.
>
> My suggestion is to simply block the IP, or if you don't do any business with Taiwan, deny the whole Taiwan IP block.
>
> Ace

It wouldn't be easy doing it in IIS, unless there is some config file I don't know of. I'm still not sure why it looks local in the first two logs.

Thanks
yaro
From: Ace Fekay [MVP - Directory Services, MCT] on 27 Apr 2010 21:18

On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137 <yaro137(a)googlemail.com> wrote:

> On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]" <ace...(a)mvps.RemoveThisPart.org> wrote:
>
> > On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137 <yaro...(a)googlemail.com> wrote:
> >
> > > To get more detailed information I enabled Kerberos logging and this is what I get:
> > >
> > > A Kerberos Error Message was received:
> > >  on logon session
> > >  Client Time:
> > >  Server Time: 13:46:44.0000 4/27/2010 Z
> > >  Error Code: 0xd KDC_ERR_BADOPTION
> > >  Extended Error: 0xc00000bb KLIN(0)
> > >  Client Realm:
> > >  Client Name:
> > >  Server Realm: DOMAIN.LOCAL
> > >  Server Name: host/dru001.domain.local
> > >  Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
> > >  Error Text:
> > >  File: 9
> > >  Line: b22
> > >  Error Data is in record data.
> > >
> > > I'm getting quite a lot of these accompanied by:
> > >
> > > Pre-authentication failed:
> > >  User Name: Administrator
> > >  User ID: DOMAIN\Administrator
> > >  Service Name: krbtgt/DOMAIN
> > >  Pre-Authentication Type: 0x2
> > >  Failure Code: 0x18
> > >  Client Address: 127.0.0.1
> > >
> > > and
> > >
> > > Logon Failure:
> > >  Reason: Unknown user name or bad password
> > >  User Name: administrator
> > >  Domain: DOMAIN
> > >  Logon Type: 10
> > >  Logon Process: User32
> > >  Authentication Package: Negotiate
> > >  Workstation Name: DRU001
> > >  Caller User Name: DRU001$
> > >  Caller Domain: DOMAIN
> > >  Caller Logon ID: (0x0,0x3E7)
> > >  Caller Process ID: 6240
> > >  Transited Services: -
> > >  Source Network Address: 61.63.91.172
> > >  Source Port: 1706
> > >
> > > The IP is external and has nothing to do with the client. I can't check what PID 6240 is as it doesn't exist any more. 0x18 means invalid pre-authentication, usually meaning bad password. Right, so someone's trying. My question is why the first two logs look like they were coming from the server itself. Could it be already compromised or is it something else?
> > >
> > > yaro
> >
> > Nslookup says it's a Taiwan name.
> >
> > Name: 61-63-91-host172.kbtelecom.net.tw
> > Address: 61.63.91.172
> >
> > You can also use http://www.ip2location.com to find IP locations.
> >
> > My suggestion is to simply block the IP, or if you don't do any business with Taiwan, deny the whole Taiwan IP block.
> >
> > Ace
>
> It wouldn't be easy doing it in IIS, unless there is some config file I don't know of. I'm still not sure why it looks local in the first two logs.
>
> Thanks
> yaro

I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM, Protocols, SMTP, Default Virtual Server properties, second tab, Access, and block the IP in there. In SBS 2008, it's in the Server, Transport, Receive Connector.

Ace
From: yaro137 on 28 Apr 2010 04:16

On 28 Apr, 02:18, "Ace Fekay [MVP - Directory Services, MCT]" <ace...(a)mvps.RemoveThisPart.org> wrote:

> On Tue, 27 Apr 2010 09:38:39 -0700 (PDT), yaro137 <yaro...(a)googlemail.com> wrote:
>
> > On 27 Apr, 16:34, "Ace Fekay [MVP - Directory Services, MCT]" <ace...(a)mvps.RemoveThisPart.org> wrote:
> >
> > > On Tue, 27 Apr 2010 07:16:18 -0700 (PDT), yaro137 <yaro...(a)googlemail.com> wrote:
> > >
> > > > To get more detailed information I enabled Kerberos logging and this is what I get:
> > > >
> > > > A Kerberos Error Message was received:
> > > >  on logon session
> > > >  Client Time:
> > > >  Server Time: 13:46:44.0000 4/27/2010 Z
> > > >  Error Code: 0xd KDC_ERR_BADOPTION
> > > >  Extended Error: 0xc00000bb KLIN(0)
> > > >  Client Realm:
> > > >  Client Name:
> > > >  Server Realm: DOMAIN.LOCAL
> > > >  Server Name: host/dru001.domain.local
> > > >  Target Name: host/dru001.domain.lo...(a)DOMAIN.LOCAL
> > > >  Error Text:
> > > >  File: 9
> > > >  Line: b22
> > > >  Error Data is in record data.
> > > >
> > > > I'm getting quite a lot of these accompanied by:
> > > >
> > > > Pre-authentication failed:
> > > >  User Name: Administrator
> > > >  User ID: DOMAIN\Administrator
> > > >  Service Name: krbtgt/DOMAIN
> > > >  Pre-Authentication Type: 0x2
> > > >  Failure Code: 0x18
> > > >  Client Address: 127.0.0.1
> > > >
> > > > and
> > > >
> > > > Logon Failure:
> > > >  Reason: Unknown user name or bad password
> > > >  User Name: administrator
> > > >  Domain: DOMAIN
> > > >  Logon Type: 10
> > > >  Logon Process: User32
> > > >  Authentication Package: Negotiate
> > > >  Workstation Name: DRU001
> > > >  Caller User Name: DRU001$
> > > >  Caller Domain: DOMAIN
> > > >  Caller Logon ID: (0x0,0x3E7)
> > > >  Caller Process ID: 6240
> > > >  Transited Services: -
> > > >  Source Network Address: 61.63.91.172
> > > >  Source Port: 1706
> > > >
> > > > The IP is external and has nothing to do with the client. I can't check what PID 6240 is as it doesn't exist any more. 0x18 means invalid pre-authentication, usually meaning bad password. Right, so someone's trying. My question is why the first two logs look like they were coming from the server itself. Could it be already compromised or is it something else?
> > > >
> > > > yaro
> > >
> > > Nslookup says it's a Taiwan name.
> > >
> > > Name: 61-63-91-host172.kbtelecom.net.tw
> > > Address: 61.63.91.172
> > >
> > > You can also use http://www.ip2location.com to find IP locations.
> > >
> > > My suggestion is to simply block the IP, or if you don't do any business with Taiwan, deny the whole Taiwan IP block.
> > >
> > > Ace
> >
> > It wouldn't be easy doing it in IIS, unless there is some config file I don't know of. I'm still not sure why it looks local in the first two logs.
> >
> > Thanks
> > yaro
>
> I don't remember if you have SBS 2003 or 2008. If 2003, go into ESM, Protocols, SMTP, Default Virtual Server properties, second tab, Access, and block the IP in there. In SBS 2008, it's in the Server, Transport, Receive Connector.
>
> Ace

It's 2003 in this case :) and yes, that's where you block an IP address, but I was rather hoping to find a way to block a whole block of IP addresses rather than just a couple of them. Yesterday it was that one; probably tomorrow it will be another one. Is there a way to block, like, a whole country? If, say, I wanted to block China and Russia it wouldn't even be one block of addresses but quite a lot of them.

Thanks
yaro
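Turning a pile of offending addresses into a manageable denylist is a small aggregation problem that can be worked out offline before anything is typed into a firewall or the connection-control dialog discussed above. The Python below is an added example, not code from the thread, from SBS or from any product. It takes offending addresses (constructed, with the thread's 61.63.91.172 among made-up neighbours) and an allowlist of addresses that must stay reachable (constructed), widens each offender to its /24, merges overlapping networks with `ipaddress.collapse_addresses`, and falls back to a single-host entry wherever a wider block would also catch an allowed address. Country-level ranges from a registry or a geolocation feed such as the ip2location site mentioned above would be fed in the same way, as one list of networks.

```python
import ipaddress

# Constructed values: addresses seen attacking (the thread's 61.63.91.172 plus
# made-up neighbours) and addresses that must never be caught by a block.
OFFENDERS = ["61.63.91.172", "61.63.91.200", "61.63.92.10", "203.0.113.7"]
ALLOWED = ["203.0.113.50", "198.51.100.9"]


def propose_blocks(offenders, allowed, prefix=24):
    """Widen each offender to its /prefix, merge overlaps, and keep a single-host
    entry instead wherever the wider block would also cover an allowed address."""
    allowed_ips = [ipaddress.ip_address(a) for a in allowed]
    candidates = []
    for addr in offenders:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if any(ip in net for ip in allowed_ips):
            net = ipaddress.ip_network(addr)  # collision: deny only this host
        candidates.append(net)
    # collapse_addresses de-duplicates and merges adjacent/nested networks,
    # returning them in sorted order.
    return [str(n) for n in ipaddress.collapse_addresses(candidates)]


def is_denied(addr, blocks):
    """The membership test an enforcement point performs per connection."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks)


def check_allowlist(blocks, allowed):
    """Deployment sanity check: returns any allowed address the list would deny."""
    return [a for a in allowed if is_denied(a, blocks)]


if __name__ == "__main__":
    blocks = propose_blocks(OFFENDERS, ALLOWED)
    print("deny:", blocks)
    print("allowlist collisions:", check_allowlist(blocks, ALLOWED))
```

With the constructed input the two 61.63.91.x offenders fold into one /24, 61.63.92.10 gets its own /24, and 203.0.113.7 stays a single host because 203.0.113.50 is on the allowlist; `check_allowlist` returning an empty list is the condition to require before pushing the list to the enforcement point.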