MCB Systems » aes http://www.mcbsys.com/techblog Custom Software and I.T. Services Sat, 04 Feb 2012 17:53:10 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Windows 7 Causes 675 0×19 Security Errors in Windows 2003 Domain http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/ http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/#comments Tue, 29 Dec 2009 17:53:53 +0000 Mark Berry /mark/post/Windows-7-Causes-675-0x19-Security-Errors-in-Windows-2003-Domain.aspx I had this issue with Vista and now it has returned with Windows 7. I got some good advice in the Microsoft Partner Newsgroup and wanted to pass it along.

After adding a Windows 7 machine to a Windows Server 2003 R2 domain, I started getting lots of 675 errors in the server’s Security Event Log.

The errors occur on both the computer account, when the machine starts:

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    675
User:        NT AUTHORITY\SYSTEM
Description:
Pre-authentication failed:
     User Name:    DESKTOP01$
     User ID:        DOMAIN01\DESKTOP01$
     Service Name:    krbtgt/domain01.local
     Pre-Authentication Type:    0×0
     Failure Code:    0×19
     Client Address:    192.168.1.4

and on the user account, when a user logs on:

Pre-authentication failed:
     User Name:    User01
     User ID:        DOMAIN01\User01
     Service Name:    krbtgt/DOMAIN01
     Pre-Authentication Type:    0×0
     Failure Code:    0×19
     Client Address:    192.168.1.4

New Encryption in Vista and Windows 7

Microsoft’s Sherry Jia provided the following information:

Actually, the event id is caused by the AES (Advanced Encryption Standard), a Kerberos enhancement introduced in Windows Vista and Windows server 2008 which is not understood by Windows 2003 Domain Controllers (DC). The Windows server 2003 use the 3DES as encryption standard.

The clients will not experience any authentication failure since the Vista client will fall back to 3DES encryption standard for authentication.

In a subsequent post, Sherry corrected this info to clarify that by default, Windows Server 2003 uses RC4-HMAC encryption, not 3DES, by default:

Windows system mainly supports following encryption types:

DES-CBC-CRC 0×1
DES-CBC-MD5 0×3
RC4-HMAC 0×17
AES (0×12) is supported in windows 2008

The default pre-authentication encryption type for win2000, win2003, winxp, vista is RC4-HMAC. Please refer to the below article.

Kerberos Authentication Tools and Settings
http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx

(For the full story on RC4-HMAC, see The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows.)

Change the Default Encryption in the Registry

The workaround is to create a new registry value on the Window 7 machine that tells Windows 7 to use RC4-HMAC encryption for authentication from the start. This prevents the errors caused by the initial attempt using AES:

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name = DefaultEncryptionType
Type = Reg_DWORD
Value Data = 0×17(23)

Once that is done, you should no longer see the 675 0×19 errors on the server from the Windows 7 machine.

]]> http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/feed/ 0