I am having trouble figuring out what is causing massive audit failures on a Server 2008 system.
The event ID is 4771.
Account Name: Administrator
Service Name: krbtgt/DOMAIN.NAME
Client Address: ::1
Client Port: 0
Pre-Authentication Type: 2
The log happens in about 5 minute intervals and at least 30 failure events are recorded.
It seems to be coming from the local machine and is a Kerberos authentication issue, but I am not sure how to track down / correct the problem.
Services on the machine:
DNS
Active Directory
DHCP
WSUS
VIPRE enterprise
I have checked all scheduled tasks on the system and everything seems fine. I checked the password on VIPRE and WSUS for invalid passwords. Not sure what is going on.
Thanks.
ADDITION: This event log appears on both my primary and secondary DC...
TargetUserName Administrator
TargetSid S-1-5-21-2134851818-3285922005-2538191131-500
ServiceName krbtgt/JEWELS.LOCAL
TicketOptions 0x40810010
Status 0x18
PreAuthType 2
IpAddress ::1
IpPort 0
CertIssuerName
CertSerialNumber
CertThumbprint
Process is LSASS.EXE.
Finally figured this out. For anyone who has a similar issue, here was my solution:
The server was also a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.
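
A way to triage this pattern, as an added example that is not part of the original post: it pulls event 4771 from the Security log, groups the failures by account, client address and status code, and then shows which account the DHCP service has stored for DNS dynamic updates. The 24-hour window, the variable names and running it elevated on the domain controller are assumptions.

```powershell
# Added example: triage Kerberos pre-authentication failures (event 4771).
# Assumptions: run elevated on the domain controller; 24-hour look-back.
$since = (Get-Date).AddHours(-24)

# Failure codes from the Kerberos error table; 0x18 is the one in the post.
$statusText = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password has expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew too great'
}

$filter = @{ LogName = 'Security'; Id = 4771; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event's XML form.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        Client  = $data['IpAddress']
        Status  = $data['Status']
    }
}

# One line per account / client address / status, busiest first.
$rows | Group-Object Account, Client, Status | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        New-Object PSObject -Property @{
            Count     = $_.Count
            Account   = $first.Account
            Client    = $first.Client
            Local     = @('::1', '127.0.0.1') -contains $first.Client
            Meaning   = $statusText["$($first.Status)"]
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Format-Table Count, Account, Client, Local, Meaning, FirstSeen, LastSeen -AutoSize

# On a DHCP server, show which account is stored for DNS dynamic updates.
netsh dhcp server show dnscredentials
```

A row with Local set to True and the 0x18 meaning matches the events in the post: a service on the DC itself is presenting a stale password, so the stored credentials of local roles such as DHCP are the place to look.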