Windows 7 Causes 675 0x19 Security Errors in Windows 2003 Domain

I had this issue with Vista and now it has returned with Windows 7. I got some good advice in the Microsoft Partner Newsgroup and wanted to pass it along.

After adding a Windows 7 machine to a Windows Server 2003 R2 domain, I started getting lots of 675 errors in the server’s Security Event Log.

The errors occur on both the computer account, when the machine starts:

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    675
User:        NT AUTHORITY\SYSTEM
Description:
Pre-authentication failed:
     User Name:    DESKTOP01$
     User ID:        DOMAIN01\DESKTOP01$
     Service Name:    krbtgt/domain01.local
     Pre-Authentication Type:    0x0
     Failure Code:    0x19
     Client Address:    192.168.1.4

and on the user account, when a user logs on:

Pre-authentication failed:
     User Name:    User01
     User ID:        DOMAIN01\User01
     Service Name:    krbtgt/DOMAIN01
     Pre-Authentication Type:    0x0
     Failure Code:    0x19
     Client Address:    192.168.1.4

New Encryption in Vista and Windows 7

Microsoft’s Sherry Jia provided the following information:

Actually, the event ID is caused by AES (Advanced Encryption Standard), a Kerberos enhancement introduced in Windows Vista and Windows Server 2008 which is not understood by Windows 2003 Domain Controllers (DC). Windows Server 2003 uses 3DES as its encryption standard.

The clients will not experience any authentication failure since the Vista client will fall back to the 3DES encryption standard for authentication.

In a subsequent post, Sherry corrected this to clarify that Windows Server 2003 uses RC4-HMAC encryption by default, not 3DES:

Windows systems mainly support the following encryption types:

DES-CBC-CRC 0x1
DES-CBC-MD5 0x3
RC4-HMAC 0x17
AES (0x12) is supported in Windows 2008

The default pre-authentication encryption type for win2000, win2003, winxp, vista is RC4-HMAC. Please refer to the below article.

Kerberos Authentication Tools and Settings
http://technet.microsoft.com/en-us/library/cc738673(WS.10).aspx

(For the full story on RC4-HMAC, see The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows.)

Change the Default Encryption in the Registry

The workaround is to create a new registry value on the Windows 7 machine that tells Windows 7 to use RC4-HMAC encryption for authentication from the start. This prevents the errors caused by the initial attempt using AES:

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name = DefaultEncryptionType
Type = REG_DWORD
Value Data = 0x17 (23)

Once that is done, you should no longer see the 675 0x19 errors on the server from the Windows 7 machine.
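
To confirm the result, the 675 records exported from the server's Security log can be tallied per client address. The script below is an added example, not part of the original post or any Microsoft tool; it assumes the log was exported as text in the layout shown above, runs on a constructed sample (the second record is invented), and goes slightly beyond the post by naming a few other Kerberos failure codes from RFC 4120 so that failures other than 0x19 stand out.

```python
from collections import Counter

FAILURE_CODES = {  # Kerberos error codes (RFC 4120) reported as "Failure Code"
    0x12: "KDC_ERR_CLIENT_REVOKED",    # account disabled, expired or locked out
    0x18: "KDC_ERR_PREAUTH_FAILED",    # usually a wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # the code discussed in this post
}
WANTED = ("User Name", "Service Name", "Failure Code", "Client Address")

def parse_events(text):
    """Return one dict per 'Pre-authentication failed' record in exported log text."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = (part.strip() for part in line.partition(":"))
            if sep and key in WANTED and key not in fields:
                fields[key] = value
        if "Failure Code" in fields:
            fields["Failure Code"] = int(fields["Failure Code"], 16)
            events.append(fields)
    return events

def triage(events):
    """Count 0x19 events per client; list every other failure for review."""
    noise = Counter(e.get("Client Address") for e in events if e["Failure Code"] == 0x19)
    review = [(e.get("User Name"), e.get("Client Address"),
               FAILURE_CODES.get(e["Failure Code"], hex(e["Failure Code"])))
              for e in events if e["Failure Code"] != 0x19]
    return noise, review

# Constructed sample: the first record mirrors the post, the second is invented.
SAMPLE = r"""
Pre-authentication failed:
     User Name:    DESKTOP01$
     User ID:        DOMAIN01\DESKTOP01$
     Service Name:    krbtgt/domain01.local
     Pre-Authentication Type:    0x0
     Failure Code:    0x19
     Client Address:    192.168.1.4
Pre-authentication failed:
     User Name:    User02
     Service Name:    krbtgt/DOMAIN01
     Failure Code:    0x18
     Client Address:    192.168.1.7
"""

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```

After the registry change, the 0x19 count for the Windows 7 machine's address should stop growing, while anything in the review list is a separate failure that still deserves a look.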
