Domain login taking loads of attempts

Vertigo · 30 Jul 2015 at 07:53

Got a really weird problem which seems to strike different users at random times.

When it happens, it takes a huge number of attempts to login to the domain. I just had it myself this morning, took me several minutes and probably 30-40 attempts before I logged in. The password was correct before anyone suggests that - it's just the authentication failed.

Anyone had this or got any ideas?

Vertigo · 30 Jul 2015 at 13:23

It happens to a few users at random, most are unaffected. When it happened to me yesterday I couldn't RDP into any server using my account but other accounts were fine, suggesting it's not the local machine at all but rather the DC.

Fairly basic network with a primary and backup DC (both W2003 and both due for replacement very soon). Had a look in the logs on the DC and there were no failure audits recorded for the numerous attempts this morning.

Vertigo · 30 Jul 2015 at 21:48

Ta for all the suggestions, tbh I'm not sure whether to spend time trying to track it down or just get the DCs replaced pronto.

Vertigo · 31 Jul 2015 at 08:38

Well it happened again this morning. Interestingly, the failure audits were on what I consider to be the "backup" DC rather than the primary, although I appreciate the concept of PDC and BDC went out with NT.

The audit was event id 675, "pre-authentication failed" with an error code of 0x19. Googling seems to suggest this might be an encryption issue with Kerberos. Windows 7 obviously defaults to a more recent encryption system than is supported by the 2003 DC but should fall back. Perhaps it's not doing so for some reason? Found a registry setting for the client which is supposed to force it to use compatible encryption, will see if that works.

Regards the DC & AD, yeah I do need to do some checking to make sure it's all actually healthy before migrating to 2012 R2.

Vertigo · 31 Jul 2015 at 10:36

I've checked both DCs with a full DCDIAG run and no issues reported at all, which is a relief at least! REPADMIN also reports nothing out of whack.

Vertigo · 13 Aug 2015 at 09:35

For the record it was the issue I described above and the registry change seems to have cured it.

The 7 client is attempting to use AES encryption but the 2003DC doesn't support it. For whatever reason, sometimes it fails to fall-back to a supported encryption type and the authentication fails. The registry change fixes the issue.

It does seem to be only one of the DCs and only some machines at some times. It's bizarre. None of my checks have revealed any issues with this DC.

Vertigo · 13 Aug 2015 at 15:41

Nope, just the two 2003 DCs, although the plan is to migrate to 2012 R2 very soon so worth bearing in mind.