CalvinC-6453 asked DaisyZhou-MSFT answered

old user accounts tried to authenticate on new Exchange 2013

Just upgraded the Exchange 2010 to 2013 and everything seems to be functional as expected. However, we started to get some failed logon events on the new Exchange 2013 with the error, "Client not found in Kerberos database: wrong username, or new computer/user account has not replicated to DC yet." Those accounts are more than 15 years old and of course no longer in our AD. I could not locate them in ADSI either. I don't think there are any devices out there with their credentials trying to connect.

Any suggestion is appreciated!

Thanks
Calvin

windows-server

Were any new DCs introduced? Smells like replication errors


Andy,

No new DCs have been set up in the past year, and we did not have this issue until Exchange 2013 was added recently.


@CalvinC-6453

Based on the error message, this issue is more related to the AD side. I have changed the tag to "Windows Server". Windows Server engineers will continue to work on this case later.


Ok Thanks Kyle


Hello @CalvinC-6453,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

AndyDavid answered

Well, I guess an extension of that is perhaps this has been going on a while but the 2013 server is just surfacing the issue.
Might be worth checking:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/information-lingering-objects#method-2-monitor-replication-by-using-a-command-line-command

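An added example (the editor's, not code from any participant in the thread) of the replication check the linked article describes, followed by an advisory-mode lingering-object scan, which is what the "lingering objects" hypothesis actually needs to confirm or rule out. It assumes a Domain Admin session on a DC or an RSAT host with the ActiveDirectory module; DC-01 is taken from the thread as the DC to treat as the reference copy, and everything else is read from the directory.

```powershell
# Added example, not from the thread: replication health plus an advisory-mode
# lingering-object scan. Assumes a Domain Admin session on a DC or RSAT host;
# 'DC-01' is the thread's DC, used here as the reference (trusted) replica.
Import-Module ActiveDirectory

# 1. Forest-wide inbound replication summary; any partner with fails > 0 is suspect.
repadmin /replsummary

# 2. The same data per replication partner as CSV, so it can be filtered.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { $_.'Number of Failures' -ne '0' } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# 3. Advisory-mode lingering-object check: compares every other DC's copy of the
#    domain partition against the reference DC's copy and deletes nothing.
$domainDN  = (Get-ADDomain).DistinguishedName
$reference = Get-ADDomainController -Identity 'DC-01'
# repadmin wants the reference DC's DSA (NTDS Settings) object GUID, not its invocationId.
$refDsaGuid = (Get-ADObject -Identity $reference.NTDSSettingsObjectDN).ObjectGUID

foreach ($dc in Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $reference.Name }) {
    repadmin /removelingeringobjects $dc.HostName $refDsaGuid $domainDN /advisory_mode | Out-Null
    # Advisory mode writes its findings to the target DC's Directory Service log:
    # 1942 = summary with the count, 1946 = one event per lingering object found.
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1942, 1946; StartTime = (Get-Date).AddMinutes(-10)
    } | Select-Object TimeCreated, Id, MachineName, Message
}
```

The scan covers only the domain partition; repeat step 3 with the configuration and application partition DNs if replication failures point there. A lingering object can only be found if some DC still holds a copy of it, so a hit here would mean one of the DCs never received the deletion of the account in question; no hits means the name is not coming from the directory at all.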

DaisyZhou-MSFT answered

Hello @CalvinC-6453,

Thank you for posting here.

Would you please tell us which event ID carries the error message "Client not found in Kerberos database: wrong username, or new computer/user account has not replicated to DC yet."? Is it event ID 4625?

If not, please configure the audit group policy via local group policy on this Exchange server.

Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Logon Events – Failure

Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

Logon/Logoff:
Audit Account Lockout – Failure
Audit Logon – Failure


Note:
If you have never configured any advanced audit policy before, configure the legacy audit policy.
If you have configured any advanced audit policy before, configure the advanced audit policy.


We can run the following commands to force a policy refresh and check whether the related audit policy settings are enabled:

gpupdate /force
auditpol /get /category:*


After that, when the issue reoccurs, please check the Event ID 4625 in Security log on this Exchange server.

Check if you can find what account and from which machine (source machine) accessed this Exchange server.

Then you can try to look for the account from the source machine.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


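An added example (the editor's, not from the answer above) that carries the procedure in that answer through in one run: enable the two failure subcategories, confirm with auditpol that they took effect, then pull the 4625 events with the account, workstation and source IP the answer says to look for. It assumes an elevated session on the Exchange server; the one-day lookback is an assumption.

```powershell
# Added example, not from the thread: enable failure auditing, verify it, then
# list failed logons (4625) with who/where. Assumes an elevated session on the
# Exchange server; the lookback window is an assumption.

# Advanced audit policy subcategories (these override the legacy "Audit logon events").
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
gpupdate /force | Out-Null

# Verify: both lines must read "Failure" (or "Success and Failure").
auditpol /get /category:"Logon/Logoff" | Select-String '^\s+(Logon|Account Lockout)\s'

function Get-FailedLogon {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields are only reachable through the XML view.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                Status      = $d.Status
                SubStatus   = $d.SubStatus       # 0xC0000064 = no such account, 0xC000006A = bad password
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
                Process     = $d.ProcessName
            }
        }
}

# Who is failing, from where, and why, most often.
Get-FailedLogon |
    Group-Object Account, SourceIP, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Two caveats a practitioner will want: if a domain GPO already defines audit policy, a local auditpol change is overwritten at the next refresh, so make the change in that GPO instead; and a failure that happens at the KDC (as it turned out later in this thread, with 4768 on the domain controller) never produces a 4625 on the member server, so an empty result here does not mean nothing is failing.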

CalvinC-6453 answered CalvinC-6453 commented

Hi Daisy,

Thanks for the reply. The event ID is 4768 and please see the details below. The IP 192.168.100.113 is our recently added Exchange 2013. DC-01 is our domain controller.


Message: A Kerberos authentication ticket (TGT) was requested.
  Account Information:
    Account Name: yinfo@ourdomain.com
    Supplied Realm Name: ourdomain.local
    User ID: S-1-0-0
  Service Information:
    Service Name: krbtgt/ourdomain.local
    Service ID: S-1-0-0
  Network Information:
    Client Address: ::ffff:192.168.100.113
    Client Port: 11694
  Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -
  Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
  Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Time: 2021-06-09 02:00:13
Device: DC-01
Event ID: 4768
Severity: failure
Type: Security
Source: Microsoft-Windows-Security-Auditing
Username: yinfo
Task Category: Kerberos Authentication Service
Common Report Name: Successful User Account Validation
LogType: Windows
User Principal Name: -
Logon Type: -
Workstation Name: -
Logon Hours: -
DisplayName: DC-01

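An added example (the editor's, not from the thread) of triaging the event above at its source: pull every failed 4768 from every domain controller, decode the Kerberos result code (0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN, the "client not found in Kerberos database" text in the question), and group by account and client address. The pattern it isolates at the end is the one this post shows: a name in UPN form whose suffix (ourdomain.com) differs from the supplied realm (ourdomain.local), arriving from the Exchange server's address. The seven-day lookback is an assumption.

```powershell
# Added example, not from the thread: failed TGT requests (4768) across all DCs,
# with the result code decoded and grouped by account / client IP.
# Assumes a Domain Admin session with the ActiveDirectory module; 7-day lookback is assumed.
Import-Module ActiveDirectory

# Result codes from RFC 4120 / MS-KILE that show up in practice.
$KdcErr = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal not found)'
    '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP (no common encryption type)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired, locked out or outside logon hours)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

function Get-FailedTgtRequest {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($dc in Get-ADDomainController -Filter *) {
        $filter = @{ LogName = 'Security'; Id = 4768; StartTime = $Since }
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $x = [xml]$_.ToXml(); $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                $code = $d.Status.ToLower()
                if ($code -eq '0x0') { return }          # successful TGT, not interesting here
                $meaning = if ($KdcErr.ContainsKey($code)) { $KdcErr[$code] } else { 'see RFC 4120 section 7.5.9' }
                [pscustomobject]@{
                    DC       = $dc.Name
                    Time     = $_.TimeCreated
                    Account  = $d.TargetUserName        # exactly as the client supplied it
                    Realm    = $d.TargetDomainName      # "Supplied Realm Name"
                    ClientIP = $d.IpAddress -replace '^::ffff:', ''
                    Code     = $code
                    Meaning  = $meaning
                    PreAuth  = $d.PreAuthType           # '-' when the client never got to pre-auth
                }
            }
    }
}

$fails = Get-FailedTgtRequest

# Volume view: which code, for which name, from which address.
$fails | Group-Object Code, Account, ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The thread's pattern: 0x6, a UPN-style name whose suffix is not the realm, from one source.
$fails | Where-Object { $_.Code -eq '0x6' -and $_.Account -like '*@*' -and
                        ($_.Account -split '@')[-1] -ne $_.Realm } |
    Sort-Object Time | Select-Object Time, DC, Account, Realm, ClientIP, PreAuth | Format-Table -AutoSize
```

The client address on a 4768 is whoever sent the AS-REQ, and here that is the Exchange server, which requests the TGT on behalf of a client that authenticated to it by password. So this event identifies the hop, not the origin; the timestamps (the events in this thread land around 02:00) and the exact account string are what carry over to the Exchange-side logs.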

Hello @CalvinC-6453,

Thank you for your update.

Did you see Event ID 4768 on one Domain Controller or new Exchange server?

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



Daisy,

The event ID 4768s are found on one DC only and nothing on the new Exchange server. Thanks.

DaisyZhou-MSFT answered

Hello @CalvinC-6453,

I am so glad to receive your reply.

So I assume your domain name is ourdomain.local, but the account is yinfo@ourdomain.com, right?

If so, please check if the account yinfo@ourdomain.com exists on any DC (if you have multiple DCs, please check every DC) and check if the account yinfo@ourdomain.com exists on the new Exchange server.


Tip: You can check the account yinfo or yinfo@ourdomain.com or ourdomain\yinfo when checking.

If there is indeed such account, you can delete/remove the account (if you do not need the account).


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


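An added example (the editor's, not from the answer above) of the "check every DC" step done thoroughly: it queries each domain controller for the name under every attribute a client or Exchange could have matched on (sAMAccountName, userPrincipalName, mail, proxyAddresses, altSecurityIdentities), includes deleted objects, and then checks whether the UPN suffix in the name is even defined in the forest. The name values are the ones from the thread; nothing else about the environment is assumed.

```powershell
# Added example, not from the thread: search every DC for the account by every
# identifier it could be matched on, live and deleted, then check the UPN suffix.
# 'yinfo' / 'yinfo@ourdomain.com' are the thread's values; the rest is read from AD.
Import-Module ActiveDirectory

function Find-AccountEverywhere {
    param(
        [Parameter(Mandatory)][string]$Name,   # sAMAccountName form, e.g. yinfo
        [Parameter(Mandatory)][string]$Upn     # UPN / SMTP form, e.g. yinfo@ourdomain.com
    )
    # proxyAddresses matters because mail clients frequently send the SMTP address as the user name.
    $ldap  = "(|(sAMAccountName=$Name)(userPrincipalName=$Upn)(mail=$Upn)(proxyAddresses=smtp:$Upn)(altSecurityIdentities=*$Upn*))"
    $props = 'sAMAccountName', 'userPrincipalName', 'mail', 'proxyAddresses', 'isDeleted', 'lastKnownParent', 'whenChanged'

    foreach ($dc in Get-ADDomainController -Filter *) {
        # -IncludeDeletedObjects returns live objects plus tombstoned / recycled ones.
        $hits = Get-ADObject -Server $dc.HostName -LDAPFilter $ldap -IncludeDeletedObjects `
                             -Properties $props -ErrorAction SilentlyContinue
        foreach ($o in $hits) {
            [pscustomobject]@{
                DC      = $dc.Name
                Deleted = [bool]$o.isDeleted
                Class   = $o.ObjectClass
                sAM     = $o.sAMAccountName
                UPN     = $o.userPrincipalName
                Mail    = $o.mail
                DN      = $o.DistinguishedName
                Changed = $o.whenChanged
            }
        }
    }
}

function Test-UpnSuffixKnown {
    param([Parameter(Mandatory)][string]$Upn)
    $suffix = ($Upn -split '@')[-1]
    $forest = Get-ADForest
    # A UPN can only belong to an account if its suffix is a forest domain or a registered UPN suffix.
    $known  = @($forest.Domains) + @($forest.UPNSuffixes)
    [pscustomobject]@{
        Upn           = $Upn
        Suffix        = $suffix
        SuffixIsKnown = ($known -contains $suffix)
        ForestDomains = ($forest.Domains -join ', ')
        UpnSuffixes   = ($forest.UPNSuffixes -join ', ')
    }
}

Find-AccountEverywhere -Name 'yinfo' -Upn 'yinfo@ourdomain.com' | Format-Table -AutoSize
Test-UpnSuffixKnown -Upn 'yinfo@ourdomain.com' | Format-List
```

Two limits to read the output against. Without the AD Recycle Bin, a tombstone keeps sAMAccountName but not userPrincipalName, mail or proxyAddresses, and tombstones are purged after the tombstone lifetime (180 days on current defaults), so an account deleted fifteen years ago cannot show up as deleted; any hit at all means something recreated the object or still holds a copy. And if the suffix check comes back false, the string in the 4768 cannot be the UPN of any account in this forest, which points away from the directory and toward a client that is sending a stored name.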

CalvinC-6453 answered

Hi Daisy,

Still the same issue and I could not locate any account on DC or Exchange 2013. Here is what I got from my SIEM.

Message: A Kerberos authentication ticket (TGT) was requested.
  Account Information:
    Account Name: Yinfo@domain.com
    Supplied Realm Name: domain.local
    User ID: S-1-0-0
  Service Information:
    Service Name: krbtgt/domain.local
    Service ID: S-1-0-0
  Network Information:
    Client Address: ::ffff:192.168.100.113
    Client Port: 20777
  Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type: -
  Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
  Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Time: 2021-06-12 02:48:29
Device: DC-03
Event ID: 4768
Severity: failure
Type: Security
Source: Microsoft-Windows-Security-Auditing
Username: Yinfo
Task Category: Kerberos Authentication Service
Common Report Name: Successful User Account Validation
LogType: Windows
User Principal Name: -
Logon Type: -
Workstation Name: -
Logon Hours: -
DisplayName: DC-03


DaisyZhou-MSFT answered CalvinC-6453 commented

Hello @CalvinC-6453,

I am so glad to receive your reply.

After further discussion with my senior engineer, our suggestion is as below:

We understand the question like this: the Exchange server cannot authenticate the account Yinfo@domain.com, so the Exchange server passed the account (Yinfo@domain.com, Supplied Realm Name: domain.local) to the domain controller to authenticate.

But the User Principal Name (Yinfo@domain.com, Supplied Realm Name: domain.local) is not in the domain, so none of the DCs can authenticate this account either.

You need to look for which machine (maybe one domain user is using this account on his/her client, or this account is bound to one domain user account) passed the account Yinfo@domain.com to the Exchange server, through the Exchange log or some other information on the Exchange server.

At last, if you find out this account on one client, then delete/remove this account on his/her machine.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



Daisy,

Thanks for the reply. The issue is that those accounts are over 15 years old, so I don't think they are still somehow or somewhere trying to authenticate. In addition, we did not have these activities at all until Exchange 2013 was added to our domain last month. Since I cannot locate them in Active Directory or ADSI, is there another way to search for those accounts? Thanks again!

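An added example (the editor's, not from any participant) of the Exchange-side search the answer above asks for. Exchange 2013's front end logs every request in the IIS W3C log with the real client in c-ip and the presented user in cs-username; for ActiveSync the user name is additionally carried in the query string (User=...), which survives even when authentication fails and cs-username is logged as "-". The parser below reads the #Fields header so it works on any IIS field layout; the log directory is the IIS default for the Default Web Site, and the three sample lines are constructed to show the format, not taken from the thread's environment.

```powershell
# Added example, not from the thread: find the real client behind a user name that
# Exchange forwarded to the KDC, from the IIS W3C logs on the Exchange 2013 server.
# $LogDir is the IIS default for the front-end site; the sample lines below are constructed.

$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1'

function Import-IisLog {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file)) {
            # Each log file (and each IIS restart) re-emits a #Fields header; honour the latest one.
            if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            $row = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            [pscustomobject]$row
        }
    }
}

function Find-ClientForUser {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$LogFiles = (Get-ChildItem $LogDir -Filter *.log).FullName
    )
    Import-IisLog -Path $LogFiles |
        Where-Object { $_.'cs-username' -like "*$User*" -or $_.'cs-uri-query' -like "*User=$User*" } |
        Group-Object 'c-ip', 'cs(User-Agent)' | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Hits      = $_.Count
                ClientIP  = $g[0].'c-ip'
                UserAgent = $g[0].'cs(User-Agent)'
                Uri       = ($g.'cs-uri-stem' | Select-Object -Unique) -join ', '
                Status    = ($g.'sc-status' | Select-Object -Unique) -join ', '
                FirstSeen = $g[0].date + ' ' + $g[0].time + ' UTC'   # IIS logs in UTC by default
                LastSeen  = $g[-1].date + ' ' + $g[-1].time + ' UTC'
            }
        }
}

# Constructed sample (not real data): an ActiveSync device retrying a dead account at the
# time the thread's 4768 fired, plus an unrelated OWA request that must not match.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-06-12 02:48:29 192.168.100.113 POST /Microsoft-Server-ActiveSync User=yinfo@ourdomain.com&DeviceId=ABC123&DeviceType=SmartPhone&Cmd=Ping 443 - 192.168.50.21 Apple-iPhone/1001.1 401 2 5 15
2021-06-12 02:48:29 192.168.100.113 POST /Microsoft-Server-ActiveSync User=yinfo@ourdomain.com&DeviceId=ABC123&DeviceType=SmartPhone&Cmd=Ping 443 yinfo@ourdomain.com 192.168.50.21 Apple-iPhone/1001.1 401 1 2148074252 31
2021-06-12 02:48:31 192.168.100.113 GET /owa/ - 443 ourdomain\jdoe 192.168.50.40 Mozilla/5.0 200 0 0 120
'@
$tmp = Join-Path $env:TEMP 'u_ex210612_sample.log'
Set-Content -Path $tmp -Value $sample

# On the sample this returns one row: 2 hits from 192.168.50.21, Apple-iPhone/1001.1,
# /Microsoft-Server-ActiveSync, status 401, both at 02:48:29 UTC.
Find-ClientForUser -User 'yinfo' -LogFiles $tmp | Format-List

# Against the real server, drop -LogFiles to read every log in $LogDir.
```

Match the FirstSeen/LastSeen times against the 4768 timestamps on the DC, remembering that IIS writes UTC while the SIEM shows local time. The same search can be run over Exchange's own protocol logs under the HttpProxy folder of the installation's Logging directory, which are CSV with a #Fields header and carry the client address and user agent per protocol; a mobile device or an old Outlook profile that still has the retired mailbox configured is the usual source of a name like this reappearing only after a new CAS starts accepting its connections.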
DaisyZhou-MSFT answered

Hello @CalvinC-6453,

Thank you for your update.

I mainly focus on the issue or problem about AD, as you mentioned the accounts are not in the AD domain. Maybe they are on Exchange server, you can try the suggestion above (I am not an expert on Exchange).

I’m trying my best to help you, and I hope you can find these accounts as soon as possible, but I am sorry, I can’t think of other ways to find these accounts at the moment.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

