Pre-authentication Failed Message in Event Log

You may come across an entry in your event log’s on your domain controllers that reads something like this:

2009-05-11 11:23:13 Local0 Critical

Pre-authentication failed:

User Name: TNLT1$

User ID: %{S-1-5-21-343818398-813497703-839522115-3620}

Service Name: krbtgt/

Pre-Authentication Type: 0x0

Failure Code: 0x19

Client Address: 10.X.X.X


This appears to be common to all newer Windows operating systems that are Vista and above (including Windows 2008 Server). This from what i understand, is related to UAC and the need to do some kind of “pre authentication”. Never the less, there is a fix for this.

You will need to install the ADSI Editor on your domain controller. Once you have that installed, open up MMC (start -> run -> mmc) and add in the snap-in called “ADSI Edit”

Once you have it added to your MMC, right click on ADSI Edit, and click “Connect” and click “OK” to connect to your domain. You will then need to drill down into DC=<DOMAIN,DC=com, CN=Computers.

Here you’ll find a list of all the workstations, and servers joined to your domain. Look for the machine giving you the event log message, and right click, go to properties.

Within the attributes section, look for “userAccountControl”, and check the value. If the value is below 4194304, then simply add 4194304 to the value. For example, if the value is listed as 4096, then make it 4198400.

That’s it.

Leave a Reply

Your email address will not be published. Required fields are marked *