Kerberos Failure Due To Ticket Expiration

We log many 673 events daily on our domain controllers (DCs). Most don't have a username. Here's a typical example:

Host: DELL1600
Log: Security
Type: FailureAudit
Date: 03/29/2006 23:59:59
Source: Security
Category: Account Logon
Event ID: 673
Username: NT AUTHORITY\SYSTEM
Message: Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x2
Ticket Encryption Type: --
Client Address: 192.168.21.205
Failure Code: 0x20
Logon GUID: --

How should we respond to these events?

Failure code 0x20 (37 in decimal) indicates an expired ticket, which is a normal part of Kerberos operation. Kerberos tickets have an initial renewal lifetime and a total lifetime, after which renewals fail and the client must obtain a new ticket. You can ignore Kerberos failures that are due to ticket expiration. In fact, I recommend filtering these events from your central log database if you have an agent-based event log management system. For a list of security log management solutions, go to http://www.ultimatewindowssecurity.com/soft.html.
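The filtering recommended above, sketched as an added example that is not part of the original article or of any log management product. It assumes events arrive as text records in the field layout shown in the question, separated by blank lines; the function names and sample records are hypothetical. It drops only event 673 failure audits whose failure code parses to 0x20, keeps every other failure code, and tallies what it suppressed per client address.

```python
import re
from collections import Counter

# Constructed sample records in the field layout shown above (not real log data).
SAMPLE = """\
Type: FailureAudit
Event ID: 673
Client Address: 192.168.21.205
Failure Code: 0x20

Type: FailureAudit
Event ID: 673
Client Address: 192.168.21.77
Failure Code: 0x7

Type: FailureAudit
Event ID: 673
Client Address: 192.168.21.205
Failure Code: 0X0020
"""

TICKET_EXPIRED = 0x20  # the failure code the article says can be ignored

def parse_records(text):
    """Split blank-line-separated records into dicts of 'Field: value' pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def is_expired_ticket_673(rec):
    """True only for a 673 failure audit whose failure code parses to 0x20."""
    if rec.get("Type") != "FailureAudit" or rec.get("Event ID") != "673":
        return False
    try:
        return int(rec.get("Failure Code", ""), 16) == TICKET_EXPIRED
    except ValueError:
        return False  # missing or unparseable code: keep the event

def filter_events(text):
    """Return (records to keep, suppressed-event count per client address)."""
    kept, suppressed = [], Counter()
    for rec in parse_records(text):
        if is_expired_ticket_673(rec):
            suppressed[rec.get("Client Address", "unknown")] += 1
        else:
            kept.append(rec)
    return kept, suppressed
```

Comparing the parsed integer rather than the raw string means variants such as `0X0020` are still recognized, while a record with a blank or `--` failure code is kept for review.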
