Event ID 680 Source Security
| Event ID | 680 |
| Source | Security |
| Type | Failure Audit |
| Description | Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: <account> Source Workstation: <workstation> Error Code: <error code>. |
| English, please! | This information is only available to subscribers. An example of English, please! |
| Concepts to understand | What is an authentication protocol? |
| Comments |
Mihai Andrei
(Last update 7/7/2008): - Error code: 0xC0000064 - See M947861 for a hotfix applicable to Microsoft Windows Server 2003. See "Dorian Support Article ID: DSC20281" for an article containing information about this event. See M919336 and M936182 for different situations in which this event occurs. Mike Leach (Last update 7/26/2007): Error code: 0xC0000064 - This error code can occur if a server is configured to Require NTLMv2 Session Security and the client either is configured to not use it or is unable to negotiate it (e.g., Altiris DOS network boot stuff). Idan (Last update 6/10/2007): This event could occur if you try to use certificate authentication with IIS and IIS fails to validate the certificate and falls back on other authentication mechanisms. The most common fallback mechanism is Integrated authentication and therefore this event is generated as the client is normally a web client and not part of the domain. Things to check with client Certificate authentication is that the server trusts the root certificate and that the server can access the Certificate revocation list published by the root certificate. Once the server will be able to authenticate the certificate, it will not attempt to use any other authentication mechanisms. Anonymous (Last update 8/17/2006): IIS 6 intranet web site with Integrated Windows Authentication was causing more than a thousand instances of this event per day, even though the site worked. There were no 403 errors in the log files for the site that could be associated with the Security 680 event. Clients were using Kerberos, which failed and caused the 680 event, then failed over to NTLM with success. I checked the IIS metabase NtAuthenticationProviders and found it was incorrectly set to "NTLM", instead of "Negotiate, NTLM", which corrected the problem. See the link to “Integrated Windows Authentication“ for more information. Larry Adams (Last update 8/13/2006): During setup for a Windows 2003 Enterprise server I used TweakUI to auto-logon the Administrator account with its password. I then changed the account name to something different. I changed the auto-logon name and password in TweakUI but did not reboot immediately. This message occurred prior to rebooting but there were no problems after the next reboot. According to M326985, 0xC0000064 means "The specified user does not exist". Apparently, some process I initiated prior to rebooting tried to use the old Administrator name and password and was denied. Why bother deciphering Event logs when GFI EventsManager can do everything for you? Free trial here! Justin S. (Last update 5/3/2005): - Error code: 0xC0000064 - I discovered one of our workstations had somehow managed to add a stored password (under Control Panel -> Users -> Advanced -> Manage Passwords) with the form username@domain.com. This created thousands of failure events as the user browsed our intranet. Removing the offending entries stopped the events. Ionut Marin (Last update 1/7/2005): As per MSW2KDB, a set of credentials was passed to the authentication system on this computer either by a local process or by a remote process or user. Success or failure is displayed in the message. If this event indicates success, then the credentials presented were valid. The error code is 0x0 for success messages. For failure messages, the user field in the message header displays NT AUTHORITY\SYSTEM, and an NTStatus code is displayed. Sterling Bjorndahl (Last update 10/7/2003): If this error includes Error code 0xC000006E on the WinXP side and if the Win98 side gives a popup with "Error 31" then the problem may be that the user has a blank password and the XP machine’s local security policy has disabled blank password access across the network. Go to Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options. Find "Accounts: Limit local account use of blank passwords to console login only" and disable it. Adrian Florin Moisei (Last update 4/18/2003): - Error code: 0xC000006A (Error code 0xC000006A) - According to Microsoft Windows XP attempts a limited logon for each account that is displayed on the Welcome screen to determine whether to prompt the user for a password. An attempted logon is logged for each account displayed. To resolve this problem, obtain the latest service pack for Windows XP. To prevent these events from being logged, disable the Welcome screen and use the classic logon screen or turn off auditing of logon events. See M305822 for additional information about this issue. From a newsgroup: "It is possible that auto-login was enabled and then the password was changed, resulting in XP going to a login prompt to get a valid username/password." |
| Links | M305822, M326985, M919336, M936182, M947861, Error code 0xC000006A, Dorian Support Article ID: DSC20281, Integrated Windows Authentication, MSW2KDB |
| Search | Google Web - Microsoft Support - Bing - EventID.Net Queue - More links... |
| Custom search | The custom search information is available to subscribers only. |
| Feedback | Send comments - Notify me when updated |
| Print version |