Event ID 677

By Adrian Grigorof, based on findings of Peter J. Persing and others

The Security Event ID 677 (Failure Audit) is generated by the Kerberos Service Ticket Service when a service ticket request fails. Kerberos is the authentication protocol used by Windows 2000 Active Directory and is intended to replace the old Windows NT security architecture. Typically there are two types of 677 events: those with Failure Code 7 and those with Failure Code 32 (see the table below for a fuller list of possible failure codes). Let's analyze the two most common codes, 7 and 32.

Failure code 7

Any Kerberos-compliant software first tries to use Kerberos to obtain access to servers or applications, and if that fails it usually falls back to NT-compliant access (NT authentication). So, typically, a Kerberos-compliant application that wants to access, say, SERVER1 queries the Kerberos Key Distribution Center (KDC) for the Service Principal Name (SPN) of SERVER1. Kerberos-compliant applications register their SPNs with the KDC, but applications like MS SQL 7.0 do not. As a consequence, the KDC is unable to resolve the SPN for the MS SQL 7.0 server and a 677 event with Failure Code 7 is generated.


Service Ticket Request Failed:
    User Name: sql_service
    User Domain: CORPORATE.NET
    Service Name: MSSQLSvc/SERVER1.CORPORATE.NET:1433
    Ticket Options: 0x40810010
    Failure Code: 7
    Client Address:

This event may be generated by various services that try to authenticate with a Kerberos service ticket. Among the services reporting such errors are IIS, SQL, DNS, Exchange 5.5 and others. When a COMPUTERNAME$ is listed instead of a user name, it is the System account of that computer that failed to obtain a Kerberos service ticket. The Microsoft Knowledge Base has an article documenting event 677 when the ADC (Active Directory Connector) tries to connect to an Exchange 5.5 server; see Q281431 - XADM: Logon Failure Event ID 677 with Exchange Server 5.5 and Active Directory Connector.

A mixed environment (Windows 2000 together with Windows NT / 98 machines, Active Directory running in mixed mode) may also produce such events, because NT and Windows 9x machines are not Kerberos-aware and fail when they try to connect to a Windows 2000 machine.

Another source of 677 events is improper DNS configuration. Typically they occur when the NetBIOS name of the server differs from its DNS host name. For example, we see these events on domain controllers with the event's source machine being LOCALHOST, which is probably not recognized as a valid SPN. We suspect this is the case when these events occur in a "native" Windows 2000 Active Directory environment (supposedly 100% Kerberos-compatible).

Disabling NetBIOS over TCP/IP on the Windows 2000 domain controller performing the PDC role may eliminate some of these events, and doing so should not affect Windows 2000 AD environments running in "native" mode.

Failure code 32

The problem in this case is Kerberos ticket expiration. It appears that Windows 2000 keeps renewing tickets until renewal fails because the ticket has expired, and then obtains a new one. If this is correct, the 677 events with Failure Code 32 are "normal" events that cannot be prevented short of disabling auditing of Failure Audits.
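As an added illustration, not part of the original article, here is a small Python triage script that parses 677 event text of the form shown above and applies the reasoning from the Failure code 7 and Failure code 32 sections. The field labels are the event's own; the sample events, their client addresses and the severity labels are constructed for this example.

```python
import re
from collections import Counter

# Decimal RFC 1510 codes seen in the Failure Code field (subset of the table below).
RFC1510_CODES = {6: "Client not found in Kerberos database",
                 7: "Server not found in Kerberos database",
                 32: "Ticket expired", 37: "Clock skew too great"}

# Field labels in the order they appear in the 677 event description.
FIELDS = ["User Name", "User Domain", "Service Name",
          "Ticket Options", "Failure Code", "Client Address"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)

def parse_677(text):
    """Split a 677 event body (even when flattened to one line) into its fields."""
    ev = {m.group(1): m.group(2).strip() for m in
          re.finditer(rf"({_LABELS}):\s*(.*?)(?=\s*(?:{_LABELS}):|\s*$)", text, re.S)}
    ev["Failure Code"] = int(ev.get("Failure Code") or 0)   # empty field -> 0
    return ev

def triage(ev):
    """Apply the article's reasoning to one parsed event; returns (severity, note)."""
    code, who, spn = ev["Failure Code"], ev["User Name"], ev["Service Name"]
    actor = ("System account " if who.endswith("$") else "account ") + who
    if code == 7 and spn.upper().startswith("MSSQLSVC/"):
        return "info", f"{actor}: SQL Server 7.0 registers no SPN, NT auth fallback"
    if code == 7 and "LOCALHOST" in spn.upper():
        return "low", f"{actor}: SPN {spn} uses LOCALHOST, check NetBIOS vs DNS name"
    if code == 7:
        return "low", f"{actor}: SPN {spn} is not registered with the KDC"
    if code == 32:
        return "info", f"{actor}: renewed ticket expired, a fresh one is requested"
    return "review", f"{actor}: code {code}, {RFC1510_CODES.get(code, 'see RFC 1510')}"

def summarize(bodies):
    """Count events per (failure code, service class) to find the noisy sources."""
    return Counter((ev["Failure Code"], ev["Service Name"].split("/")[0])
                   for ev in map(parse_677, bodies))

# Constructed samples: the article's event (empty Client Address kept) plus two more.
SAMPLES = [
    "Service Ticket Request Failed: User Name: sql_service User Domain: CORPORATE.NET "
    "Service Name: MSSQLSvc/SERVER1.CORPORATE.NET:1433 Ticket Options: 0x40810010 "
    "Failure Code: 7 Client Address:",
    "Service Ticket Request Failed: User Name: WS17$ User Domain: CORPORATE.NET "
    "Service Name: host/LOCALHOST Ticket Options: 0x40810010 Failure Code: 7 Client Address: 10.0.0.17",
    "Service Ticket Request Failed: User Name: jdoe User Domain: CORPORATE.NET Service Name: "
    "krbtgt/CORPORATE.NET Ticket Options: 0x40810010 Failure Code: 32 Client Address: 10.0.0.40",
]
```

Run `triage(parse_677(body))` over each collected event body and `summarize()` over the whole batch; the (code, service class) counts show quickly whether the noise is SQL SPNs, LOCALHOST name mismatches or routine ticket expiry.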

* * *

The failure codes reported by these events come directly from Kerberos RFC 1510; the decimal values in the table below are the RFC's error codes. They help identify what caused the error.

Code  Description
   0  No error
   1  Client's entry in database has expired
   2  Server's entry in database has expired
   3  Requested protocol version number not supported
   4  Client's key encrypted in old master key
   5  Server's key encrypted in old master key
   6  Client not found in Kerberos database
   7  Server not found in Kerberos database
   8  Multiple principal entries in database
   9  The client or server has a null key
  10  Ticket not eligible for postdating
  11  Requested start time is later than end time
  12  KDC policy rejects request
  13  KDC cannot accommodate requested option
  14  KDC has no support for encryption type
  15  KDC has no support for checksum type
  16  KDC has no support for padata type
  17  KDC has no support for transited type
  18  Client's credentials have been revoked
  19  Credentials for server have been revoked
  20  TGT has been revoked
  21  Client not yet valid - try again later
  22  Server not yet valid - try again later
  23  Password has expired - change password to reset
  24  Pre-authentication information was invalid
  25  Additional pre-authentication required
  31  Integrity check on decrypted field failed
  32  Ticket expired
  33  Ticket not yet valid
  34  Request is a replay
  35  The ticket isn't for us
  36  Ticket and authenticator don't match
  37  Clock skew too great
  38  Incorrect net address
  39  Protocol version mismatch
  40  Invalid msg type
  41  Message stream modified
  42  Message out of order
  44  Specified version of key is not available
  45  Service key not available
  46  Mutual authentication failed
  47  Incorrect message direction
  48  Alternative authentication method required
  49  Incorrect sequence number in message
  50  Inappropriate type of checksum in message
  60  Generic error (description in e-text)
  61  Field is too long for this implementation

Additional information, links, postings:

RFC 1510 - The Kerberos Network Authentication Service (V5)

MSDN - Kerberos in Win2K

Technet - Kerberos Explained

A posting from Microsoft (May 17, 2001) :

"The following event ID can occur under two situations if your Windows 2000 Dynamic Domain Name Server (DDNS) server is configured to accept only secure updates and a non-secure update is received:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
The two situations which cause this behavior are:

1. A DDNS client attempts an update to the zone without negotiating a secure connection.
2. Another DDNS server attempts a zone transfer without negotiating a secure connection.

When a Windows 2000 DNS server is configured for Active Directory Integration there are three options for Allowing Dynamic Updates:

1. Yes
2. No
3. Only secure updates

By setting a zone to only allow secure updates, you cannot receive them from any non-secure client.


To resolve this issue:

1. Start the DNS snap-in.
2. Double-click the "Forward Lookup Zones" and the "Reverse Lookup Zones" if they are configured.
3. Right-click the zone you would like to configure and choose Properties.
4. Choose the General tab.
5. In the Allow dynamic update drop-down list select Yes.
6. Choose OK.

This behavior is by design.


The DNS server for Windows 2000 will send and accept dynamic updates if it is configured to do so. It can also send and accept secure updates. Secure updates are currently only supported between Windows 2000 clients and Windows 2000 servers.

Additionally, if while running DCPROMO you allowed the wizard to set up the DNS zones for the Active Directory, they default to "Only Secure Updates". These will need to be changed before exchanging dynamic updates with supported third party DDNS servers.

This behavior is due to the type of authentication used by Windows 2000 to allow secure updates. There are several different IETF drafts available for this authentication but a standard has not yet been defined. As a result, there are currently no third party DDNS servers which support the same method of authentication for secure updates."

* * *

Disclaimer: The information in this article simply reflects my interpretation of the 677 events and it may not be entirely accurate. It is not endorsed by Microsoft or any Microsoft affiliates.
