This issue occurs when Pre-Authentication for the user is enabled in Active Directory. To allow the user to log on, it needs to be deactivated.
You can disable pre-authentication on a per-user basis.
To disable pre-authentication:
- Access Active Directory Users and Computers.
- Select Do not require Kerberos preauthentication in the Account Properties tab.
For Computer accounts, such as a username that is an ESX hostname, you do not have the Do not require Kerberos preauthentication option in the Account Properties tab. In this case, you must modify the UserAccountControl attribute.
To modify the UserAccountControl attribute:
- In the domain controller, click Start > Run, type adsiedit.msc, and click OK. The ADSI Edit tool opens.
Note: The ADSI Edit tool is included with the Windows 2003 Support Tools. To install the Support Tools, run Suptools.msi located at the Support\Tools folder in the Windows 2003 Server CD-ROM.
- Locate the computer accounts DOMAIN\EXC$ under the Domain partition.
- Right-click DOMAIN\EXC$ and click Properties.
- Locate the UserAccountControl attribute in the Attributes list and click Edit.
- Modify its value to the current value plus 4194304. For example, if the current value is 512, the new value is 512 + 4194304 = 4194816.
- Click OK.
- Click Apply and then click OK.
- Quit ADSI Edit and then check if Event 675 stops for these accounts.