The error event 675 with 0X19 error code indicates:
0×19 – KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required In domain environment, Kerberos is the default authentication protocol.
In Kerberos Authentication protocol implemented in Windows, Pre-authentication is required by default. However, sometimes, clients may not include the pre-authentication data in first communication with KDC (the AS_REQ).
As a result, KDC returns an error to inform client that Pre-Authentication is required, and then an event ID 675 with the error 0×19 is recorded on KDC.
Meanwhile, please set the flag “Do not require pre-authentication” for the problematic account EXC$, to configure the system to not require pre-authentication. For user accounts, we can enable this flag in User Properties.
For computer account, we should modify the attribute UserAccountControl via the following steps:
1. On the domain controller, click Start, click Run, type in “adsiedit.msc” (without the quotation marks) and press ENTER to launch ADSI Edit tool.
This tool is included with the Windows 2003 Support Tools. To install the Support Tools, run Suptools.msi from the Support\Tools folder on the Windows 2003 Server CD-ROM.
2. Locate the computer accounts DOMAIN\EXC$ under the Domain partition.
3. Right-click on “DOMAIN\EXC$”, click Properties.
4. Then locate the attribute “UserAccountControl” in the Attributes list. Click Edit.
5. Modify the value to original value plus 4194304. For example, if the original value is 512, the new value should be 512+4194304=4194816
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for these accounts.
For more information about UserAccountControl attribute, you can refer to the following article:
How to use the UserAccountControl flags to manipulate user account properties http://support.microsoft.com/kb/305144