I have a user who's account is locked out throughout the day daily. He only logs onto one computer each day. He's running WINXP PRO SP2. It happens a few times a day. When googling his issue, it seems that most people are having this when they issue on servers. However, he has a laptop. I will post the event viewer messages on his local machine:
Source: LSASRV
Category: SPNEGO
Type: Warning
Event ID: 40960
The Security System detected an attempted downgrade attack for server (SERVER NAME). The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
(0xc0000234)".
Source: LSASRV
Category: SPNEGO
Type: Warning
Event ID: 40960
The Security System could not establish a secured connection with the server (SERVER NAME). No authentication protocol was available.
Those two happen for one server. Then ten minutes later it has the same 10, except this time it references a workstation.
Also have these:
Source: Kerberos
Category: none
Type: Error
Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server (SERVERNAME$). This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN), and the client realm. Please contact your system administrator.
I received this one a few hours later:
Source: Kerberos
Category: none
Type: Error
Event ID: 5
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server (SERVERNAME$). This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm (DOMAIN) is in sync with the KDC in the client realm.
Start Free Trial
