Solved

SBS Domain user logon failing repeatedly causing account lockout

Posted on 2007-04-10
Last Modified: 2012-05-05
Our primary domain controller is Windows Small Business Server 2003. We have a user whose account is frequently getting locked out. When I look in our Domain Controller's event log I see the following two security events occurring every 10 seconds like clockwork:

Event 680, Account Logon.
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      USERNAME (of the user that keeps getting locked out)
 Source Workstation:      OURDOMAINCONTROLLER (The name of this machine, our primary DC)
 Error Code:      0xC000006A

Event 529, Logon/Logoff
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            USERNAME (same username, the one getting locked out.)
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OURDOMAINCONTROLLER
       Caller User Name:      OURDOMAINCONTROLLER$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5268                (note: this is the process ID for store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

After enough of these failed logins, apparently the account gets locked out. The process ID above leads me to believe this is somehow related to Exchange (store.exe). Here is what we have tried so far:

- We have completely turned off the user's machine and disconnected it from the network.
- We have had the user sit at the DC console and explicitly set their password in Active Directory.
- The user does not work remotely or use any mobile devices to authenticate to our domain.
- We have restarted the Exchange services on our Domain Controller / Exchange Server.
- We have completely rebooted the Domain Controller / Exchange Server.

Any further ideas what could be causing this?

Thank you,
Ben
Question by:benbecker

Expert Comment

by:glenn_1984
ID: 18884024

Author Comment

by:benbecker
ID: 18884184
Thanks for the links, I checked them both out, but I don't think they apply necessarily. The user is logged into our domain on her Windows XP Pro client machine, so there should be no issue with unknown or untrusted domain. The second link had a lot of good information about lockout policies in general, but I did not see anything that would explain this behavior.

As mentioned above, the "Source workstation" in the event log error is the Domain Controller itself, and furthermore the failed logins continue, at 10 second intervals, even when the client machine is completely disconnected and powered off. So whatever is repeatedly attempting this bad authentication seems to be on the Domain Controller machine itself.

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18886467
Please see my answer in this Question for the solution to your issue:  http:Q_22471975.html


Jeff
TechSoEasy

Author Comment

by:benbecker
ID: 18925123
TechSoEasy, thanks for the suggestion. We followed the instructions from the article: http://support.microsoft.com/?id=325850

We stopped and disabled the Kerberos Key Distribution Center service on our primary domain controller, and then rebooted. Upon rebooting, we ran the command:
netdom resetpwd /s:server /ud:domain\User /pd:*

It prompts for the user password, which we enter and then get this message:
"The machine account password for the local machine could not be reset.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
The command failed to complete successfully"

Any further ideas?

Thanks

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18925243
Setting the KDC to "disabled" is not what the article instructs you to do.  You need to set it to Manual.

Furthermore, you should be logging in using the Built-in Administrator Account for this task and be sure that there are no shared drive mappings currently configured on the server.

Jeff
TechSoEasy

Author Comment

by:benbecker
ID: 18925736
Sorry, typo in haste there, we did set it to Manual.

I can try those other two things. Also, does it matter that we have a secondary domain controller that is also running? Do we need to do anything on that machine as well?

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18935397
Yeah, it most certainly does matter.  Read that KB article on how to simultaneously reset the password on multiple DCs.  (i.e., netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*)

Jeff
TechSoEasy

Expert Comment

by:beckerben
ID: 18936210
So where do you run this command, server1 or server2 or both?  Does the Kerberos server need to be shut down on both of them?

Author Comment

by:benbecker
ID: 19033637
Jeff, we're still unclear after reading the article.  Are we issuing this command on DC1 to update DC2, or do we shut down DC2, then issue this command on DC1?  Please advise.  If both of them need to be re-synced using netdom, do we issue them for each DC?

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 19214442
Sorry, I must have missed your last reply since it was so long after the initial issue.

If you have not yet resolved this...  the command would be run on DC1, with DC2 running.  However, if there are mapped drives configured on that server you need to disconnect them.  (as well as any other mapped drives on any other machines in your network which have been shared using the same user account -- most likely the Administrator account -- that's what's meant by "disconnect all previous...")

If you have login scripts that map drives using the Administrator account's credentials, that's a pretty bad practice.

Jeff
TechSoEasy

Author Comment

by:benbecker
ID: 19216486
We ended up removing the user, deleting the Exchange mailbox and adding the user back; however, the problem disappeared for about 20 minutes, and then it was back, invalid login attempts for this user.  We were able to run these procedures here as well and they did not work.  So we ended up just removing this user from the system, coming up with a different username for them, and the problem is solved, not necessarily in the ideal way, but we already vested way more time in this than we should have. Thank you for your assistance.

Accepted Solution

by:AnnieMod
ID: 19388362
PAQed with points refunded (500)

AnnieMod
Cleanup Admin

Expert Comment

by:log138
ID: 23444960
Just researched and tested: Failed POP3 logins on SBS2003 will generate this error!!!

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/22/2009
Time:            3:33:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS2003
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2003
       Caller User Name:      SBS2003$
       Caller Domain:      N*****K
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5036 (store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
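
A triage sketch for the pattern discussed in this thread, as an added example that is not part of any post here: it parses exported Event 529 text records in the layout of the record above, groups Logon Type 3 failures by user, workstation and caller process ID, and reports groups that fail at a near-constant interval, which points at a process retrying a stored password rather than a person typing. The function names, the DC01 host name, the user names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*?)\s*$")

def parse_529(record):
    """Parse one exported Event 529 text record into a field dict."""
    fields = {}
    for line in record.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def periodic_failures(records, min_events=4, jitter=2.0):
    """Report (user, workstation, caller PID) groups failing at a near-constant interval."""
    groups = defaultdict(list)
    for f in map(parse_529, records):
        if f.get("Event ID") != "529" or f.get("Logon Type") != "3":
            continue
        m = re.match(r"\d+", f.get("Caller Process ID", ""))
        pid = int(m.group()) if m else None  # value may carry a note after the number
        when = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
        groups[(f["User Name"].lower(), f["Workstation Name"], pid)].append(when)
    findings = []
    for (user, host, pid), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_events, 2) and max(gaps) - min(gaps) <= jitter:
            findings.append({"user": user, "workstation": host, "caller_pid": pid,
                             "events": len(times), "interval_s": round(sum(gaps) / len(gaps))})
    return findings

# Constructed sample records in the layout shown on this page (not real logs).
TEMPLATE = """Event ID:      529
Date:            1/22/2009
Time:            {time}
       User Name:      {user}
       Logon Type:      3
       Workstation Name:      DC01
       Caller Process ID:      {pid}
"""
SAMPLE = [TEMPLATE.format(time=f"3:33:{s:02d} PM", user="jdoe", pid="5268")
          for s in (7, 17, 27, 37, 47)]
SAMPLE += [TEMPLATE.format(time=t, user="asmith", pid="812")
           for t in ("9:01:05 AM", "9:01:31 AM", "9:04:12 AM", "9:20:40 AM")]

if __name__ == "__main__": print(periodic_failures(SAMPLE))
```

When the reported workstation is the server itself, the caller PID can be matched against the server's running process list to name the service making the attempts.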

Expert Comment

by:zequestioner
ID: 26315758
We are having the same problem here with multiple users. Accounts randomly lock out. We have reset the passwords, made sure no drives were mapped locally, and made sure no services were running anywhere under these users' credentials. It seems to happen every other day or so. Help?