Solved

SBS Domain user logon failing repeatedly causing account lockout

Posted on 2007-04-10
Last Modified: 2012-05-05
Our primary domain controller is Windows Small Business Server 2003. We have a user whose account is frequently getting locked out. When I look in our Domain Controller's event log I see the following two security events occurring every 10 seconds like clockwork:

Event 680, Account Logon.
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      USERNAME (of the user that keeps getting locked out)
 Source Workstation:      OURDOMAINCONTROLLER (The name of this machine, our primary DC)
 Error Code:      0xC000006A

Event 529, Logon/Logoff
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            USERNAME (same username, the one getting locked out.)
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OURDOMAINCONTROLLER
       Caller User Name:      OURDOMAINCONTROLLER$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5268                (note: this is the process ID for store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

After enough of these failed logins, apparently the account gets locked out. The process ID above leads me to believe this is somehow related to Exchange (store.exe). Here is what we have tried so far:

-We have completely turned off the user's machine and disconnected it from the network.
-We have had the user sit at the DC console and explicitly set their password in Active Directory.
-The user does not work remotely or use any mobile devices to authenticate to our domain.
-We have restarted the Exchange services on our Domain Controller / Exchange Server
-We have completely rebooted the Domain Controller / Exchange Server.

Any further ideas what could be causing this?

Thank you,
Ben
Question by:benbecker
17 Comments
 
LVL 1

Author Comment

by:benbecker
ID: 18884184
Thanks for the links, I checked them both out, but I don't think they apply necessarily. The user is logged into our domain on her Windows XP Pro client machine, so there should be no issue with unknown or untrusted domain. The second link had a lot of good information about lockout policies in general, but I did not see anything that would explain this behavior.

As mentioned above, the "Source workstation" in the event log error is the Domain Controller itself, and furthermore the failed logins continue, at 10 second intervals, even when the client machine is completely disconnected and powered off. So whatever is repeatedly attempting this bad authentication seems to be on the Domain Controller machine itself.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18886467
Please see my answer in this Question for the solution to your issue:  http:Q_22471975.html


Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:benbecker
ID: 18925123
TechSoEasy, thanks for the suggestion. We followed the instructions from the article: http://support.microsoft.com/?id=325850

We stopped and disabled the Kerberos Key Distribution Center service on our primary domain controller, and then rebooted. Upon rebooting, we ran the command:
netdom resetpwd /s:server /ud:domain\User /pd:*

It prompts for the user password, which we enter and then get this message:
"The machine account password for the local machine could not be reset.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
The command failed to complete successfully"

Any further ideas?

Thanks
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18925243
Setting the KDC to "disabled" is not what the article instructs you to do.  You need to set it to Manual.

Furthermore, you should be logging in using the Built-in Administrator Account for this task and be sure that there are no shared drive mappings currently configured on the server.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:benbecker
ID: 18925736
Sorry, typo in haste there, we did set it to Manual.

I can try those other two things. Also, does it matter that we have a secondary domain controller that is also running? Do we need to do anything on that machine as well?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18935397
Yeah, it most certainly does matter.  Read that KB article on how to simultaneously reset the password on multiple DCs.  (i.e., netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*)

Jeff
TechSoEasy
0
 

Expert Comment

by:beckerben
ID: 18936210
So where do you run this command, server1 or server2 or both?  Does the Kerberos server need to be shut down on both of them?
0
 
LVL 1

Author Comment

by:benbecker
ID: 19033637
Jeff, we're still unclear after reading the article.  Are we issuing this command on DC1 to update DC2 or do we shut down DC2, then issue this command on DC1?  Please advise.  If both of them need to be re-synced using netdom, do we issue them for each DC?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 19214442
Sorry, I must have missed your last reply since it was so long after the initial issue.

If you have not yet resolved this...  the command would be run on DC1, with DC2 running.  However, if there are mapped drives configured on that server you need to disconnect them.  (as well as any other mapped drives on any other machines in your network which have been shared using the same user account -- most likely the Administrator account -- that's what's meant by "disconnect all previous...")

If you have login scripts that map drives using the Administrator account's credentials, that's a pretty bad practice.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:benbecker
ID: 19216486
We ended up removing the user, deleting the Exchange mailbox and adding the user back; however, the problem disappeared for about 20 minutes, and then it was back, invalid login attempts for this user.  We were able to run these procedures here as well and they did not work.  So we ended up just removing this user from the system, coming up with a different username for them and the problem is solved, not necessarily in the ideal way, but we already vested way more time in this than we should have. Thank you for your assistance.
0
 

Accepted Solution

by:
AnnieMod earned 0 total points
ID: 19388362
PAQed with points refunded (500)

AnnieMod
Cleanup Admin
0
 

Expert Comment

by:log138
ID: 23444960
Just researched and tested: Failed POP3 logins on SBS2003 will generate this error!!!

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/22/2009
Time:            3:33:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS2003
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2003
       Caller User Name:      SBS2003$
       Caller Domain:      N*****K
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5036 (store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
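Added example, not part of any post in this thread: a Python triage of Event 529 descriptions like the ones quoted above. It groups failures by user and caller process ID, checks whether the call came from a Local System process on the logging machine itself, and tests for a fixed retry cadence. The sample event, the timestamps and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample, modelled on the Event 529 text quoted in the thread.
SAMPLE_529 = """Logon Failure:
       User Name:      USERNAME
       Workstation Name:      OURDOMAINCONTROLLER
       Caller User Name:      OURDOMAINCONTROLLER$
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5268
       Source Network Address:      -
"""

def parse_529(text):
    """Turn the 'Field:   value' lines of an event description into a dict."""
    pairs = (re.match(r"\s*([^:]+):\s*(.*?)\s*$", ln) for ln in text.splitlines())
    return {m.group(1).strip(): m.group(2) for m in pairs if m and m.group(2)}

def local_service_origin(f):
    """True if a Local System (0x3E7) process on the logging machine made the call."""
    ws = f.get("Workstation Name", "").upper()
    caller = f.get("Caller User Name", "").rstrip("$").upper()
    return (bool(ws) and ws == caller
            and f.get("Caller Logon ID", "").upper().endswith("0X3E7)")
            and f.get("Source Network Address", "-") == "-")

def fixed_interval(times, tolerance=1.0):
    """Median gap in seconds if every gap is within `tolerance` of it, else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or any(abs(g - median(gaps)) > tolerance for g in gaps):
        return None
    return median(gaps)

def triage(events):
    """Group (datetime, description) failures by (user, caller PID)."""
    groups = {}
    for when, text in sorted(events):
        f = parse_529(text)
        key = (f["User Name"], int(f["Caller Process ID"].split()[0]))
        g = groups.setdefault(key, {"times": [], "local_service": True})
        g["times"].append(when)
        g["local_service"] &= local_service_origin(f)
    return {k: {"count": len(g["times"]), "local_service": g["local_service"],
                "period_s": fixed_interval(g["times"])} for k, g in groups.items()}

if __name__ == "__main__":
    start = datetime(2007, 4, 10, 9, 0, 0)  # constructed timestamps, 10 s apart
    print(triage([(start + timedelta(seconds=10 * i), SAMPLE_529) for i in range(6)]))
```

A group with `local_service` true and a steady `period_s` points at a service on the server retrying on behalf of a client rather than at a workstation, which fits the store.exe caller process and the failed POP3 logins reported in this thread.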
 
LVL 1

Expert Comment

by:zequestioner
ID: 26315758
We are having the same problem here with multiple users. Accounts randomly lock out. We have reset the passwords, made sure no drives were mapped locally, and made sure no services were running anywhere under these users' credentials. It seems to happen every other day or so. Help?
0


Question has a verified solution.
