cashewx

Account locks out for a user throughout the day.

I have a user whose account is locked out throughout the day, daily. He only logs onto one computer each day. He's running WINXP PRO SP2. It happens a few times a day. When googling his issue, it seems that most people are having this issue on servers. However, he has a laptop. I will post the event viewer messages on his local machine:

Source: LSASRV
Category: SPNEGO
Type: Warning
Event ID: 40960

The Security System detected an attempted downgrade attack for server (SERVER NAME).  The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
 (0xc0000234)".

Source: LSASRV
Category: SPNEGO
Type: Warning
Event ID: 40960
The Security System could not establish a secured connection with the server (SERVER NAME).  No authentication protocol was available.

Those two happen for one server. Then ten minutes later it has the same 10, except this time it references a workstation.

Also have these:

Source: Kerberos
Category: none
Type: Error
Event ID: 4

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server (SERVERNAME$).  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN), and the client realm.   Please contact your system administrator.

I received this one a few hours later:

Source: Kerberos
Category: none
Type: Error
Event ID: 5
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server (SERVERNAME$).  This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator  to make sure the client and server times are in sync, and that the KDC in realm (DOMAIN) is  in sync with the KDC in the client realm.
ASKER CERTIFIED SOLUTION
tomo999
This solution is only available to members.
nicolausj

Have you tried forcing him to change his password? Do you use roaming profiles?
What other troubleshooting have you done?
cashewx

ASKER

1) They are in sync with each other.
2) Removed and rejoined the domain.
3) User says he's only logged on at his PC (not sure how to check if the account is active domain-wide where he would be logged on anywhere else).
4) I did not see any scheduled tasks. All services use Network Service and Local System for logon as.

I just installed the ALockout tools debugger on his machine. Next time it happens, hopefully the credentials being sent will be logged to help determine the occurrence. Any other ideas in the meantime?
cashewx

ASKER

Looks like rejoining the computer account to the domain did not work. We don't use roaming profiles. We use Quest software for auditing and his account only shows up for attempts to access his account when it's locked. Never do I see bad password attempts anywhere in the domain. He logs every time his account locks, and it always matches on the reports. At first I thought it could be something sending his credentials, however I can verify the IP as coming from his machine in the logs. Is it possible a mapped drive somewhere could be causing this?
Hi,

Delete and recreate the user profile on the computer, this worked for me.
cashewx

ASKER

I reviewed the alockout logs and did not see anything of significance. I can try wiping his profile, however they do not roam and I did not see any invalid credentials being passed from his machine. Somehow his account is being locked out without sending a bad password. Using Quest, I would be able to see if a bad user name was sent.
I experienced the same problem; my user was also not roaming. As a last resort I deleted his profile and recreated it on his computer, and the problem was resolved.
SOLUTION
This solution is only available to members.
cashewx

ASKER

Thanks for your help!
cashewx

ASKER

It turns out there was a machine that was passing the credentials of the user to the DC. I would always filter for the user name, but would never find any errors. When a user was logged on, the PC would send the credentials of the troubled account to the DC. Since the user name trying to be authenticated was different than the user currently logged in, it was marked as a system event. Whenever I would use filters I would always use the user name and never thought to look at system.

I used the account lockout tool from Microsoft to pinpoint the time when bad credentials were being passed. I saw that every hour or so a bad password attempt would appear. Since it was precise with the time down to the seconds, I was able to filter the logs for the exact time. Since the DC is very active at the time it happened, there were about 150 records for the time range! I happened to analyze all the logs for that time and ran across a failure from a system account. It listed the user name and the IP of the PC it was coming from.

I connected to the PC's event security event viewer and sure enough found all the attempts in the security log. The Event ID was 675 and the user was listed as NT AUTHORITY\SYSTEM. Our threshold limit for account lockout is 3 attempts within a day. He would always complain when he came back from lunch his PC was locked. It would try its third attempt 10 min before he gets back from lunch. Long story short, CASE CLOSED!
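
The search described in the closing post, as an added example that is not part of the original thread: match Event ID 675 records on the account name inside the message text rather than on the User column, then group by client address. The records, names, addresses and message layout below are constructed for illustration and only modelled on event 675 text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported DC Security-log records (not from the thread).
# "user" is the Event Viewer User column; the failing account is only in the text.
MSG = ("Pre-authentication failed:\n\tUser Name:\t{name}\n"
       "\tFailure Code:\t0x18\n\tClient Address:\t{ip}\n")
SYSTEM = "NT AUTHORITY\\SYSTEM"
EVENTS = [
    {"id": 675, "time": "2009-03-02 10:02:17", "user": SYSTEM,
     "message": MSG.format(name="jdoe", ip="10.0.0.57")},
    {"id": 675, "time": "2009-03-02 11:02:17", "user": SYSTEM,
     "message": MSG.format(name="jdoe", ip="10.0.0.57")},
    {"id": 675, "time": "2009-03-02 11:02:18", "user": SYSTEM,
     "message": MSG.format(name="asmith", ip="10.0.0.80")},
    {"id": 672, "time": "2009-03-02 11:02:17", "user": "EXAMPLE\\jdoe",
     "message": "Authentication Ticket Request:\n\tUser Name:\tjdoe\n"},
    {"id": 675, "time": "2009-03-02 11:50:17", "user": SYSTEM,
     "message": MSG.format(name="jdoe", ip="10.0.0.57")},
]
FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(.+?)\s*$", re.M)

def user_column_filter(events, account):
    """The filter that found nothing: match on the User column only."""
    suffix = "\\" + account.lower()
    return [e for e in events if e["id"] == 675 and e["user"].lower().endswith(suffix)]

def preauth_failures(events, account, around=None, window_s=5):
    """Event 675 records whose message text names `account`, optionally near a time."""
    hits = []
    for e in events:
        fields = dict(FIELD.findall(e["message"]))
        if e["id"] != 675 or fields.get("User Name", "").lower() != account.lower():
            continue
        when = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if around is not None and abs(when - around) > timedelta(seconds=window_s):
            continue
        hits.append((when, fields.get("Client Address"), e["user"]))
    return hits

def sources(hits):
    """Group failures by client address so the offending machine stands out."""
    by_ip = defaultdict(list)
    for when, ip, _user in hits:
        by_ip[ip].append(when)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, times in sources(preauth_failures(EVENTS, "jdoe")).items():
        print(ip, len(times), "failures, first", times[0], "last", times[-1])
```

Passing the timestamp reported by the lockout tool as `around` narrows a busy DC log to the few records written in that second.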