PMRS
asked on
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 locks Windows 2003 Active Directory account - 0xC0000234
After resetting a user password through user manager, the account consistently gets locked every few seconds.
Environment: Windows 2003 SP2 (two active directory servers)
Troubleshooting steps:
Unlock Account...
Reset PW
Removed from all groups User was a domain admin (by design)
Turned off all users workstations
Turned on enhanced AD logging and get the Event ID: 680
Checked for errant network shares
Disabled/Re-enabled the account - When account is disabled MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0 still attempts and gets a failure audit
Full Virus and Spyware scan
AD sync is working as expected
Checked all backup services and windows services for account in use
Checked services on and rebooted all domain and application servers
With domain controller 1 off, secondary got plagued with the same error.
I can re-enable the account and with Event Log or AccountLockout Status watch the failed attempts get chewed up. I have been combing Microsoft and the rest of the web. Any thoughts or suggestions would be appreciated.
Errors in Event Viewer (every few seconds over the past 48 hours)
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/13/2008
Time: 8:48:45 AM
User: NT AUTHORITY\SYSTEM
Computer: AD1 (Active Directory)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Logon account: jsmith
Source Workstation:
Error Code: 0xC0000234
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/13/2008
Time: 9:18:13 AM
User: NT AUTHORITY\SYSTEM
Computer: AD1 (Active Directory)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Logon account: jsmith
Source Workstation:
Error Code: 0xC0000234
Environment: Windows 2003 SP2 (two active directory servers)
Troubleshooting steps:
Unlock Account...
Reset PW
Removed from all groups User was a domain admin (by design)
Turned off all users workstations
Turned on enhanced AD logging and get the Event ID: 680
Checked for errant network shares
Disabled/Re-enabled the account - When account is disabled MICROSOFT_AUTHENTICATION_P
Full Virus and Spyware scan
AD sync is working as expected
Checked all backup services and windows services for account in use
Checked services on and rebooted all domain and application servers
With domain controller 1 off, secondary got plagued with the same error.
I can re-enable the account and with Event Log or AccountLockout Status watch the failed attempts get chewed up. I have been combing Microsoft and the rest of the web. Any thoughts or suggestions would be appreciated.
Errors in Event Viewer (every few seconds over the past 48 hours)
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/13/2008
Time: 8:48:45 AM
User: NT AUTHORITY\SYSTEM
Computer: AD1 (Active Directory)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: jsmith
Source Workstation:
Error Code: 0xC0000234
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/13/2008
Time: 9:18:13 AM
User: NT AUTHORITY\SYSTEM
Computer: AD1 (Active Directory)
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: jsmith
Source Workstation:
Error Code: 0xC0000234
ASKER
Thanks for the feedback. The issue has been resolved.
After 1.5 days of mind-numbing troubleshooting, I traced the issue back to a SQL 2005 instance. Although the users credentials were not visibly in use on any of the databases, or services on this server& the server was running a HP Proliant monitoring tool. Removing this tool and the associated database (and reloading) resolved the issue. Users password has changed multiple times since, without issue.
After 1.5 days of mind-numbing troubleshooting, I traced the issue back to a SQL 2005 instance. Although the users credentials were not visibly in use on any of the databases, or services on this server& the server was running a HP Proliant monitoring tool. Removing this tool and the associated database (and reloading) resolved the issue. Users password has changed multiple times since, without issue.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You might want to check the services and scheduled tasks to see if any are using that user to authenticate. If so, update the credentials.