• Status: Solved

How to identify what is causing login failure

I have a remote user who changed his password through an RDP session. Then he connected his VPN and changed the local password on his laptop. Since then his account continues to get locked. I completely removed his profile from the laptop, forced a password change (while the laptop was physically on the network) and recreated his Exchange profile. It worked fine for a few days and now it is doing the same thing. I am seeing the following errors in the security log.

Logon Failure:
       Reason:            Account locked out
       User Name:      <username>
       Domain:      <mydomainname>
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      Server-EXCH (This is the weird part. This is not his PC name. It is my Exchange server name.)
       Caller User Name:      Server-EXCH$
       Caller Domain:      <mydomainname>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 4652
       Transited Services: -
       Source Network Address:
       Source Port:      54918

This appears to be an issue with a connection through Outlook to the Exchange server, but I cannot find where it is broken.

Any help would be appreciated.

1 Solution
Does this user have some 3rd party application that is trying to log in and access his Exchange account? For example, a Vista sidebar gadget that is checking for new emails?

gf0326 (Author) commented:
No. The only thing that was out of the ordinary is originally he was set up to access his email via RPC over HTTP. When I removed his Outlook and Windows profile from the machine I intentionally did not set that back up.

If you use a lot of RDP, this user may have a running session on a server with the old credentials.

Use the Microsoft Account Lockout tool to find where the lockout is occurring.
gf0326 (Author) commented:
We do use a lot of RDP but I have it set to reset the connections after 1 hour. I verified in Terminal Service Manager he does not have a disconnected session.

I ran the tool and it showed he was locked out. I unlocked and turned on netlogon logging. What else can I or should I do with this tool?

Logon type 8 means it's a network logon which is sending a cleartext password. The process it's talking about is "Logon Process: Advapi". It can be a virus. First scan for the advapi virus.

For all account lockout issues we should figure out the source that is sending the bad password. Enabling the netlogon log will help you to find the source machine.

You can use Advapi in ASP scripts to send logon info.

In your domain there is one ASP application which is sending the wrong password.

The following link explains Advapi in ASP:

gf0326 (Author) commented:
Once I ran the tool there was a connection to the old data server still attempting to sync the 'My Documents' under a different user name. I was able to unlock the account and then delete the old server from the sync set on the workstation. Thanks for the help.
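
An added example, not part of the original thread: a small parser for security-log text in the layout pasted in the question. It generalizes from the single event shown to a tally of which host, logon type and logon process account for a user's lockout failures. The user and host names in the sample are constructed. Logon type 8 is NetworkCleartext, and a caller logon ID of 0x3E7 is the Local System session, meaning a service on the reporting host performed the logon on the user's behalf.

```python
from collections import Counter

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Constructed sample events (hypothetical user and host names), same layout as above.
TEMPLATE = """Logon Failure:
       Reason:            Account locked out
       User Name:      {0}
       Logon Type:      {1}
       Logon Process:      {2}
       Workstation Name:      {3}
       Caller User Name:      {4}
       Caller Logon ID:      {5}
"""
ROWS = [("jdoe", 8, "Advapi", "SRV-MAIL", "SRV-MAIL$", "(0x0,0x3E7)"),
        ("jdoe", 8, "Advapi", "SRV-MAIL", "SRV-MAIL$", "(0x0,0x3E7)"),
        ("jdoe", 3, "NtLmSsp", "LAPTOP-07", "-", "-")]
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)

def parse_events(text):
    """Return one {field: value} dict per 'Logon Failure' event in the text."""
    events = []
    for chunk in text.split("Logon Failure:")[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def lockout_sources(events):
    """Count failures per (user, reporting host, logon type, logon process)."""
    tally = Counter()
    for e in events:
        raw = e.get("Logon Type", "")
        name = LOGON_TYPES.get(int(raw), raw) if raw.isdigit() else "?"
        tally[(e.get("User Name", "?"), e.get("Workstation Name", "?"),
               name, e.get("Logon Process", "?"))] += 1
    return tally

def made_by_local_system(event):
    """True if a process running as SYSTEM (logon session 0x3E7) made the call."""
    return (event.get("Caller User Name", "").endswith("$")
            and event.get("Caller Logon ID", "").lower().endswith("0x3e7)"))

if __name__ == "__main__":
    for source, count in lockout_sources(parse_events(SAMPLE)).most_common():
        print(count, source)
```

When the top entry is a server flagged by `made_by_local_system`, the bad password is being relayed through a service on that server, so the next step is that server's own logs for the originating client.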