How to identify what is causing login failure

Last Modified: 2012-05-06
I have a remote user who changed his password through an RDP session. Then he connected his VPN and changed the local password on his laptop. Since then his account continues to get locked. I completely removed his profile from the laptop, forced a password change (while the laptop was physically on the network) and recreated his Exchange profile. It worked fine for a few days and now it is doing the same thing. I am seeing the following errors in the security log.

Logon Failure:
       Reason:            Account locked out
       User Name:      <username>
       Domain:      <mydomainname>
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      Server-EXCH (this is the weird part. this is not his pc name. It is my exchange server name)
       Caller User Name:      Server-EXCH$
       Caller Domain:      <mydomainname>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 4652
       Transited Services: -
       Source Network Address:      67.223.82.116
       Source Port:      54918

This appears to be a connection through Outlook to the Exchange server issue but I cannot find where it is broken.

Any help would be appreciated.

Thanks

Commented:
Does this user have some 3rd party application that is trying to log in and access his Exchange account? For example, a Vista sidebar gadget that is checking for new emails?

Author

Commented:
No. The only thing that was out of the ordinary is originally he was set up to access his email via RPC over HTTP. When I removed his Outlook and Windows profile from the machine I intentionally did not set that back up.

Commented:
If you use a lot of RDP, this user may have a running session on a server with the old credentials.

Use the Microsoft Account Lockout tool to find where the lockout is occurring.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


Author

Commented:
We do use a lot of RDP but I have it set to reset the connections after 1 hour. I verified in Terminal Service Manager he does not have a disconnected session.

I ran the tool and it showed he was locked out. I unlocked and turned on netlogon logging. What else can I or should I do with this tool?
Chris Hudson, Cloud Security Architect
CERTIFIED EXPERT

Commented:
Logon type 8 means it's a network logon which is sending a clear text password. The process it's talking about is "Logon Process: Advapi". It can be a virus. First scan for the advapi virus:
http://www.processlibrary.com/directory/files/advapi/

For all account lockout issues we should figure out the source that is sending the bad password. Enabling the netlogon log will help you find the source machine.

You can use Advapi in ASP scripts to send logon info.

In your domain there is one ASP application which is sending the wrong password.

The following link explains Advapi in ASP:
http://www.motobit.com/help/scptutl/cm123.htm

Author

Commented:
Once I ran the tool there was a connection to the old data server still attempting to sync the 'My Documents' under a different user name. I was able to unlock the account and then delete the old server from the sync set on the workstation. Thanks for the help.
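
An added example, not part of the original thread and not Microsoft's tooling: a Python script that parses failed-logon records in the text layout shown in the question and ranks them by workstation, source address and logon type, which is the "find the source sending the bad password" step discussed above. The user name, host names and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Logon type names as documented by Microsoft for Windows security events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported event text into one dict per 'Logon Failure:' record."""
    events = []
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def lockout_sources(events, user):
    """Rank (workstation, source address, logon type) by failures for user."""
    counts = Counter()
    for e in events:
        if e.get("User Name", "").lower() != user.lower():
            continue
        t = e.get("Logon Type", "")
        name = LOGON_TYPES.get(int(t), t) if t.isdigit() else "unknown"
        counts[(e.get("Workstation Name"), e.get("Source Network Address"), name)] += 1
    return counts.most_common()

# Constructed sample records (hypothetical user, hosts and documentation-range IPs).
SAMPLE = """\
Logon Failure:
    User Name: jdoe
    Logon Type: 8
    Workstation Name: SRV-EXCH
    Source Network Address: 203.0.113.10
Logon Failure:
    User Name: jdoe
    Logon Type: 3
    Workstation Name: LAPTOP-07
    Source Network Address: 192.0.2.44
Logon Failure:
    User Name: jdoe
    Logon Type: 8
    Workstation Name: SRV-EXCH
    Source Network Address: 203.0.113.10
"""

if __name__ == "__main__":
    for (host, addr, kind), n in lockout_sources(parse_events(SAMPLE), "jdoe"):
        print(f"{n:3d}  {host:<12} {addr:<16} {kind}")
```

The top-ranked tuple is the machine and logon path to investigate first; a server name there, as in the question, points at a service relaying stored credentials rather than at the user's own PC.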