Account Lockout Event 4740 with caller computer JCIFS233_45_58

Posted on 2011-10-17
Last Modified: 2014-01-10
My domain currently has both 2003 and 2008 running.
Recently I have a user whose account is getting locked out.
I see no failed login attempts prior to the account lockout on any of the domain controllers. I do, however, see some 675 events with failure code 0x19 for the same user; these seem to occur 20 minutes before the account lockout occurs, and they have a source IP address of the user's system whose domain account is locking out.

The 2008 server is reporting that an account lockout occurred with event 4740.
The piece I'm struggling with is that the caller computer name is always something like JCIFS233_45_58 or JCIFS233_44_DD.

These jcifs* systems are not computers on my networks. These names have no DHCP leases or DNS entries, and they are not . It looks like this may be some sort of Java CIFS client, but we don't run any such applications.

How do I track down where these jcifs* computer names are coming from?

Here are my event details:

A user account was locked out.

      Security ID:            SYSTEM
      Account Name:            DC2008$
      Account Domain:            CROSSBEAMSYS
      Logon ID:            0x3e7

Account That Was Locked Out:
      Security ID:            DOMAINNAME\username
      Account Name:            username

Additional Information:
      Caller Computer Name:      JCIFS233_44_DD
Question by:danielswanson

    Expert Comment

    You might wanna check first if those were not virtual machines.

    Author Comment

    We have checked and we have no machines with these names either physical or virtual

    Expert Comment

    JCIFS is not a computer. It is a Java client library for accessing Windows file shares (A Samba client).

    I am having the exact same problem here, I suspect that it is either SAP or some Developer IDE/tool.

    Accepted Solution

    Update: After further research, I found out that JCIFS constructs the workstation name as

    JCIFS<3rd octet>_<4th octet>_<index>

    Thus JCIFS233_45_58 or JCIFS233_44_DD means that the IP address of the host in question is x.y.233.45 or x.y.233.44.

    Thus it should be relatively easy to find the machine. If you are only using 10.x addresses, you are now down to 256 possibilities. Just ping them and see what is alive.

    I traced our locked user back to a SAP system.
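An added example, not code from the thread, that applies the accepted answer's decoding: it pulls the Caller Computer Name out of 4740 event text, recognises the JCIFS<3rd octet>_<4th octet>_<index> pattern, and expands a hit into the 256 candidate addresses you would sweep under a single 10.x first octet. The event lines and the first octet are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Default jCIFS workstation name as described in the accepted answer:
# "JCIFS" + <3rd octet> + "_" + <4th octet> + "_" + <hex index>.
JCIFS_NAME = re.compile(r"^JCIFS(\d{1,3})_(\d{1,3})_([0-9A-Fa-f]{1,2})$")

# Constructed sample: the Caller Computer Name lines of four 4740 events,
# including one ordinary workstation and one empty caller name.
SAMPLE_4740 = """
Caller Computer Name:      JCIFS233_45_58
Caller Computer Name:      JCIFS233_44_DD
Caller Computer Name:      WKS-FINANCE-07
Caller Computer Name:
"""


def caller_names(event_text: str) -> List[str]:
    """Return every Caller Computer Name value in the event text (may be '')."""
    return [line.split(":", 1)[1].strip()
            for line in event_text.splitlines()
            if line.strip().startswith("Caller Computer Name:")]


def decode_jcifs_name(name: str) -> Optional[Tuple[int, int]]:
    """Return (3rd octet, 4th octet) if name matches the jCIFS default pattern."""
    m = JCIFS_NAME.match(name.strip())
    if not m:
        return None
    third, fourth = int(m.group(1)), int(m.group(2))
    if third > 255 or fourth > 255:
        return None  # digits present but not a valid IPv4 octet pair
    return third, fourth


def candidate_hosts(name: str, first_octet: int) -> List[str]:
    """Expand a jCIFS name into the 256 hosts it could be within one /8 (e.g. 10.x)."""
    octets = decode_jcifs_name(name)
    if octets is None:
        return []
    third, fourth = octets
    return [f"{first_octet}.{second}.{third}.{fourth}" for second in range(256)]


if __name__ == "__main__":
    for n in caller_names(SAMPLE_4740):
        hosts = candidate_hosts(n, 10)
        print(repr(n), "->", f"{len(hosts)} candidates" if hosts else "not a jCIFS default name")
```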

    Expert Comment

    The empty "Caller Computer Name" occurs because of the following:
    1. There is no secure method for the KDC to get the remote machine's name at the current time. If the client provides the name (as in NTLM), then it's not trustworthy and can be spoofed. There are Unix-based hacking tools which spoof the workstation name in NTLM auth requests.
    2. DNS and NetBIOS reverse lookup are not secure and are not reliable; if we tried this, we'd have a high incidence of incorrect or missing information, and hurt performance.
    3. Even if we chose to add the name anyway, when we could, there's no field for us to use to carry it in Kerberos AS REQ and TGS REQ messages; we'd have to overload some other field, and run a high risk of loss of compatibility with MIT's reference implementation.
    This problem may not occur on all the account lockout events. Please check if we can find any clue in other related events.
    Troubleshooting Account Lockout
    Account Lockout Tools
    Hope this helps.
