Account Lockout Event 4740 with caller computer JCIFS233_45_58

My domain currently has both 2003 and 2008 running.
Recently I have a user whose account is getting locked out.
I see no failed login attempts prior to the account lockout on any of the domain controllers. I do, however, see some 675 events with failure code 0x19 for the same user; these seem to occur 20 minutes before the account lockout occurs, and they occur with a source IP address of the user's system whose domain account is locking out.

The 2008 server is reporting that an account lockout occurred with event 4740.
The piece I'm struggling with is that the caller computer name is always something like JCIFS233_45_58 or JCIFS233_44_DD.

These jcifs* systems are not computers on my networks. These names have no DHCP leases, no DNS entries, and they are not . It looks like this may be some sort of Java CIFS client, but we don't run any such applications.

How do I track down where these jcifs* computer names are coming from?

Here are my event details

A user account was locked out.

Subject:
      Security ID:            SYSTEM
      Account Name:            DC2008$
      Account Domain:            CROSSBEAMSYS
      Logon ID:            0x3e7

Account That Was Locked Out:
      Security ID:            DOMAINNAME\username
      Account Name:            username

Additional Information:
      Caller Computer Name:      JCIFS233_44_DD
Asked by danielswanson

terminal_dk commented:
Update: After further research, I found out that JCIFS constructs the workstation name as

JCIFS<3rd octet>_<4th octet>_<index>

Thus JCIFS233_45_58 or JCIFS233_44_DD
means that the IP address of the host in question is x.y.233.45 or x.y.233.44.

Thus it should be relatively easy to find the machine. If you are only using 10.x addresses, you are now down to 256 possibilities. Just ping them and see what is alive.

I traced our locked user back to a SAP system.
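The decoding terminal_dk describes, worked through as an added example that is not part of the original thread: a Python script that pulls every Caller Computer Name out of pasted 4740 event text, recognises the jCIFS pattern, decodes it into the third and fourth address octets, and enumerates the candidate a.b.<3rd>.<4th> addresses across whatever ranges the site actually routes (for a pure 10/8 site that is the 256 candidates the answer mentions). The sample event text, the account and computer names in it, and the site range 10.0.0.0/8 are constructed for the example. One detail from the jCIFS source (jcifs.netbios.NbtAddress.getLocalHost) that the post does not spell out: the trailing two hex characters are a random value chosen when the client starts, so only the two octets carry information about the host.

```python
import ipaddress
import platform
import re
import subprocess

# Constructed sample 4740 event text, modelled on the output quoted in the
# question; the domain, account and second caller name are made up.
SAMPLE_4740_EVENTS = """
A user account was locked out.

Subject:
      Security ID:            SYSTEM
      Account Name:            DC2008$
      Account Domain:            EXAMPLE
      Logon ID:            0x3e7

Account That Was Locked Out:
      Security ID:            EXAMPLE\\jdoe
      Account Name:            jdoe

Additional Information:
      Caller Computer Name:      JCIFS233_44_DD

A user account was locked out.

Account That Was Locked Out:
      Account Name:            jdoe

Additional Information:
      Caller Computer Name:      WKS-FINANCE-07
"""

# jCIFS default workstation name: "JCIFS" + 3rd octet + "_" + 4th octet + "_"
# + two random hex digits (jcifs.netbios.NbtAddress.getLocalHost). Only the
# two octets identify the host; the hex suffix changes per process.
JCIFS_NAME = re.compile(r"^JCIFS(\d{1,3})_(\d{1,3})_[0-9A-Fa-f]{2}$")


def decode_jcifs_name(name):
    """Return (third_octet, fourth_octet) for a jCIFS-style name, else None."""
    m = JCIFS_NAME.match(name.strip())
    if not m:
        return None
    third, fourth = int(m.group(1)), int(m.group(2))
    if third > 255 or fourth > 255:
        return None
    return third, fourth


def caller_names(event_text):
    """Pull every 'Caller Computer Name' value out of pasted 4740 event text."""
    return re.findall(r"Caller Computer Name:\s*(\S+)", event_text)


def candidate_addresses(third, fourth, site_ranges):
    """Enumerate a.b.<third>.<fourth> for every /16 overlapping the site ranges.

    site_ranges: IPv4 CIDR strings for the address space you actually route.
    """
    found = set()
    for cidr in site_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue
        if net.prefixlen <= 16:
            blocks = net.subnets(new_prefix=16)
        else:
            blocks = [net.supernet(new_prefix=16)]
        for block in blocks:
            cand = block.network_address + ((third << 8) | fourth)
            if cand in net:  # drop hits that fall outside a narrower range
                found.add(cand)
    return [str(a) for a in sorted(found)]


def resolve_lockout_callers(event_text, site_ranges):
    """Map each caller name in the events to candidate IPs (None if not jCIFS)."""
    result = {}
    for name in caller_names(event_text):
        decoded = decode_jcifs_name(name)
        result[name] = candidate_addresses(*decoded, site_ranges) if decoded else None
    return result


def is_alive(address, timeout_s=1):
    """Single ICMP echo to a candidate; needs a live network, so not run offline."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), address]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), address]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    # Assumed site range; replace with the address space you actually use.
    for name, cands in resolve_lockout_callers(SAMPLE_4740_EVENTS, ["10.0.0.0/8"]).items():
        if cands is None:
            print(f"{name}: not a jCIFS-generated name")
        else:
            print(f"{name}: {len(cands)} candidates, {cands[0]} .. {cands[-1]}")
```

Feed the output of candidate_addresses to is_alive (or to your own sweep) to shorten the list, then look on the live hosts for whatever is holding the user's old credentials: a Java application, an integration job, or a developer tool using the jCIFS library. Bear in mind that the workstation name in the 4740 event is whatever the client put in its NTLM negotiation, so a decoded address is a lead to confirm, not proof of the source.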

bigwak commented:
You might wanna check first if those were not virtual machines.

danielswanson (author) commented:
We have checked and we have no machines with these names either physical or virtual

terminal_dk commented:
JCIFS is not a computer. It is a Java client library for accessing Windows file shares (A Samba client).

I am having the exact same problem here, I suspect that it is either SAP or some Developer IDE/tool.

Larry_walz commented:
The empty "Caller Computer Name" occurs because of the following:

1. There is no secure method for the KDC to get the remote machine's name at the current time. If the client provides the name (as in NTLM), then it's not trustworthy and can be spoofed. There are Unix-based hacking tools which spoof the workstation name in NTLM auth requests.

2. DNS and NetBIOS reverse lookup are not secure and are not reliable; if we tried this, we'd have a high incidence of incorrect or missing information, and hurt performance.

3. Even if we chose to add the name anyway, when we could, there's no field for us to use to carry it in Kerberos AS-REQ and TGS-REQ messages; we'd have to overload some other field, and run a high risk of losing compatibility with MIT's reference implementation.

This problem may not occur on all the account lockout events. Please check whether any clue can be found in other related events.
Troubleshooting Account Lockout

http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
 
Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
 
Hope this helps.