mpangelov
asked on
Problem with non-stop user locking in active directory and isa server 2004
First I have to apologize because my English is not very good.
Our domain admin quit the company and left a lot of problems in AD.
Now ISA Server 2004 refuses to authenticate the users and locks them, and there are non-stop event IDs 680 and 529 in the ISA server event viewer.
I have increased the account threshold to 100 and even then the users get locked out extremely fast.
I only receive failed authentications in the ISA server. The ISA allows RDP but generates errors, even with a domain account that works on every server.
I'm thinking that maybe he changed some password he should not have changed.
I'm getting this event ID 529 even with my domain admin account:
Logon Failure:
Reason: Unknown user name or bad password
User Name: DOMAIN ADMIN
Domain: ISA_SERVER
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ISA_SERVER
Caller User Name: ISA_SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5516
Transited Services: -
Source Network Address: <IP ADDRESS ON THE PDC>
Source Port: 2693
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I'm help desk and I'm tired of unlocking accounts. The boss said we should wait at least one more month until he finds a new administrator, so any help will be appreciated.
ASKER
What is the Domain controller OS?
Windows Server 2003 with Service Pack 2, x86-based versions
What is the ISA server OS?
Windows Server 2003 with Service Pack 1, x86-based versions
Client OS?
Windows XP SP2.
Check that your domain controller has the latest version of the OS:
Windows Server 2003 with Service Pack 2, x86-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.4092 815,616 04-Jun-2007 04:16 x86
Check that your ISA server has the latest version of the OS:
Windows Server 2003 with Service Pack 1, x86-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.2947 822,784 04-Jun-2007 04:29 x86
Before you start your troubleshooting I must tell you it may be deep troubleshooting and a bit time consuming.
After verification, if your infrastructure change policy allows you to install the latest service pack and test it in the environment without any change window, then you may need to install the latest service pack.
889100 (http://support.microsoft.com/kb/889100/ ) How to obtain the latest service pack for Windows Server 2003
ASKER
DC Lsasrv.dll version 5.2.3790.4530
ISA Lsasrv.dll version 5.2.3790.3290
Can you check whether your ISA server has any error / critical / warning events logged? Try to check the records at the time when you last reset/enabled a user account.
ASKER
Little update: I removed the "enforce strict RPC compliance" setting on the Active Directory rule in the system policy editor in the ISA server. Now there are no more failed security messages, but sadly the users still get locked at a very fast rate.
ASKER
OK. This is log from the time the problems started:
event id:1
Automatic certificate enrollment for local system failed to download certificates for ROOT store from ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=my domain,DC=bg?cACertificate?one?objectCategory=certificationAuthority (0x8007006e). The system cannot open the device or file specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
Event id 23407
Writing to the log took approximately 62 seconds. If this time exceeds 30 seconds, logging may fail and ISA Server may go into lockdown mode. For more information, see Microsoft article 919468, at the ISA Server Help and Support site (http://support.microsoft.com/ph/2108/en-us/).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
event id 8
The Microsoft Firewall failed to log information to MSDE Database ISALOG_20120411_FWS_000 in path F:\Firewall\ISALogs. The MSDE Error description is: Timeout expired. The problem may be resolved by restarting the MSSQL$MSFW service.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
event id 14007
ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 130.100.1.0-130.100.1.255, 172.17.0.0-172.17.17.40,172.17.17.43-172.17.18.40,172.17.18.42-172.17.23.40,172.17.23.43-172.17.43.40,172.17.43.42-172.17.74.40,172.17.74.42-172.17.138.41,172.17.138.43-172.17.179.40,172.17.179.42-172.17.188.40,172.17.188.42-172.17.188.43,172.17.188.45-172.17.255.255,172.18.3.5-172.18.3.5,172.20.0.0-172.21.255.255,172.28.0.0-172.28.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
event id 14147
ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 172.20.0.0-172.20.255.255, 172.21.1.0-172.21.255.255,172.28.0.0-172.28.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
The routing table for network adapter External includes IP address ranges that are not defined in the array network External to which it is bound. As a result, when packets go in/out via this network adapter and they are from/sent to the IP address ranges listed below they will be considered spoofed and will be dropped. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: Internal:172.20.0.0-172.20.255.255,172.21.1.0-172.21.255.255,172.28.0.0-172.28.255.255;
After that the internet was blocked and I needed to restart the server.
event id:1
OK, there are a few things you should do to fix the error in ISA server.
Only include IP ranges that are reachable (through ISA's inside network GW) from the ISA interface in question. Make sure you have persistent routes defined to all networks reachable by the Inside interface,
and to rectify event ID 1 use the MS article below.
http://technet.microsoft.com/en-us/library/cc774867(v=ws.10).aspx
ASKER
I checked the networks already and they seem fine.
The fix for event ID 1 is for Win 2008 and I can't make it work on my 2003 server.
But after I removed the enforce strict RPC compliance, I don't see any more failed logins, but users continue to get locked.
Good articles for such a situation:
http://technet.microsoft.com/en-us/library/cc773155.aspx
http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
ASKER
OK, I followed the event 644 records and found some computers with Net-Worm.Win32.Kido.
I cleared 4 of them, but there is one I can't get access to.
I'll have to wait till Wednesday to find the location of this computer and find someone to clear it.
I'll keep you updated.
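The asker got to the root cause by following event 644 (User Account Locked Out) on the domain controller, whose Caller Machine Name field names the workstation that sent the bad passwords, and then matching that against the 529/680 failures. The script below is an added example, not code from this thread; it parses a constructed export of Windows Server 2003 Security log records (event IDs 529, 680 and 644, field names as they appear in those events) and aggregates them by originating workstation, so a workstation that is failing passwords for several different accounts stands out from a single user mistyping their own. On Windows Server 2008 and later the equivalent event IDs are 4625, 4776 and 4740; hostnames, account names and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample export of Windows Server 2003 Security log events.
# Event IDs and field names follow the 2003-era format; every hostname,
# account and address is invented for this example.
SAMPLE_LOG = """\
Event ID: 529
Reason: Unknown user name or bad password
User Name: jsmith
Domain: CORP
Logon Type: 3
Workstation Name: WS-FINANCE-07
Source Network Address: 10.20.30.40

Event ID: 529
Reason: Unknown user name or bad password
User Name: agreen
Domain: CORP
Logon Type: 3
Workstation Name: WS-FINANCE-07
Source Network Address: 10.20.30.40

Event ID: 680
Logon account: mbrown
Source Workstation: WS-FINANCE-07
Error Code: 0xC000006A

Event ID: 529
Reason: Unknown user name or bad password
User Name: helpdesk1
Domain: CORP
Logon Type: 10
Workstation Name: ADMIN-PC
Source Network Address: 10.20.30.99

Event ID: 644
Target Account Name: jsmith
Target Account ID: CORP\\jsmith
Caller Machine Name: WS-FINANCE-07
Caller User Name: DC01$
Caller Domain: CORP

Event ID: 644
Target Account Name: agreen
Target Account ID: CORP\\agreen
Caller Machine Name: WS-FINANCE-07
Caller User Name: DC01$
Caller Domain: CORP
"""

# One "Key: Value" line of an event record.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split the export into blank-line-separated records and return them as dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "Event ID" in rec:
            rec["Event ID"] = int(rec["Event ID"])
            events.append(rec)
    return events


def source_of(event):
    """Return the field that names where the attempt came from, per event type."""
    eid = event["Event ID"]
    if eid == 529:   # Logon failure (Kerberos/NTLM via LSA)
        return event.get("Workstation Name") or event.get("Source Network Address", "?")
    if eid == 680:   # NTLM credential validation failure
        return event.get("Source Workstation", "?")
    if eid == 644:   # Account locked out; the DC records which machine caused it
        return event.get("Caller Machine Name", "?")
    return None


def failures_by_source(events):
    """Count failed logons (529 and 680) per originating workstation."""
    return Counter(source_of(e) for e in events if e["Event ID"] in (529, 680))


def lockouts_by_caller(events):
    """Map each Caller Machine Name from 644 events to the accounts it locked out."""
    callers = {}
    for e in events:
        if e["Event ID"] == 644:
            callers.setdefault(source_of(e), set()).add(e.get("Target Account Name", "?"))
    return callers


def suspect_sources(events, min_accounts=2):
    """Workstations failing passwords for at least `min_accounts` distinct accounts.
    One person mistyping hits one account; a worm or a stale credential cache hits many."""
    accounts = {}
    for e in events:
        if e["Event ID"] == 529:
            accounts.setdefault(source_of(e), set()).add(e.get("User Name"))
        elif e["Event ID"] == 680:
            accounts.setdefault(source_of(e), set()).add(e.get("Logon account"))
    return sorted(src for src, accts in accounts.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, n in failures_by_source(evs).most_common():
        print(f"{n:3d} failed logons from {src}")
    for caller, accts in lockouts_by_caller(evs).items():
        print(f"lockouts triggered via {caller}: {sorted(accts)}")
    print("suspect workstations:", suspect_sources(evs))
```

Run it against a real export taken from the domain controller that holds the PDC emulator role, since that is where lockout events are centralised; in the sample the same host appears as the source of three failures across three accounts and as the caller for both lockouts, which is the pattern that pointed the asker at infected machines rather than at ISA itself.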
Great, I believe things will work for you now.
Let me understand your environment.
What is the Domain controller OS?
What is the ISA server OS?
And the client OS?
Also, if you can, validate the version of the files on the servers (choose as per the version you have in your environment):
Windows Server 2003 with Service Pack 1, x86-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.2947 822,784 04-Jun-2007 04:29 x86
Windows Server 2003 with Service Pack 2, x86-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.4092 815,616 04-Jun-2007 04:16 x86
Windows Server 2003 with Service Pack 1, Itanium-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.2947 2,161,664 03-Jun-2007 14:30 IA-64
Windows Server 2003 with Service Pack 2, Itanium-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.4092 2,163,200 03-Jun-2007 14:35 IA-64
Windows Server 2003, x64-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.2947 1,566,720 03-Jun-2007 14:29 x64
Windows Server 2003 with Service Pack 2, x64-based versions
File name File version File size Date Time Platform
Lsasrv.dll 5.2.3790.4092 1,567,232 03-Jun-2007 14:35 x64