AD accounts not getting locked out properly ID 4771

Hello,

I'm receiving many event ID's for 4771 on several domain controllers where I'm getting the below information with many authentication failures but the user accounts are not getting locked out when the default domain policy is set to lockout after 3 unsuccessful attempts. Any thoughts? Thanks

4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Thu Dec 27 20:26:01 2012,No User,Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-2094812614-1962491401-1202159320-115256 Account Name: bvn0412 Service Information: Service Name: krbtgt/domain.COM Network Information: Client Address: ::ffff:10.12.104.105 Client Port: 62426 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

jacksonwsa

Asked: 2012-12-27

Advertise Here

1 Solution

LVL 15

alienvoiceCommented: 2012-12-27

Over what time period are these failures occuring?

Are your default settings set to a short grace period?

jacksonwsaAuthor Commented: 2012-12-27

I'm seeing like 8 failures in a day on this first account I'm looking at. Here is our default domain policy specifically the password piece.

Policy Setting
Enforce password history 5 passwords remembered
Maximum password age 45 days
Minimum password age 1 days
Minimum password length 8 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policyhide
Policy Setting
Account lockout duration 10080 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 4320 minutes

Account Policies/Kerberos Policyhide
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes

LVL 59

Darius GhassemCommented: 2012-12-27

What is your Reset Account Lockout Counter After setting?

Go through this as well to make sure all settings are set correctly

http://technet.microsoft.com/en-us/library/cc781491(v=ws.10).aspx

Run gpupdate on client

Run gpresult see if the policy is applying or not to the users

jacksonwsaAuthor Commented: 2012-12-27

I confirmed the policy is applying to two of the users

LVL 59

Darius GhassemCommented: 2012-12-27

Alright check those settings

LVL 15

alienvoiceCommented: 2012-12-27

Check your 'Reset account Lockout Counter After' setting. This determines how many minutes can elapse after each failed attempt. Your 8 attempts per day may be occuring far enough apart not to trigger the lockout.

http://technet.microsoft.com/en-us/library/cc784599%28v=ws.10%29.aspx

jacksonwsaAuthor Commented: 2013-01-08

I've dug into the logs and I think I'm making progress on this. Thanks for your help

jacksonwsaAuthor Commented: 2013-07-19

I've requested that this question be closed as follows:

Accepted answer: 0 points for jacksonwsa's comment #a38757651

for the following reason:

This was never resolved

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Expand your skills with this month's free Premium course.

AD accounts not getting locked out properly ID 4771

Join & Write a Comment Already a member? Login.

Featured Post