Can't find cause of user being locked out

Posted on 2013-06-12
Medium Priority
Last Modified: 2014-01-16
I have one particular user whose account gets locked about every other day, without fail.  90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change).  We've eliminated that.  The problem with this particular user, is that I cannot find ANY entries in the netlogon log that indicate the problem.  I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account.  But I don't see any of the standard 0xC000006A events indicated he passed the wrong password.  And I NEVER see those for his user.  It's really weird.

If I go through the event log of the DC who locked him out, I see in the security log the event: 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		<DomainName>\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/<DomainName>

Network Information:
	Client Address:		::ffff:
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Open in new window

I see that event with both the 0X18 error code indicating a bad password, and then I see it with the 0X12 error code indicating the account is locked.  What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of a bad password would throw a 0xC000006A error on my DC's netlogon log via my wireless NPS server.  I get those all the time.

So, what am I missing?  Should I enable additional logging on my netlogon log to catch exactly what's happening?  I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password.  Does anyone have any ideas?

Thanks in advance for your help.
Question by:Jake Pratt
  • 3
LVL 13

Expert Comment

by:Michael Machie
ID: 39242827
You can browse the OWA IIS logs within your Exchange Server and export to Excel. Filter and search for his Username. On the lines with his Username you can see which types of devices he is using to try accessing OWA - whether it is Outlook from a PC, a cell phone, or an iPad.

This may help you identify which device is trying to authenticate, then have the User change the credentials on that device.

If you need assistance locating those log files I will look for the path on my Server tomorrow, or you can google it :)

Author Comment

by:Jake Pratt
ID: 39242847
I don't think this is related to Exchange, though I could be wrong.  I've gone through the events in the IIS logs on my Exchange server, and don't see anything.  His last account lock was at 2:17 PM today.  If you look at the event I posted above, you'll see the IP address of  That is our BDC.  The event above is taken from our PDC.  I'm trying to trace the path back, so I went to our BDC, and tried to look at the security log at 2:17, but unfortunately, my log size wasn't big enough, and I couldn't go back quite that far.  I increased the size of the log for next time, and maybe I'll find some more information in the BDC's security log.  I'm not sure if that will point me in the right direction or not.  If anyone has any other ideas, I'd love to hear them.
LVL 10

Accepted Solution

ZenVenky earned 1500 total points
ID: 39243404
This issue occurs due to many reasons. Possible reasons would be..

User account tied to persistent mapped drive
User account running as a service account
User account used as an IIS application pool identity
User account associated with a scheduled task
User account logged in multiple devices like Mobile Phones and Tabs.

Failure Code 0x12 indicates that pre-authentication has failed.

In your case I doubt that Mobile / Tab device is causing issue. Refer below links to fix this issue.




Author Comment

by:Jake Pratt
ID: 39245263
Thanks for the input.  I am already using Account Lockout Tools, and I already have netlogon debug logging turned on.  The crazy thing is, at the time of the lockout, there is no entry in the netlogon log for his account.  I think I need to trace it back through the BDC, and see if I can find the machine/process where it is originating.  The BDC log doesn't go back that far right now, but I increased the size of the log.  I think at this point, I'm just waiting for it to lock again.

Author Comment

by:Jake Pratt
ID: 39245277
I should clarify.  At the time of his lockout, there is no 0xC000006A entry.  There IS a 0xC0000234 entry, but that doesn't help me figure out the process passing the bad password.  The closest 0xC000006A entry I have is from like 26 hour earlier.  And he was working that whole time.  So, it's almost like the netlogon log didn't get any of the bad password entries, just the "account locked" entries.  I'll wait until it locks again, and do some more digging.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question