Solved

Can't find cause of user being locked out

Posted on 2013-06-12
Last Modified: 2014-01-16
I have one particular user whose account gets locked about every other day, without fail.  90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change).  We've eliminated that.  The problem with this particular user is that I cannot find ANY entries in the netlogon log that indicate the problem.  I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account.  But I don't see any of the standard 0xC000006A events indicating he passed the wrong password.  And I NEVER see those for his user.  It's really weird.

If I go through the event log of the DC who locked him out, I see in the security log the event: 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		<DomainName>\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/<DomainName>

Network Information:
	Client Address:		::ffff:10.1.2.7
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


I see that event with both the 0x18 error code indicating a bad password, and then I see it with the 0x12 error code indicating the account is locked.  What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of a bad password would throw a 0xC000006A error on my DC's netlogon log via my wireless NPS server.  I get those all the time.

So, what am I missing?  Should I enable additional logging on my netlogon log to catch exactly what's happening?  I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password.  Does anyone have any ideas?

Thanks in advance for your help.
Question by:Jake Pratt
5 Comments

Expert Comment

by:Michael Machie
ID: 39242827
You can browse the OWA IIS logs within your Exchange Server and export to Excel. Filter and search for his Username. On the lines with his Username you can see which types of devices he is using to try accessing OWA - whether it is Outlook from a PC, a cell phone, or an iPad.

This may help you identify which device is trying to authenticate, then have the User change the credentials on that device.

If you need assistance locating those log files I will look for the path on my Server tomorrow, or you can google it :)

Author Comment

by:Jake Pratt
ID: 39242847
I don't think this is related to Exchange, though I could be wrong.  I've gone through the events in the IIS logs on my Exchange server, and don't see anything.  His last account lock was at 2:17 PM today.  If you look at the event I posted above, you'll see the IP address of 10.1.2.7.  That is our BDC.  The event above is taken from our PDC.  I'm trying to trace the path back, so I went to our BDC, and tried to look at the security log at 2:17, but unfortunately, my log size wasn't big enough, and I couldn't go back quite that far.  I increased the size of the log for next time, and maybe I'll find some more information in the BDC's security log.  I'm not sure if that will point me in the right direction or not.  If anyone has any other ideas, I'd love to hear them.

Accepted Solution

by:
Zenvenky earned 1500 total points
ID: 39243404
This issue occurs due to many reasons. Possible reasons would be:

User account tied to persistent mapped drive
User account running as a service account
User account used as an IIS application pool identity
User account associated with a scheduled task
User account logged in multiple devices like Mobile Phones and Tabs.

Failure Code 0x12 indicates that pre-authentication has failed.

In your case I doubt that a Mobile / Tab device is causing the issue. Refer to the links below to fix this issue.

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=18465

http://www.netwrix.com/account_lockout_troubleshooting.html
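The two records the question and the accepted answer turn on are the Security event 4771 (Failure Code 0x18 for a bad password, 0x12 once the account is locked) and the netlogon.log lines that carry 0xC000006A / 0xC0000234. The following Python is an added example, not code posted by the asker or by Zenvenky, showing how to parse both formats and correlate them: pull the account, client address and failure code out of a 4771 body, flag the case where the client address is itself a DC (as with 10.1.2.7 here, meaning the request was forwarded and the real source has to be found in that DC's own logs), and list which machines sent wrong passwords in the minutes before the lockout. The sample event text and netlogon lines are constructed; the domain EXAMPLE, hosts WS-DAVEB, WS-ALICE and BDC01, and the set of DC addresses are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed 4771 message body, shaped like the one in the question (hypothetical values).
SAMPLE_4771 = """\
Kerberos pre-authentication failed.

Account Information:
\tSecurity ID:\t\tEXAMPLE\\daveb
\tAccount Name:\t\tdaveb

Service Information:
\tService Name:\t\tkrbtgt/EXAMPLE

Network Information:
\tClient Address:\t\t::ffff:10.1.2.7
\tClient Port:\t\t50365

Additional Information:
\tTicket Options:\t\t0x40810010
\tFailure Code:\t\t0x18
\tPre-Authentication Type:\t0
"""

# Constructed netlogon.log lines in the layout netlogon debug logging writes
# (MM/DD HH:MM:SS [category] [pid] ... Returns <NTSTATUS>); hostnames are hypothetical.
SAMPLE_NETLOGON = """\
06/12 14:16:58 [LOGON] [1420] EXAMPLE: SamLogon: Network logon of EXAMPLE\\daveb from WS-DAVEB (via BDC01) Returns 0xC000006A
06/12 14:17:01 [LOGON] [1420] EXAMPLE: SamLogon: Network logon of EXAMPLE\\daveb from WS-DAVEB (via BDC01) Returns 0xC000006A
06/12 14:17:04 [LOGON] [1420] EXAMPLE: SamLogon: Network logon of EXAMPLE\\daveb from WS-DAVEB (via BDC01) Returns 0xC0000234
06/12 14:17:09 [LOGON] [1420] EXAMPLE: SamLogon: Network logon of EXAMPLE\\alice from WS-ALICE (via BDC01) Returns 0x0
"""

KERB_FAILURE = {"0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
                "0x12": "KDC_ERR_CLIENT_REVOKED (account locked out or disabled)"}
NETLOGON_STATUS = {"0xC000006A": "STATUS_WRONG_PASSWORD",
                   "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT"}
DC_ADDRESSES = {"10.1.2.7"}  # hypothetical: IPv4 addresses of this domain's DCs


def parse_event_4771(text):
    """Extract the fields that matter for lockout triage from a 4771 message body."""
    fields = {m.group(1): m.group(2)
              for m in re.finditer(r"^\t([A-Za-z -]+):\t+(.*?)\s*$", text, re.M)}
    addr = fields.get("Client Address", "")
    ip = addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr  # drop IPv4-mapped prefix
    code = fields.get("Failure Code")
    return {"account": fields.get("Account Name"), "client_ip": ip,
            "failure_code": code, "failure_meaning": KERB_FAILURE.get(code, "unknown"),
            # A DC as client means the request was chained; look in that DC's logs next.
            "client_is_dc": ip in DC_ADDRESSES}


NETLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*?logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)")


def parse_netlogon(text, year):
    """Parse 'Returns' lines from netlogon.log; the log omits the year, so the caller gives it."""
    entries = []
    for line in text.splitlines():
        m = NETLOGON_RE.match(line)
        if not m:
            continue  # 'Entered' lines and other chatter carry no status code
        entries.append({
            "ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d %H:%M:%S"),
            "account": m["account"].split("\\")[-1].lower(),  # strip DOMAIN\ prefix
            "source": m["source"], "via": m["via"],
            "status": "0x" + m["status"][2:].upper()})
    return entries


def first_lockout(entries, account):
    """Timestamp of the first STATUS_ACCOUNT_LOCKED_OUT entry for the account, or None."""
    for e in entries:
        if e["account"] == account.lower() and e["status"] == "0xC0000234":
            return e["ts"]
    return None


def bad_password_sources(entries, account, locked_at, window=timedelta(minutes=30)):
    """(source, forwarding DC) pairs that sent wrong passwords in the window before the lockout.
    An empty list is the situation the asker describes: netlogon never saw the bad password."""
    hits = {(e["source"], e["via"]) for e in entries
            if e["account"] == account.lower() and e["status"] == "0xC000006A"
            and locked_at - window <= e["ts"] <= locked_at}
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


if __name__ == "__main__":
    ev = parse_event_4771(SAMPLE_4771)
    print(f"4771 for {ev['account']}: {ev['failure_meaning']} from {ev['client_ip']}"
          + (" (a DC: request was forwarded, check that DC's logs)" if ev["client_is_dc"] else ""))
    entries = parse_netlogon(SAMPLE_NETLOGON, year=2013)
    locked = first_lockout(entries, "daveb")
    print("locked at", locked, "bad passwords from", bad_password_sources(entries, "daveb", locked))
```

Run it against a real export by reading the 4771 body and netlogon.log from files in place of the two constructed samples. When `client_is_dc` is true the 4771 on the PDC only tells you which DC forwarded the attempt, which is why the security log on that DC (sized large enough to cover the lockout time) is the next place to look.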

Author Comment

by:Jake Pratt
ID: 39245263
Thanks for the input.  I am already using Account Lockout Tools, and I already have netlogon debug logging turned on.  The crazy thing is, at the time of the lockout, there is no entry in the netlogon log for his account.  I think I need to trace it back through the BDC, and see if I can find the machine/process where it is originating.  The BDC log doesn't go back that far right now, but I increased the size of the log.  I think at this point, I'm just waiting for it to lock again.

Author Comment

by:Jake Pratt
ID: 39245277
I should clarify.  At the time of his lockout, there is no 0xC000006A entry.  There IS a 0xC0000234 entry, but that doesn't help me figure out the process passing the bad password.  The closest 0xC000006A entry I have is from like 26 hours earlier.  And he was working that whole time.  So, it's almost like the netlogon log didn't get any of the bad password entries, just the "account locked" entries.  I'll wait until it locks again, and do some more digging.