Solved

Can't find cause of user being locked out

Posted on 2013-06-12
5
2,607 Views
Last Modified: 2014-01-16
I have one particular user whose account gets locked about every other day, without fail.  90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change).  We've eliminated that.  The problem with this particular user, is that I cannot find ANY entries in the netlogon log that indicate the problem.  I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account.  But I don't see any of the standard 0xC000006A events indicated he passed the wrong password.  And I NEVER see those for his user.  It's really weird.

If I go through the event log of the DC who locked him out, I see in the security log the event: 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		<DomainName>\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/<DomainName>

Network Information:
	Client Address:		::ffff:10.1.2.7
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Open in new window


I see that event with both the 0X18 error code indicating a bad password, and then I see it with the 0X12 error code indicating the account is locked.  What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of a bad password would throw a 0xC000006A error on my DC's netlogon log via my wireless NPS server.  I get those all the time.

So, what am I missing?  Should I enable additional logging on my netlogon log to catch exactly what's happening?  I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password.  Does anyone have any ideas?

Thanks in advance for your help.
0
Comment
Question by:Jake Pratt
  • 3
5 Comments
 
LVL 13

Expert Comment

by:Michael Machie
ID: 39242827
You can browse the OWA IIS logs within your Exchange Server and export to Excel. Filter and search for his Username. On the lines with his Username you can see which types of devices he is using to try accessing OWA - whether it is Outlook from a PC, a cell phone, or an iPad.

This may help you identify which device is trying to authenticate, then have the User change the credentials on that device.

If you need assistance locating those log files I will look for the path on my Server tomorrow, or you can google it :)
0
 

Author Comment

by:Jake Pratt
ID: 39242847
I don't think this is related to Exchange, though I could be wrong.  I've gone through the events in the IIS logs on my Exchange server, and don't see anything.  His last account lock was at 2:17 PM today.  If you look at the event I posted above, you'll see the IP address of 10.1.2.7.  That is our BDC.  The event above is taken from our PDC.  I'm trying to trace the path back, so I went to our BDC, and tried to look at the security log at 2:17, but unfortunately, my log size wasn't big enough, and I couldn't go back quite that far.  I increased the size of the log for next time, and maybe I'll find some more information in the BDC's security log.  I'm not sure if that will point me in the right direction or not.  If anyone has any other ideas, I'd love to hear them.
0
 
LVL 9

Accepted Solution

by:
Zenvenky earned 500 total points
ID: 39243404
This issue occurs due to many reasons. Possible reasons would be..

User account tied to persistent mapped drive
User account running as a service account
User account used as an IIS application pool identity
User account associated with a scheduled task
User account logged in multiple devices like Mobile Phones and Tabs.

Failure Code 0x12 indicates that pre-authentication has failed.

In your case I doubt that Mobile / Tab device is causing issue. Refer below links to fix this issue.

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=18465

http://www.netwrix.com/account_lockout_troubleshooting.html
0
 

Author Comment

by:Jake Pratt
ID: 39245263
Thanks for the input.  I am already using Account Lockout Tools, and I already have netlogon debug logging turned on.  The crazy thing is, at the time of the lockout, there is no entry in the netlogon log for his account.  I think I need to trace it back through the BDC, and see if I can find the machine/process where it is originating.  The BDC log doesn't go back that far right now, but I increased the size of the log.  I think at this point, I'm just waiting for it to lock again.
0
 

Author Comment

by:Jake Pratt
ID: 39245277
I should clarify.  At the time of his lockout, there is no 0xC000006A entry.  There IS a 0xC0000234 entry, but that doesn't help me figure out the process passing the bad password.  The closest 0xC000006A entry I have is from like 26 hour earlier.  And he was working that whole time.  So, it's almost like the netlogon log didn't get any of the bad password entries, just the "account locked" entries.  I'll wait until it locks again, and do some more digging.
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now