Can't find cause of user being locked out

Posted on 2013-06-12
Last Modified: 2014-01-16
I have one particular user whose account gets locked about every other day, without fail.  90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change).  We've eliminated that.  The problem with this particular user, is that I cannot find ANY entries in the netlogon log that indicate the problem.  I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account.  But I don't see any of the standard 0xC000006A events indicated he passed the wrong password.  And I NEVER see those for his user.  It's really weird.

If I go through the event log of the DC who locked him out, I see in the security log the event: 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		<DomainName>\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/<DomainName>

Network Information:
	Client Address:		::ffff:
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Open in new window

I see that event with both the 0X18 error code indicating a bad password, and then I see it with the 0X12 error code indicating the account is locked.  What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of a bad password would throw a 0xC000006A error on my DC's netlogon log via my wireless NPS server.  I get those all the time.

So, what am I missing?  Should I enable additional logging on my netlogon log to catch exactly what's happening?  I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password.  Does anyone have any ideas?

Thanks in advance for your help.
Question by:Jake Pratt
  • 3
LVL 13

Expert Comment

by:Michael Machie
ID: 39242827
You can browse the OWA IIS logs within your Exchange Server and export to Excel. Filter and search for his Username. On the lines with his Username you can see which types of devices he is using to try accessing OWA - whether it is Outlook from a PC, a cell phone, or an iPad.

This may help you identify which device is trying to authenticate, then have the User change the credentials on that device.

If you need assistance locating those log files I will look for the path on my Server tomorrow, or you can google it :)

Author Comment

by:Jake Pratt
ID: 39242847
I don't think this is related to Exchange, though I could be wrong.  I've gone through the events in the IIS logs on my Exchange server, and don't see anything.  His last account lock was at 2:17 PM today.  If you look at the event I posted above, you'll see the IP address of  That is our BDC.  The event above is taken from our PDC.  I'm trying to trace the path back, so I went to our BDC, and tried to look at the security log at 2:17, but unfortunately, my log size wasn't big enough, and I couldn't go back quite that far.  I increased the size of the log for next time, and maybe I'll find some more information in the BDC's security log.  I'm not sure if that will point me in the right direction or not.  If anyone has any other ideas, I'd love to hear them.

Accepted Solution

Zenvenky earned 500 total points
ID: 39243404
This issue occurs due to many reasons. Possible reasons would be..

User account tied to persistent mapped drive
User account running as a service account
User account used as an IIS application pool identity
User account associated with a scheduled task
User account logged in multiple devices like Mobile Phones and Tabs.

Failure Code 0x12 indicates that pre-authentication has failed.

In your case I doubt that Mobile / Tab device is causing issue. Refer below links to fix this issue.

Author Comment

by:Jake Pratt
ID: 39245263
Thanks for the input.  I am already using Account Lockout Tools, and I already have netlogon debug logging turned on.  The crazy thing is, at the time of the lockout, there is no entry in the netlogon log for his account.  I think I need to trace it back through the BDC, and see if I can find the machine/process where it is originating.  The BDC log doesn't go back that far right now, but I increased the size of the log.  I think at this point, I'm just waiting for it to lock again.

Author Comment

by:Jake Pratt
ID: 39245277
I should clarify.  At the time of his lockout, there is no 0xC000006A entry.  There IS a 0xC0000234 entry, but that doesn't help me figure out the process passing the bad password.  The closest 0xC000006A entry I have is from like 26 hour earlier.  And he was working that whole time.  So, it's almost like the netlogon log didn't get any of the bad password entries, just the "account locked" entries.  I'll wait until it locks again, and do some more digging.

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question