• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4864
  • Last Modified:

Can't find cause of user being locked out

I have one particular user whose account gets locked about every other day, without fail.  90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change).  We've eliminated that.  The problem with this particular user, is that I cannot find ANY entries in the netlogon log that indicate the problem.  I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account.  But I don't see any of the standard 0xC000006A events indicated he passed the wrong password.  And I NEVER see those for his user.  It's really weird.

If I go through the event log of the DC who locked him out, I see in the security log the event: 4771
Kerberos pre-authentication failed.

Account Information:
	Security ID:		<DomainName>\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/<DomainName>

Network Information:
	Client Address:		::ffff:
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Open in new window

I see that event with both the 0X18 error code indicating a bad password, and then I see it with the 0X12 error code indicating the account is locked.  What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of a bad password would throw a 0xC000006A error on my DC's netlogon log via my wireless NPS server.  I get those all the time.

So, what am I missing?  Should I enable additional logging on my netlogon log to catch exactly what's happening?  I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password.  Does anyone have any ideas?

Thanks in advance for your help.
Jake Pratt
Jake Pratt
  • 3
1 Solution
Michael MachieFull-time technical multi-taskerCommented:
You can browse the OWA IIS logs within your Exchange Server and export to Excel. Filter and search for his Username. On the lines with his Username you can see which types of devices he is using to try accessing OWA - whether it is Outlook from a PC, a cell phone, or an iPad.

This may help you identify which device is trying to authenticate, then have the User change the credentials on that device.

If you need assistance locating those log files I will look for the path on my Server tomorrow, or you can google it :)
Jake PrattAuthor Commented:
I don't think this is related to Exchange, though I could be wrong.  I've gone through the events in the IIS logs on my Exchange server, and don't see anything.  His last account lock was at 2:17 PM today.  If you look at the event I posted above, you'll see the IP address of  That is our BDC.  The event above is taken from our PDC.  I'm trying to trace the path back, so I went to our BDC, and tried to look at the security log at 2:17, but unfortunately, my log size wasn't big enough, and I couldn't go back quite that far.  I increased the size of the log for next time, and maybe I'll find some more information in the BDC's security log.  I'm not sure if that will point me in the right direction or not.  If anyone has any other ideas, I'd love to hear them.
This issue occurs due to many reasons. Possible reasons would be..

User account tied to persistent mapped drive
User account running as a service account
User account used as an IIS application pool identity
User account associated with a scheduled task
User account logged in multiple devices like Mobile Phones and Tabs.

Failure Code 0x12 indicates that pre-authentication has failed.

In your case I doubt that Mobile / Tab device is causing issue. Refer below links to fix this issue.



Jake PrattAuthor Commented:
Thanks for the input.  I am already using Account Lockout Tools, and I already have netlogon debug logging turned on.  The crazy thing is, at the time of the lockout, there is no entry in the netlogon log for his account.  I think I need to trace it back through the BDC, and see if I can find the machine/process where it is originating.  The BDC log doesn't go back that far right now, but I increased the size of the log.  I think at this point, I'm just waiting for it to lock again.
Jake PrattAuthor Commented:
I should clarify.  At the time of his lockout, there is no 0xC000006A entry.  There IS a 0xC0000234 entry, but that doesn't help me figure out the process passing the bad password.  The closest 0xC000006A entry I have is from like 26 hour earlier.  And he was working that whole time.  So, it's almost like the netlogon log didn't get any of the bad password entries, just the "account locked" entries.  I'll wait until it locks again, and do some more digging.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now