Solved

failed login events

Posted on 2014-10-15
Last Modified: 2014-10-30
I need to be able to see an event every time a user enters an incorrect password when trying to log in to the domain.  I also need to be able to see where the request originated from.  I can see event 4771 which shows the following:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\jdoe
      Account Name:            jdoe

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::ffff:x.x.x.x
      Client Port:            64566

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

The problem is the client address listed is one of the domain controllers, not the actual thin client where the login attempt was made.  Where can I find the actual IP address where the request was made?
Question by:fallriverelectric
14 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40383902
You have to monitor EVERY domain controller's event logs and on those servers set a trigger on a failed login.
 

Author Comment

by:fallriverelectric
ID: 40386725
Are you saying if I set the syslog to monitor from both domain controllers rather than just one I'll see more specific events than this Kerberos pre-authentication that I am already seeing?
 

Author Comment

by:fallriverelectric
ID: 40386895
In addition, I'd like to see 4740 events.  I just intentionally mis-typed the password on an account until it locked out, but I can't find an event for it anywhere in the event log.  I believe this should be a 4740 but when I search for that event ID I find nothing.
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40387310
In your Default Domain Controllers Policy, do you audit both successful and failed logon events?
http://support.microsoft.com/kb/814595

So, when you see a number of failed logins on a client server with incorrect credentials (Event ID: 529) or detect an attempt to logon by repetition of a user’s credentials (Event ID: 553), you can sniff a rogue attack.

Complete list of logon events
http://technet.microsoft.com/en-us/library/cc787567%28WS.10%29.aspx
 

Author Comment

by:fallriverelectric
ID: 40387391
Yes, I have it set up to audit both successful and failed logon events as indicated in your link.  I should have specified this previously but I'm using Server 2008 R2.
 

Author Comment

by:fallriverelectric
ID: 40387556
I tried Microsoft's Account Lockout tool, EventCombMT, but there are just no lockout events listed on any of the domain controllers.
 
LVL 62

Expert Comment

by:gheist
ID: 40410375
Let's try to interpret the Kerberos error (http://www.ietf.org/rfc/rfc4120.txt):
PA-ENC-TIMESTAMP            2


Is time synchronized between two DCs?
Is same done on clients?
 

Author Comment

by:fallriverelectric
ID: 40411131
Yes, time is synchronized between all 3 DCs and the clients.
 
LVL 17

Expert Comment

by:StrifeJester
ID: 40411383
When you have multiple domain controllers and you see this event on one of them the reason it lists the DC IP is because that is the DC that the authentication came into. You are seeing the event on a different DC because those events are passed to the other DCs. If you log onto the DC in the event you will then see the IP of the client. This can be a pain when it comes to actually tracking down what is locking an account since you might have to jump back and forth between a few domain controllers. An account lockout event 4740 should show up on all DCs when the event happens.

You will also see events from other services as well, not just the PC, if that is where the error is coming from. We have a user that forgets to update his password on his iPad regularly and it constantly locks out his account on the Domain.

Pick your favorite domain controller and open Event Viewer, find the entry which will point you back to the domain controller where the bad authentication came from, and then track down that exact same time-stamped matching event and you should see the device that sent the bad password.

A 4740 actually shows up as an Audit Success, so if you are filtering on both failure and 4740 you will never see it.
 
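The procedure StrifeJester describes (take the 4771 on one DC, notice that its Client Address is another DC, then find the same-time 4771 on that DC to get the real device) and the 4740-is-an-Audit-Success point lend themselves to a small correlation script. The following is an added example, not code from this thread or from Microsoft: it parses the "Name: value" lines of a 4771 or 4740 message body as the asker pasted it, collapses the ::ffff: IPv4-mapped address, and walks the records collected from every DC (the asker mentions forwarding them to syslog) to find the first Client Address that is not a domain controller. The DC addresses, the workstation address 10.0.5.23, the host name VDI-BROKER01 and the event records are all constructed sample data.

```python
"""Correlate Kerberos pre-authentication failures (4771) across domain
controllers and pick out lockouts (4740).  Added example: the DC addresses,
host names and event records below are constructed, not taken from the thread."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed: the addresses of the three DCs.  A 4771 whose Client Address
# is one of these was logged on a DC that merely relayed the request.
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}

# One 'Name:   value' line of an event message body (tabs or spaces).
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(\S.*?)[ \t]*$",
                      re.MULTILINE)


def parse_message(text):
    """Return {field: value} for every 'Name: value' line that has a value;
    section headers such as 'Account Information:' are skipped."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(text)}


def normalize_address(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    ip = ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(ip)


def client_address(event):
    """Normalized 'Client Address' of a 4771 record, or None if not present."""
    addr = parse_message(event["message"]).get("Client Address")
    return normalize_address(addr) if addr else None


def is_dc_address(addr):
    return addr in DC_ADDRESSES


def find_origin(events, account, when, window=timedelta(seconds=5)):
    """Look through the 4771 records from every DC for `account` within
    `window` of `when` and return the first Client Address that is not a DC.
    None means only DC (or application-server) addresses were logged, which is
    the thin-client situation described in the thread."""
    for e in sorted(events, key=lambda r: r["time"]):
        if e["event_id"] != 4771 or abs(e["time"] - when) > window:
            continue
        if parse_message(e["message"]).get("Account Name") != account:
            continue
        addr = client_address(e)
        if addr and not is_dc_address(addr):
            return {"address": addr, "logged_on": e["dc"]}
    return None


def failures_only(events):
    """What a filter on the 'Audit Failure' keyword alone keeps."""
    return [e for e in events if e["keywords"] == "Audit Failure"]


def lockouts(events):
    """4740 is logged as an Audit Success, so select it by event ID instead."""
    return [e for e in events if e["event_id"] == 4740]


def _kerb_msg(sid, name, client):
    """Build a 4771 message body in the layout shown in the question."""
    return ("Kerberos pre-authentication failed.\n\nAccount Information:\n"
            f"\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{name}\n\n"
            "Service Information:\n\tService Name:\t\tkrbtgt/DOMAIN\n\n"
            f"Network Information:\n\tClient Address:\t\t{client}\n"
            "\tClient Port:\t\t64566\n\nAdditional Information:\n"
            "\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x18\n"
            "\tPre-Authentication Type:\t2\n")


T0 = datetime(2014, 10, 15, 9, 30, 0)
# Constructed records, as a collector receiving each DC's Security log might hold them.
SAMPLE_EVENTS = [
    {"dc": "DC1", "time": T0, "event_id": 4771, "keywords": "Audit Failure",
     "message": _kerb_msg("DOMAIN\\jdoe", "jdoe", "::ffff:10.0.0.11")},  # DC2's own address
    {"dc": "DC2", "time": T0 + timedelta(seconds=1), "event_id": 4771,
     "keywords": "Audit Failure",
     "message": _kerb_msg("DOMAIN\\jdoe", "jdoe", "::ffff:10.0.5.23")},  # the workstation
    {"dc": "DC3", "time": T0 + timedelta(seconds=2), "event_id": 4740,
     "keywords": "Audit Success",
     "message": ("A user account was locked out.\n\nAccount That Was Locked Out:\n"
                 "\tSecurity ID:\t\tDOMAIN\\jdoe\n\tAccount Name:\t\tjdoe\n\n"
                 "Additional Information:\n\tCaller Computer Name:\tVDI-BROKER01\n")},
]

if __name__ == "__main__":
    print("origin of jdoe's bad password:", find_origin(SAMPLE_EVENTS, "jdoe", T0))
    print("records an Audit-Failure-only filter keeps:", len(failures_only(SAMPLE_EVENTS)))
    print("lockouts found by event ID:", [e["dc"] for e in lockouts(SAMPLE_EVENTS)])
```

Run against the sample records, the first 4771 (on DC1) points at DC2, and the matching 4771 on DC2 carries the workstation address; with only DC1's record available the function returns None, which is what the asker sees for thin clients. The 4740 survives only because it is selected by ID: an Audit-Failure-only filter keeps the two 4771s and drops it. In the 4740 body the originating host is the "Caller Computer Name" field rather than a Client Address.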

Author Comment

by:fallriverelectric
ID: 40411814
I think the reason my bad password attempts are not showing the physical IP is because they are all coming from thin clients.  I'm getting two events for each of these attempts, one from the DC IP and one from the application (in this case, VMware) IP, and none for the thin client IP.  I guess there is nothing that can be done about this?

My 4740 events have begun showing up.  I am not sure why, because I have changed nothing since the beginning of this thread.
 
LVL 62

Expert Comment

by:gheist
ID: 40411917
And is time synchronized on "vmware" and on "thin client" too?
 

Author Comment

by:fallriverelectric
ID: 40413484
No, I am not even sure the thin client has a time.
 
LVL 17

Accepted Solution

by:StrifeJester (earned 2000 total points)
ID: 40413702
The VMware application runs locally on the thin client, but you are correct that it is going to only give you the host IP of the machine, since the VMware application does not authenticate. If you are doing application virtualization then all of your failed attempts will come from the app server that is trying to authenticate the user. If you are doing full desktop virtualization then you would see the individual IPs. The initial authentication, though, will come from the VMware broker that is checking the user credentials before it starts to deliver content.