Solved

failed login events

Posted on 2014-10-15
14
263 Views
Last Modified: 2014-10-30
I need to be able to see an event every time a user enters an incorrect password when trying to log in to the domain.  I also need to be able to see where the request originated from.  I can see event 4771 which shows the following:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\jdoe
      Account Name:            jdoe

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::ffff:x.x.x.x
      Client Port:            64566

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

The problem is the client address listed is one of the domain controllers, not the actual thin client where the login attempt was made.  Where can I find the actual IP address where the request was made?
0
Question by:fallriverelectric
14 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40383902
You have to monitor EVERY domain controller's event logs and, on those servers, set a trigger on a failed login.
0
 

Author Comment

by:fallriverelectric
ID: 40386725
Are you saying if I set the syslog to monitor from both domain controllers rather than just one I'll see more specific events than this kerberos pre-authentication that I am already seeing?
0
 

Author Comment

by:fallriverelectric
ID: 40386895
In addition, I'd like to see 4740 events.  I just intentionally mis-typed the password on an account until it locked out, but I can't find an event for it anywhere in the event log.  I believe this should be a 4740 but when I search for that event ID I find nothing.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40387310
In your Default Domain Controllers Policy, do you audit both successful and failed logon events?
http://support.microsoft.com/kb/814595

So, when you see a number of failed logins on a client server with incorrect credentials (Event ID: 529) or detect an attempt to logon by repetition of a user’s credentials (Event ID: 553), you can sniff a rogue attack.

Complete list of logon events
http://technet.microsoft.com/en-us/library/cc787567%28WS.10%29.aspx
0
 

Author Comment

by:fallriverelectric
ID: 40387391
Yes, I have it set up to audit both successful and failed logon events as indicated in your link.  I should have specified this previously but I'm using Server 2008 R2.
0
 

Author Comment

by:fallriverelectric
ID: 40387556
I tried Microsoft's Account Lockout tool - EventCombMT - but there are just no lockout events listed on any of the domain controllers.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40410375
Let's try to interpret the Kerberos error (http://www.ietf.org/rfc/rfc4120.txt):
PA-ENC-TIMESTAMP            2

Is time synchronized between the two DCs?
Is the same done on the clients?
0
 

Author Comment

by:fallriverelectric
ID: 40411131
Yes, time is synchronized between all 3 DCs and the clients.
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 40411383
When you have multiple domain controllers and you see this event on one of them the reason it lists the DC IP is because that is the DC that the authentication came into. You are seeing the event on a different DC because those events are passed to the other DCs. If you log onto the DC in the event you will then see the IP of the client. This can be a pain when it comes to actually tracking down what is locking an account since you might have to jump back and forth between a few domain controllers. An account lockout event 4740 should show up on all DCs when the event happens.

You will also see events from other services as well, not just the PC, if that is where the error is coming from. We have a user that forgets to update his password on his iPad regularly and it constantly locks out his account on the Domain.

Pick your favorite domain controller and open the event view, find the entry which will point you back to the domain controller where the bad authentication came from and then track down that exact same time stamped matching event and you should see the device that sent the bad password.

A 4740 actually shows up as an Audit Success so if you are filtering on both failure and 4740 you will never see it.
0
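The two pieces of advice above (check every domain controller's Security log, and remember that 4740 is logged as an Audit Success) can be combined into one query. The following PowerShell script is an added example, not code posted in this thread; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on each DC remotely, and PowerShell 3.0 or later. It pulls 4771 and 4740 events for one account from all DCs, reads the Client Address (4771) or Caller Computer Name (4740) out of the event XML, and lists them in time order so the DC that actually received the bad password can be matched to the device that sent it.

```powershell
# Added example (not from the thread): trace 4771 (Kerberos pre-auth failure)
# and 4740 (account lockout) events for one user across every DC.
# Assumptions: RSAT ActiveDirectory module, remote read access to each DC's
# Security log, PowerShell 3.0+. $User is the sAMAccountName to trace.
param(
    [Parameter(Mandatory = $true)][string]$User,
    [int]$Hours = 24
)
Import-Module ActiveDirectory

$start = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # 4740 is an Audit Success record: a filter on failure keywords alone would hide it,
        # so filter on event ID instead.
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4771, 4740
            StartTime = $start
        }
    } catch {
        # Get-WinEvent throws when a DC has no matching events or is unreachable.
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
        continue
    }

    foreach ($e in $events) {
        # EventData fields are easier to read from the XML than from the message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.TargetUserName -ne $User) { continue }

        if ($e.Id -eq 4771) {
            # "Client Address" is the IpAddress field; strip the IPv4-mapped ::ffff: prefix.
            $source = $d.IpAddress -replace '^::ffff:', ''
            $detail = "FailureCode=$($d.Status) PreAuthType=$($d.PreAuthType)"
        } else {
            # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
            $source = $d.TargetDomainName
            $detail = 'account locked out'
        }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Id     = $e.Id
            User   = $d.TargetUserName
            Source = $source
            Detail = $detail
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Trace-BadPassword.ps1 -User jdoe -Hours 6`. A 4771 row whose Source is another DC's address is the forwarded copy; the row with the same timestamp on the DC named in Source carries the real client address, which in the poster's case is the VMware host rather than the thin client.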
 

Author Comment

by:fallriverelectric
ID: 40411814
I think the reason my bad password attempts are not showing the physical IP is because they are all coming from thin clients.  I'm getting two events for each of these attempts - one from the DC IP, and one from the application (in this case, VMware) IP, and none for the thin client IP.  I guess there is nothing that can be done about this?  

My 4740 events have begun showing up.  I am not sure why, because I have changed nothing since the beginning of this thread.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40411917
And is time synchronized on "vmware" and on "thin client" too?
0
 

Author Comment

by:fallriverelectric
ID: 40413484
No, I am not even sure the thin client has a time.
0
 
LVL 17

Accepted Solution

by:
StrifeJester earned 500 total points
ID: 40413702
The VMware application runs locally on the thin client, but you are correct: it is going to only give you the host IP of the machine, since the VMware application does not authenticate. If you are doing application virtualization, then all of your failed attempts will come from the app server that is trying to authenticate the user. If you are doing full desktop virtualization, then you would see the individual IPs. The initial authentication, though, will come from the VMware broker that is checking the user credentials before it starts to deliver content.
0
