account get locks out every few minutes

Posted on 2014-12-01
Medium Priority
Last Modified: 2014-12-19
Hi Guys,

MY ID gets locked out every few minutes, source lockout shows it is from the VCenter server.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/1/2014 12:55:17 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            
      Account Domain:            AIA
      Logon ID:            0x3E7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0xa5c
      Caller Process Name:      D:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\VMwareIdentityMgmtService.exe

Network Information:
      Workstation Name:      
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2014-12-01T04:55:17.674049100Z" />
    <Correlation />
    <Execution ProcessID="588" ThreadID="11872" />
    <Security />
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName"></Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xa5c</Data>
    <Data Name="ProcessName">D:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\VMwareIdentityMgmtService.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
Question by:gihrnm
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +1

Author Comment

ID: 40475074
I have tried few things -

1) Reset password to more complex alphanumerics
2) Removed epo McAfee from my desktop ( network traces from the Vcentre server shows https request being made to the epo server)
3) Disconnect all the shared drives from my desktop

I suspect could be due to one of the VM console which I might login and the acc locks out due to proxy credentials or share drive mapping..since we have almost 700 vm guests, I can't think of login to each of the server..

Anyway I can find the the "real" lockout source?  Thank's guys
LVL 11

Expert Comment

ID: 40475125
Check if the following are mapped under your credentials on that system:

Services (Start>>run>>services.msc)
Scheduled Tasks (Under Control Panel)
Mapped drives (Disconnect them all perhaps, or run an app such as Ccleaner with the option "Delete Saved Network Passwords"

An easier method in my opinion is to log in as administrator on the server in question, and deleting your profile on that server. It will simply re-create at logon. Just make sure you copy off any data you wish to retain first. (http://support2.microsoft.com/kb/2462308)

If you do wish to have more detailed info on lockout source try an app such as Netwrix Account Lockout Monitor (Free version)

LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40475134
It appears to be the VMWARE management service that has an old password
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.


Author Comment

ID: 40475206
I have tried deleting my profile but still same result and tried using lockoutstatus.exe / tcpip packet tracer..it shows account lockout source is from this Vcentre server..when I go thru the sec log of this server, I'm seeing event id 4625..

by the way I'm part of domain admin group..

Anyone knows what is this "VMwareIdentityMgmtService.exe" does? Search result does not show much information..
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40475216
check the services that run on that computer!
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40476081
This is most likely a VMWare Vcenter service on the Vcenter computer which you configured to run as your account.

FYI - you never, ever want to configure a service to run as any domain account except for domain accounts created specifically for that purpose. E.g. if it is a vcenter service, create an A.D. vcenter service account and only use the account for that service - nothing else. You also most likely don't need to grant domain admin rights to the service account either.

So create a new service account, find in Vcenter where the service account credentials are configured and change them to the new dedicated vcenter service account.
LVL 11

Expert Comment

ID: 40477106
As per David Johnson's comment. Go to services (start>>run>> type services.msc and press OK
From there sort services by logon account, and look for a VMWare service with your credentials on it.
When located, change it to network or system logon, depending on what the recommendation is from VMWare tech articles (Heck, could even be a domain service account in some scenarios I guess).

Author Comment

ID: 40477779
well i have check on the services,task scheduler,mapped shared drive and nothing runs under my account in VCenter server..

I have manage to narrow down the issue...
from the vSphere Client event logs, I'm able to see error "cannot login" for my ID @ IP address of bsm server (blade server matrix)

I have tried delete my profile from the bsm server, change my password from the bsm server, checked if there is any service running on my account... however issue still persists

Still I'm suspecting it could be due to one of the vm guests server under this blade.. but there are 12 esx server and more than 100 guests running on this bsm...:(

Type: error   User: xxx

event        12/3/2014 11:21:30 AM,        Cannot login xxxx@10.x.x.x.


A user attempted to log in with an unknown or invalid username

Possible causes:

Cause: The username is unknown to the system

    Action: Use a username that is included in the system user directory

    Action: On Linux, verify that the user directory is correctly configured

    Action: If you are using Active Directory, check the health of the domain controller

Cause: The user provided an invalid password

    Action: Supply the correct password

I'm seeing following error as well...not sure if this is related (this is under system logs vpxd profiler)

--> /ActivationStats/Task/Actv='vim.VirtualMachine.shutdownGuest'/OpMoLockStats/LockId='vim.HostSystem'/Mode='SHARE'/DBExec/TotalTime/total 0
--> /ActivationStats/Task/Actv='vim.VirtualMachine.shutdownGuest'/OpMoLockStats/LockId='vim.HostSystem'/Mode='SHARE'/Locked/TotalTime/max 1
--> /ActivationStats/Task/Actv='vim.VirtualMachine.shutdownGuest'/OpMoLockStats/LockId='vim.HostSystem'/Mode='SHARE'/Locked/TotalTime/mean 0
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40480650
If it were coming from one of the guest VMs then the log would show the IP address of that guest VM and not the IP of the bsm itself.

Accepted Solution

gihrnm earned 0 total points
ID: 40499448
well it was from one of the guest VMs..somehow i have accidentally saved my password during proxy authentication..the esx sits under this bsm..

from the server -> Control Panel\All Control Panel Items\Credential Manager   - deleted windows credentials

Author Closing Comment

ID: 40508799
well this solved my issue:)

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
A procedure for exporting installed hotfix details of remote computers using powershell
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question