Account lockout on new XenApp 7.6 farm - Kerberos??

We have a XenApp 6.0 farm (40 XenApp servers from PVS) which gives a published server desktop to about 700 users who use thin client devices locally to connect.  Users on this are fine.

I have a new XenApp 7.6 farm (I made a copy of the PVS vDisk then upgraded XenApp), and I've moved three guinea pig users over to it permanently.  Two of the three test users report no problems, but one user's account keeps locking out - about 5 times a day.

Microsoft's Account Lockout Status gives a bit of info, but not much.

Enabling Kerberos logging (LogLevel=1 in the Registry) gives loads of Kerberos errors on everything - Delivery Controllers, XenApp 7.6 VDAs, Domain Controllers.  Here are some examples...


(1)

The XenApp server is showing loads of these errors, every 5 minutes or less...

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          03/11/2015 09:45:30
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xen40.domain.local
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 9:45:30.0000 11/3/2015 Z
 Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: HTTP/autodiscover.domain.local
 Target Name: HTTP/autodiscover.domain.local@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: f0a
 Error Data is in record data.


(2)


Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          03/11/2015 06:37:58
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xen40.domain.local
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 6:37:58.0000 11/3/2015 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: xen40$@DOMAIN.LOCAL
 Target Name: xen40$@DOMAIN.LOCAL@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: f0a
 Error Data is in record data.


(3)

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          04/11/2015 11:20:34
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xen39.domain.local
Description:
A Kerberos Error Message was received:
 on logon session DOMAIN.LOCAL\xen39$
 Client Time:
 Server Time: 11:20:33.0000 11/4/2015 Z
 Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
 Extended Error:
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: krbtgt/DOMAIN.LOCAL
 Target Name: krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
 Error Text:
 File: e
 Line: a05
 Error Data is in record data.



The problem user is different from the other two in that she comes in from a remote site over broadband via NetScaler - the other two using thin clients locally.  But this may be a red herring, because we have dozens of users coming in over NetScaler to the XenApp 6.0 desktop and they are fine.

Any possible explanation for either the lockouts, the Kerberos errors, or both?

Thanks.
meirionwyllt (Senior Desktop Engineer) asked:
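Before turning on Kerberos logging, the check most practitioners run for a lockout is to pull the 4740 events from the PDC emulator (every lockout is forwarded there, and the event names the caller computer) and the 4771 Kerberos pre-authentication failures from each domain controller, whose IpAddress field gives the host that actually presented the bad password. The PowerShell below is an added example, not code from the original post; 'jsmith' is a placeholder account name, and it assumes the RSAT ActiveDirectory module, read access to the domain controllers' Security logs, and that the "Audit User Account Management" and "Audit Kerberos Authentication Service" subcategories are enabled on the DCs.

```powershell
# Added example: trace where an account's bad passwords originate.
# 'jsmith' is a placeholder sAMAccountName, not from the original post.
Import-Module ActiveDirectory

$User  = 'jsmith'
$Since = (Get-Date).AddDays(-1)
$Pdc   = (Get-ADDomain).PDCEmulator                 # lockouts are always forwarded here
$Dcs   = (Get-ADDomainController -Filter *).HostName

# Turn an event's <EventData> into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 1. Event 4740 on the PDC emulator: which computer reported the lockout.
#    In the 4740 event XML the caller computer name is carried in the field named TargetDomainName.
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($d.TargetUserName -eq $User) {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d.TargetUserName
            CallerComputer = $d.TargetDomainName
        }
    }
}
$lockouts | Sort-Object Time | Format-Table -AutoSize

# 2. Event 4771 (Kerberos pre-authentication failed) on every DC.
#    Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password. IpAddress is the host that
#    sent it, which separates "her own XenApp session" from "a stale client somewhere else".
$badPw = foreach ($dc in $Dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -eq $User -and $d.Status -eq '0x18') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                Client  = ($d.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                Service = $d.ServiceName
            }
        }
    }
}
$badPw | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the failing path uses NTLM rather than Kerberos (an Outlook or NetScaler hop that falls back, for instance), the failures appear on the DC as 4776 events with Status 0xC000006A and the source host in the Workstation field; the same hashtable parsing applies, only the event ID and field names change.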

Will Szymkowski (Senior Solution Architect) commented:
I do not think this has anything to do with the location of logon. However it is likely something directly on the machine, as it has stated it is being locked out on your Xenapp Server.

Because you already know the computer you are 90% there. What does the user open on this machine? Is there a service, task, software that might have cached her creds somehow? Have you tried to get the user to login locally on this machine and see if this issue continues?

Will.
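Will's question about a service, task or program replaying stored credentials is the standard local check. As an added example (not from the thread), the PowerShell below, run on the XenApp VDA, inventories the usual places a password can be stored on a server; 'jsmith' is a placeholder account name. Services and scheduled tasks show up regardless of who runs the script, but Credential Manager entries are per user, so the cmdkey part has to run inside the affected user's own session.

```powershell
# Added example: find anything on this server that could replay a user's stored password.
# 'jsmith' is a placeholder sAMAccountName, not from the original post.
$Sam = 'jsmith'

# 1. Services whose logon account is the user (Local System / Network Service / Local Service
#    do not match, which is the state the original poster describes for his PVS image).
Write-Host "== Services running as $Sam =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -like "*\$Sam" } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

# 2. Scheduled tasks whose principal is the user. LogonType 'Password' means the task
#    stores the password and will keep presenting the old one after a change.
Write-Host "== Scheduled tasks running as $Sam =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Sam" } |
    Select-Object TaskName, TaskPath,
        @{ Name = 'RunAs';     Expression = { $_.Principal.UserId } },
        @{ Name = 'LogonType'; Expression = { $_.Principal.LogonType } } |
    Format-Table -AutoSize

# 3. Credential Manager entries and persistent drive mappings in the *current* session.
#    Run this part while logged on as the user; each line is a candidate stale credential.
Write-Host "== Credential Manager entries (current user) =="
cmdkey /list

Write-Host "== Mapped drives with saved connections (current user) =="
Get-CimInstance Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, Persistent |
    Format-Table -AutoSize
```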
meirionwyllt (Senior Desktop Engineer, author) commented:
Hello Will,

There shouldn't be any cached credentials, because I have enabled the Group Policy setting "Network Access: Do not allow storage of passwords and credentials for network authentication".  Do you know of anywhere else I might need to switch off to prevent caching of credentials?

All the services on the XenApp servers (on the PVS image) are set to run under either Local System, Network Service or Local Service.  There won't be any cached credentials inside the user profile, because I have deleted the profile fully in order to try to fix the problem, but it didn't.

I have now had to increase the Account Lockout Threshold to 12, which is not ideal.

Thing is, I'm not actually sure which computer it is locking out on, because although they are logged into the XenApp server, it's only when connecting to services on other machines (e.g. email, network shares) that the Windows Security prompt comes up.  So I'm none the wiser whether it's coming from where her desktop is, or whether it happens when she connects to a network resource, e.g. she always has Outlook 2010 open.

Looking at Account Lockout Status, most lockouts seem to derive from one particular domain controller, but not the one that the XenApp Server itself authenticates with.  This domain controller isn't the PDC either.

I've asked the user what exactly she's doing when this happens, and she says it's never any one particular thing, it can happen at any time.

Thanks.
Will Szymkowski (Senior Solution Architect) commented:
If you do not think it is anything specific with the XenApp Server in question, I would recommend downloading Active Directory Auditor by Lepide Software, which will give you a lot more insight on what is happening to the account.

Active Directory Auditor by Lepide Software
http://www.lepide.com/lepideauditor/active-directory-auditing.html

Will.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I second using Lepide.  In my environment, issues such as this were caused by mobile devices (mostly iPads and iPhones) on which the users did not change their password after they changed it on the PC.
meirionwyllt (Senior Desktop Engineer, author) commented:
Thanks for the recommendation.  I have now installed the trial, but I have no idea how to use it.  Could you explain how I would use this to help this problem?

Thanks.
meirionwyllt (Senior Desktop Engineer, author) commented:
Aha yes - we've come across the issue with mobile devices locking out user accounts before too, but this user doesn't have such a device, unfortunately.
meirionwyllt (Senior Desktop Engineer, author) commented:
In the end I just stumbled on the answer by mistake.  The problems were due to a setting in the XenApp servers' workstation accounts in AD.  In the Delegation tab, all mine were set to 'Trust this computer for delegation to any service (Kerberos)', because I read somewhere years ago (with XenApp 6.0) that this was advised.  But this setting gave me all sorts of account locking problems under XenApp 7.6.  And moving this to 'Do not trust this computer for delegation' fixed this.  I don't know enough about Kerberos to know exactly the effect of doing this on the system as a whole, but doing this doesn't seem to have broken anything anyway.
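The setting the author changed is unconstrained Kerberos delegation (the TRUSTED_FOR_DELEGATION bit in the computer account's userAccountControl). A server with that bit set receives forwardable TGTs from every user who authenticates to it and can use them against any service in the forest, so beyond the lockouts it is a well-known privilege-escalation risk, and removing it is the right default for a session host. The 0xd KDC_ERR_BADOPTION error with extended error 0xc00000bb in example (2) is the KDC refusing a ticket option the account is not allowed to use and is commonly associated with delegation (S4U) failures. As an added example, not code from the thread, the PowerShell below reports the delegation type of every XenApp computer account, reverts any that are unconstrained, and shows the constrained alternative for the case where a published application genuinely needs to hop to a back-end service as the user. It assumes the RSAT ActiveDirectory module; the 'xen*' name pattern follows the post's server names, and the SPN in the final comment is a placeholder.

```powershell
# Added example: audit and fix Kerberos delegation on XenApp computer accounts.
# Assumes the ActiveDirectory RSAT module and rights to modify the computer objects.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained ("any service")
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition ("any protocol")

# Classify a computer account's delegation configuration from its AD attributes.
function Get-DelegationType {
    param([Microsoft.ActiveDirectory.Management.ADComputer]$Computer)
    $uac     = [int]$Computer.userAccountControl
    $targets = $Computer.'msDS-AllowedToDelegateTo'
    if ($uac -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($targets -and $targets.Count -gt 0) {
        if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained (any protocol)' }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# 'xen*' follows the naming in the post; adjust to your own session hosts.
$computers = Get-ADComputer -Filter 'Name -like "xen*"' `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo', TrustedForDelegation

$report = foreach ($c in $computers) {
    [pscustomobject]@{
        Name       = $c.Name
        Delegation = Get-DelegationType $c
        Targets    = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    }
}
$report | Sort-Object Delegation, Name | Format-Table -AutoSize

# Revert every unconstrained server to "Do not trust this computer for delegation",
# which is what the original poster did. -WhatIf previews the change; remove it to apply.
$computers |
    Where-Object { (Get-DelegationType $_) -eq 'Unconstrained' } |
    Set-ADComputer -TrustedForDelegation $false -WhatIf

# If a published application on these hosts really must reach a back-end service as the
# user (the classic double hop), grant constrained delegation to that one SPN instead of
# re-enabling "any service". Placeholder SPN, not from the post:
# Set-ADComputer -Identity xen40 -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.domain.local:1433' }
```

After the change, the servers' existing service tickets are unaffected; only new TGS requests that rely on forwarded credentials stop working, so anything that breaks afterwards is exactly the set of applications that were depending on delegation and is the list to convert to constrained delegation.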

meirionwyllt (Senior Desktop Engineer, author) commented:
Answered myself