CHI-LTD
asked on
Windows account(s) sporadically gets locked
I cannot find why this is occurring, normally a couple of time a year for users with a desktop PC, exchange active sync device and laptop connecting over VPN.
So my users account would lock generally after they have changed their windows password. 9 times out of 10 the password change synchronises and all three devices work fine, however on occasion they don't and the users account locks. Even after a manual enable of account and change of password doesn't resolve issue.
I had the same problem today. The user brought in their laptop and ipad. The ipad synchronised fine with their new password. The laptop didn't. The setup here is that the user would enter the old expired PW (as laptop not on the LAN), connect to the VPN entering latest PW, lock and unlock machine to synchronise the PW.
I managed to replicate the problem today. The laptop locked the account after one attempt of new PW. Unlocking the user account and retrying seems to have resolved it.
I see the following in the PDC event log:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_P ACKAGE_V1_ 0
Logon Account: user
Source Workstation:
Error Code: 0xc000006a
-------------------------- --------
and shed load of these:
Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1960408961-884357 618-839522 115-1683
Account Name: user
Service Information:
Service Name: krbtgt/DOMAIN.LOCAL
Network Information:
Client Address: ::ffff:10.255.255.43 this is the VPN WAN IP
Client Port: 49452
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
I cannot see whats causing this. Ideas?
Thanks
So my users account would lock generally after they have changed their windows password. 9 times out of 10 the password change synchronises and all three devices work fine, however on occasion they don't and the users account locks. Even after a manual enable of account and change of password doesn't resolve issue.
I had the same problem today. The user brought in their laptop and ipad. The ipad synchronised fine with their new password. The laptop didn't. The setup here is that the user would enter the old expired PW (as laptop not on the LAN), connect to the VPN entering latest PW, lock and unlock machine to synchronise the PW.
I managed to replicate the problem today. The laptop locked the account after one attempt of new PW. Unlocking the user account and retrying seems to have resolved it.
I see the following in the PDC event log:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_P
Logon Account: user
Source Workstation:
Error Code: 0xc000006a
--------------------------
and shed load of these:
Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1960408961-884357
Account Name: user
Service Information:
Service Name: krbtgt/DOMAIN.LOCAL
Network Information:
Client Address: ::ffff:10.255.255.43 this is the VPN WAN IP
Client Port: 49452
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
I cannot see whats causing this. Ideas?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry ipad using EAS using Windows password effectively
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i think there is some software using an old password...
So -- I'll assume you mean that the new password works to access their email on the iPad? Where is your email hosted? Is it on-site or Office365?
Jeff
TechSoEasy