AD accounts not getting locked out properly ID 4771

    Question

  • Hi,

    We have AD 2008, Client Windows Server 2012,

    One of the users has a scheduled task running with his own credentials. When his password expired he changed the password, but he didn't apply the new password to the scheduled task, which ends up with "Kerberos pre-authentication failed" alerts. The count of this event is more than the account lockout threshold. My question is, why didn't it lock the account?

    Detailed log message is as below

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4771</EventID><Version>0</Version><Level>Information</Level><Task>Kerberos Authentication Service</Task><Opcode>Info</Opcode><Keywords>Audit Failure</Keywords><TimeCreated SystemTime='2014-06-22T12:01:18.808240300Z'/><EventRecordID>28283541</EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='3484'/><Channel>Security</Channel><Computer>xx.xx.local</Computer><Security/></System><EventData>Kerberos pre-authentication failed.

    Account Information:
        Security ID:        xxxxxxxx\xx.xx
        Account Name:        xx.xx

    Service Information:
        Service Name:        krbtgt/xx

    Network Information:
        Client Address:        ::ffff:xx.xx.xx.xx
        Client Port:        50081

    Additional Information:
        Ticket Options:        0x40810010
        Failure Code:        0x18
        Pre-Authentication Type:    2

    Certificate Information:
        Certificate Issuer Name:        
        Certificate Serial Number:     
        Certificate Thumbprint:        

    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.</EventData></Event>

    Please let me know why this is not locking the account.


    Wednesday, June 25, 2014 6:42 PM
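
To compare the number of 0x18 failures against a lockout threshold, events like the one posted above can be tallied per account and client address within a time window. This is an added example, not part of the original post: it reads only the rendered message layout shown above, and the window length, account names and addresses are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELD = re.compile(r"^[ \t]*(Account Name|Client Address|Failure Code):[ \t]*(\S+)", re.M)

def parse_4771(event_xml):
    """Return (time, account, client, failure_code); None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # sub-seconds dropped
    f = dict(FIELD.findall(root.findtext("e:EventData", default="", namespaces=NS)))
    return when, f.get("Account Name"), f.get("Client Address"), f.get("Failure Code", "").lower()

def peak_failures(events, window_minutes):
    """Most 0x18 (KDC_ERR_PREAUTH_FAILED) events per (account, client) in one window."""
    seen = defaultdict(list)
    for when, account, client, code in filter(None, map(parse_4771, events)):
        if account and code == "0x18":  # fields may be absent in damaged events
            seen[(account, client)].append(when)
    window, peaks = timedelta(minutes=window_minutes), {}
    for key, stamps in seen.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peaks[key] = max(peaks.get(key, 0), end - start + 1)
    return peaks

def sample_event(stamp, account, client, code="0x18", event_id=4771):
    """Constructed event in the same layout as the one posted above."""
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{stamp}.808240300Z'/></System><EventData>"
            f"Kerberos pre-authentication failed.\n\nAccount Information:\n\tAccount Name:\t\t{account}\n\n"
            f"Network Information:\n\tClient Address:\t\t{client}\n\n"
            f"Additional Information:\n\tFailure Code:\t\t{code}\n</EventData></Event>")

# Constructed data: account names and addresses are placeholders, not from the post.
SAMPLE = [sample_event(f"2014-06-22T12:0{m}:18", "task.user", "::ffff:192.0.2.10")
          for m in range(1, 7)]
SAMPLE.append(sample_event("2014-06-22T13:30:00", "task.user", "::ffff:192.0.2.10"))
SAMPLE.append(sample_event("2014-06-22T12:02:00", "other.user", "::ffff:192.0.2.20", code="0x12"))

if __name__ == "__main__":
    print(peak_failures(SAMPLE, window_minutes=30))
```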

Answers

All replies