none
Multiple accounts getting locked out.

    Question

  • Hi,

    We are running Active Directory 2008 R2 in a mixed domain because we still have 1 2003 DC.
    Several of our AD accounts constantly get locked out, especially mine which gets locked out about 2-3 times a day.
    I've used the altools and from the DC's security logs i have traced it down to my laptop. I've checked all the usuals on my laptop, network drives, scheduled tasks, services, scripts etc. Please dont suggest the obvious.
    Ive enabled kerberos client logging on my PC but the system event logs dont tell me much, just these:

    A Kerberos Error Message was received:

    on logon session

    Client Time:

    Server Time: 5:14:18.0000 7/16/2013 Z

    Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP

    I've followed this article to enable NETLOGON logs on the domain controller.

    http://msviennatechnoblog.wordpress.com/2011/12/05/ad-enable-netlogon-debug-logging/

    in the netlogon logs, i get these entries which is about the same time my acct gets locked out

    07/16 14:12:50 [LOGON] DOMAIN: SamLogon: Transitive Network logon of domain\user from mylaptop (via domain controller) Entered
    07/16 14:12:50 [LOGON] DOMAIN: SamLogon: Transitive Network logon of domain\user from mylaptop (via domain controller) Returns 0xC000006A

    I've tried usiing netmon and process explorer to see what process on my laptop is trying to authenticate but its a bit hard to trace.

    Does anybody have any experience in tracing this kind of issue.

    For all the other users affected i have traced it down to their desktop/laptops but what im looking for is what its trying to do to when it gets locked out.

    Something also wierd about this is our DBA had this issue today and his password hasnt change in 4 years!!! And he said he wasnt even trying to authenticate when this happened and i believe him.

    I know in Windows XP there used to be a tool called alockout.dll but i dont think this works with Win7. Does anybody know if this tool works with Win7 64bit?

    any help or suggestions appreciated.

    Tuesday, July 16, 2013 5:47 AM

All replies

  •  I've checked all the usuals on my laptop, network drives, scheduled tasks, services, scripts etc. Please dont suggest the obvious.

    Would you please list down "all" the obvious things which you had already tried ? this would help community members to suggest something else or suggest new things.

    Regards, Santosh | MVP

    I do not represent the organisation I work for, all the opinions expressed here, are my own.

    This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Blog | Wiki

    Tuesday, July 16, 2013 6:41 AM
    Moderator
  • Hi Santosh,

    some of the obvious things ive looked at are:

    network drives, scheduled tasks, services, network drives in registry HKCU, start up scripts, saved passwords in IE, saved credentials in user accounts control panel (i've cleared these), cleared saved password in Citrix receiver client, checked that i dont have disconnected Terminal server sessions.
    Ive also ran tests on our AD replication and all fine, my account isnt tied to any services on any remote computers.

    Tuesday, July 16, 2013 6:58 AM
  • Thanks for the details.

    To start with,

    I hope, AV and Patches are up to date on the machines. If not, this is a high time now to update them.

    Do you have any printers mapped on the affected user machines ? If yes, did you try deleting them ?

    Also, try re-creating User profile on sampling basis.




    Regards, Santosh | MVP

    I do not represent the organisation I work for, all the opinions expressed here, are my own.

    This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Blog | Wiki

    Tuesday, July 16, 2013 8:42 AM
    Moderator
  • The 'etype' error message makes me suspect this is related to your mixed mode domain, try enabling Netlogon debug logging on all DC's and check if it's only the W2k3 or W2K8 R2 DC's that generate the inital lockout. A possible scenario is if an etype has been used in the encryption of the users password that a W2k3 DC doesn't support (or vice versa).
    Wednesday, July 24, 2013 2:05 PM
  • antivirus and patches are up to date.

    i could recreate my windows profile and reimage my PC and it will probably fix the issue but i'd rather find the root cause of this issue as its happening intermittently everywhere.

    Ingolfur, thats an interesting point about the mixed domain. I have enabled netlogon debug mode on the W2K8 DC's but not on the W2K3 DC. Also the initial lockouts come from the w2k8 DC's and not usually from the w2k3 DC. Whats strange is that the bad password goes over the WAN to remote site DC's that im not working on as well. Ill enable logging on the w2k3 DC and see if that gives me any clues.

    But those logs only seem to tell me the codes for bad username and password and what PC is failing the authentication.  I need to somehow trouble shoot it from the PC's and look at what is causing it to authenticate. I suspect it could be some residual affects of the conficker virus as i have learned that we used to be infected with this 3 years ago before my time. But i have scanned my PC and used the Microsoft articles and tools to detect if im infected and it comes up clean.

    Wednesday, July 24, 2013 11:03 PM
  • Hi,

    a few useful blog posts on AskDS, the first may help you with diagnostic approach:

    http://blogs.technet.com/b/askds/archive/2012/07/27/kerberos-errors-in-network-captures.aspx

    {specifically, this section:

    KDC_ERR_ETYPE_NOTSUPP    
       
    Here, the client has requested a ticket from the domain controller with a specific algorithm of which the domain controller does not have a hash. In the request, the client will list all the algorithms it supports. The domain controller will pick the highest one that it supports and returns the ticket encrypted with that algorithm. If there are no matches, the domain controller returns KDC_ERR_ETYPE_NOTSUPP.

    One common cause of this is older devices that are requesting DES encrypted tickets. By default, DES encryption is disabled in Windows 7 and Windows Server 2008 R2. Ideally, you should update those devices or Kerberos clients to support the newer encryption algorithms. If they cannot be upgraded or replaced, then you can enable DES through group policy. For a good way to find these devices, I recommend reading Hunting down DES in order to securely deploy Kerberos by Ned Pyle.

    Another common cause of this is when a device requests an AES encrypted tickets before you raise the functional level of the domain to 2008 or higher. This does not typically occur on Windows clients as they request the legacy algorithms in addition to AES. This scenario is more likely to occur on Unix/Linux systems where an administrator specifies a single algorithm in the krb5.conf file. In this case, raise the functional level of the domain or configure the client to utilize another algorithm, like RC4-HMAC.

    If the client is requesting an algorithm that the domain controller should support, but is still returning the error, try resetting the password on the account and wait for replication to converge. Resetting the password regenerates the hashes stored in the directory.

    Note: Domain controllers do not store the password of the user. Instead, they store various hashes of the password using various algorithms.      }

    http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

    http://blogs.technet.com/b/askds/archive/2008/05/14/troubleshooting-kerberos-authentication-problems-name-resolution-issues.aspx

    http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx

     


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Wednesday, July 24, 2013 11:51 PM clarity
    Wednesday, July 24, 2013 11:47 PM