Sign in
 
HomeWindows 8Windows 7Windows VistaWindows XPMDOPWindows IntuneLibraryForums
Windows Client >
Security-kerberos Event ID 14 . credential manager causes system to login to network with invalid password and lock the account.

Answered Security-kerberos Event ID 14 . credential manager causes system to login to network with invalid password and lock the account.

  • Saturday, October 23, 2010 2:59 PM
     
     
    Sign In to Vote
    0

    Hi ,

    I am running windows 7 professional 64 bit on a quadcore xeon machine.

    My company IT policy requires that we change our account passwords every 2 months. After the last password change , my computer is locking me out of the network by trying to login with an invalid password stored somewhere in the credential manager. I have tried clearing the credential manager many times , no use. we checked all my machines, virtual machines, network drives, printers, none of them seem to solve the problem.

    Our IT specialist has checked our machines multiple times and found nothing.

    so far we know of two machines with the same configuration causing this problem. The only way to avoid being locked out is to turn off my machine at night.  The login attempts occur at 5:00 am in the morning every day .

    The event viewer reports the following event .

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          10/22/2010 5:00:31 AM
    Event ID:      14
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      computername.network.com
    Description:
    The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential Email removed for privacy.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">14</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-10-22T10:00:31.000000000Z" />
        <EventRecordID>1150222</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>computername.network.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Username">username@network</Data>
        <Binary>6A0000C0</Binary>
      </EventData>
    </Event>

     

    This event was soon followed by this event.

    Log Name:      System
    Source:        LsaSrv
    Date:          10/22/2010 5:00:32 AM
    Event ID:      40960
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          SYSTEM
    Computer:      computername.network.com
    Description:
    The Security System detected an authentication error for the server cifs/storage.network.com. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
     (0xc0000234)".
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
        <EventID>40960</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-10-22T10:00:32.192035600Z" />
        <EventRecordID>1150223</EventRecordID>
        <Correlation />
        <Execution ProcessID="544" ThreadID="5464" />
        <Channel>System</Channel>
        <Computer>computername.network.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Target">cifs/storage.network.com</Data>
        <Data Name="Protocol">Kerberos</Data>
        <Data Name="Error">"The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
     (0xc0000234)"</Data>
      </EventData>
    </Event>

     

    We are at wits end. we cannot re-image our machine, as it will take many days to get all our tools reinstalled and configured.

    We tried everything on the forums about this issue. and still nothing.This feels like a win 7 bug.

    If anyone can help up solve this issue , it will be greatly appreciated.

    Thanks

    Victor Selvaraj

     

All Replies

  • Thursday, October 28, 2010 11:08 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

     

    I found this sentence “The login attempts occur at 5:00 am in the morning every day.”  This is strange.

     

    Which operation would affect account at that time? How about other accounts?

     

    In addition, you could use the account lockout tools to troubleshoot this problem, please refer to:

     

    Account Lockout Tools

     

    Regards,

    Alex Zhao

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
     
  • Thursday, October 28, 2010 3:42 PM
     
     
    Sign In to Vote
    0

    Hi Alex,

    Since last week, the lockout has been happening at random times. Its not consistent anymore.

    Another Engineer in my team is also having the same Issue . We have exhausted almost all the places we could look for possible tasks or processes. But we could find nothing.

    My computer continues to lock me out .unless I power it down every night.

    Any help with this is greatly appreciated.

    Victor

     

    Victor Selvaraj
     
  • Friday, January 14, 2011 2:57 PM
     
     
    Sign In to Vote
    0

    I've run into the same problem.  It tends to happen overnight if I leave my computer on but it's not consistently at the same time and will happen during the day as well.  My credential manager is completely empty, no services or tasks are running under my user id.  This all started after I changed my active directory password last month. 

    Any chance anyone has discovered a solution for this? I'm having no luck with searching.

     
  • Friday, January 21, 2011 9:36 PM
     
     Answered
    Sign In to Vote
    6

    Microsoft Support found the problem for us.  Our domain accounts were locking when a Windows 7 computer was started.  The Windows 7 computer had a hidden old password from that domain account.

    There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .

    From a command prompt run:    psexec -i -s -d cmd.exe

    From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr

    Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.

     

     
  • Tuesday, May 10, 2011 8:12 PM
     
     
    Sign In to Vote
    0

    This worked for us!  Almost four months of struggling with this.  Thank you so much!!

     
  • Thursday, September 08, 2011 7:55 PM
     
     
    Sign In to Vote
    0

    I have the same problem. I tried the suggested solution, however there were no stored passwords.

    Any other ideas?

     
  • Tuesday, September 13, 2011 7:30 PM
     
     
    Sign In to Vote
    0
    I used the same approach, but still doing the lockout.

     

    Microsoft Support found the problem for us.  Our domain accounts were locking when a Windows 7 computer was started.  The Windows 7 computer had a hidden old password from that domain account.

    There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .

    From a command prompt run:    psexec -i -s -d cmd.exe

    From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr

    Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.

     


     
  • Tuesday, January 24, 2012 6:02 PM
     
     
    Sign In to Vote
    0
    This solved my problem too!  But be carefull about deleting ANY stored credentials.  It is normal for scheduled tasks to store credentials in the context of the system account.    I found one entry that needed to be deleted, for a file server that was used by some of my scheduled tasks.  It seems that entry was being used for any access to the file server by tasks that ran under system account....causing the task to fail and the account in the stored credential to be locked.  Deleting the superflous credential entry (but not the stored credentials for other scheduled tasks) solved the problem!
     
  • Thursday, April 26, 2012 7:15 AM
     
     
    Sign In to Vote
    0

    Hi,

    unfortunately, we got the same issue on some machines. On an affected client there are no stored information. The domain user accounts are locked 5 - 6 times a day. Any (other) ideas?

    Greetings


    • Edited by untalentiert Thursday, April 26, 2012 7:39 AM
    •  
     
  • Monday, September 03, 2012 11:08 AM
     
     
    Sign In to Vote
    0

    Yes, it works. I've tried to solve this issue for a year and a half. I'm so glad :)

    But what's the reason? Why credentials become hidden and of course wrong?

     
  • Thursday, September 13, 2012 11:41 AM
     
     
    Sign In to Vote
    0

    Allright. Just what i needed. I was troubleshooting this for two days now.

    First run from the command line rundll32 keymgr.dll,KRShowKeyMgr and remove any passwords that you might suspect would cause the problems from the USERS storage.

    Restart the computer.

    In case this didn't help proceed with

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .
    From a command prompt run:    psexec -i -s -d cmd.exe
    From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

    Restart the computer.

    For everyone that may try this. The psexec command line is important. You have to run it before the kymgr.dll command line so that you access the storage under SYSTEM context.

    Thanks for the help, this realy helped.

    BR.

     
  • Sunday, September 23, 2012 5:41 AM
     
     
    Sign In to Vote
    0

    I have this same problem, only there are a multiple computers with the embeded credential. Remoting into each to apply the solution will be extremely time consuming.

    Is there a way to script this and run it remotely against the list of computers?

    Thank you.

    JP

     
  • Monday, December 03, 2012 3:52 PM
     
     
    Sign In to Vote
    0

    Microsoft Support found the problem for us.  Our domain accounts were locking when a Windows 7 computer was started.  The Windows 7 computer had a hidden old password from that domain account.

    There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .

    From a command prompt run:    psexec -i -s -d cmd.exe

    From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr

    Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.

     

    This was the solution for me too. Apparently, I had logged into file server from user's laptop and of course, our network passwords had changed. Each day, my own account would become locked out and with the help of our System Engineers, I was able to track down which user's laptop this was happening from.
     
  • Tuesday, December 04, 2012 7:16 AM
     
     
    Sign In to Vote
    0

    This was the solution for me too. Apparently, I had logged into file server from user's laptop and of course, our network passwords had changed. Each day, my own account would become locked out and with the help of our System Engineers, I was able to track down which user's laptop this was happening from.


    Have you found the reason? I mean why computers can't recieve a new password from the AD server. Is it a Kerberos issue or something like that?
     
  • Thursday, February 14, 2013 7:22 PM
     
     
    Sign In to Vote
    0

    Many thanks for a perfect solution to a problem that had me baffled for over a month.  I'm quite perplexed why authentication to a resource would have been cached and made so difficult to remove.

    Also critical to the resolution is to inspect your AD server's Security event log for ID 644 which will list the offending computer or ID 675 which will list the IP address.  In my case, the problem was not just my computer but a few others that had my cached credentials.

    Again, many thanks!