Answered: Accounts Locking on Windows 7

  • Tuesday, May 15, 2012 8:57 PM

    Hello,

    We are starting to roll out Win7.  We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals).  The other 3 machines are OK, but we see errors in the domain controller event log for those also.  The event log entry is at the end of the post (I've redacted some items).  Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account.  Any suggestions would be appreciated.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date:  5/15/2012
    Time:  3:05:16 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: (Domain Controller's hostname)

    Description:
    Pre-authentication failed:
      User Name: Redacted
      User ID:  Domain\Redacted
      Service Name: krbtgt/PROGENICS.COM
      Pre-Authentication Type: 0x2
      Failure Code: 0x18
      Client Address: 172.16.18.133

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

All replies

  • Wednesday, May 16, 2012 3:42 AM
    Moderator

    Hi,

    Are you in the Windows Server 2003 domain?

    If so, Windows Vista and later Windows operating systems support the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. However, AES encryption is not supported in Windows Server 2003.

     

    When a Windows 7 client sends a Kerberos authentication request to the DC, it uses AES to protect the authentication message. However, as a Windows Server 2003 DC does not support AES, it logs a 675 event and replies with the encryption types that it supports. The Windows 7 client then uses the highest encryption type that the Domain Controller supports (RC4-HMAC) and is able to supply pre-authentication successfully.

     

    To get rid of the 675 error, you can force the Windows 7 computers to use the previous authentication method. To do so, please create the following registry value on the Windows 7 computers:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    Name: DefaultEncryptionType

    Type: REG_DWORD

    Value: 23 (dec) or 0x17 (hex)

     

    And then, please reboot the computers.

    Regards,

    Sabrina

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

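To make the event record quoted in the question and the encryption-type value in the reply above concrete, here is an added example (not from the original thread and not Microsoft's tooling) that parses event 675 description text in the layout shown in the question, decodes the Failure Code and Pre-Authentication Type fields by their RFC 4120 names, names the Kerberos etype number used for the DefaultEncryptionType registry value (23 / 0x17 is rc4-hmac, 17 and 18 are the AES types), and ranks the client addresses that sent wrong passwords. The caveat a practitioner needs when reading these events: RFC 4120 defines failure code 0x18 as KDC_ERR_PREAUTH_FAILED, a wrong password in the pre-authentication timestamp, whereas an encryption-type mismatch is reported as 0x0E (KDC_ERR_ETYPE_NOSUPP), so the failure code tells you whether a record is a bad-password attempt or an etype negotiation. The sample records, the realm EXAMPLE.COM, the user name jsmith and the second client address are all constructed for the example.

```python
"""Decode Windows Server 2003 security-log event 675 records.

Added example, not from the original thread.  The sample records below are
constructed (realm EXAMPLE.COM, user jsmith) to mirror the event quoted in
the question; the code tables are the RFC 4120 / RFC 3961 / RFC 3962 values.
"""
import re
from collections import Counter

# KDC error codes (RFC 4120 section 7.5.9) as seen in the "Failure Code" field.
KDC_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # no such account
    0x0C: "KDC_ERR_POLICY",               # logon hours / workstation restriction
    0x0E: "KDC_ERR_ETYPE_NOSUPP",         # no encryption type in common
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password in the pre-auth timestamp
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # KDC asks for pre-auth (informational)
    0x25: "KRB_AP_ERR_SKEW",              # clock skew too large
}

# Pre-authentication types (RFC 4120 section 7.5.2).
PA_TYPES = {0x02: "PA-ENC-TIMESTAMP", 0x0B: "PA-ETYPE-INFO",
            0x10: "PA-PK-AS-REQ", 0x13: "PA-ETYPE-INFO2"}

# Kerberos encryption types (RFC 3961/3962; 23 is Microsoft's RC4-HMAC).  The
# DefaultEncryptionType value 23 / 0x17 given in the reply above is rc4-hmac.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

FIELD_RE = re.compile(
    r"^\s*(User Name|User ID|Service Name|Pre-Authentication Type|Failure Code|"
    r"Client Address):\s*(.+?)\s*$", re.MULTILINE)


def enctype_name(value):
    """Name an etype number such as the DefaultEncryptionType registry value."""
    return ENCTYPES.get(int(value), f"unknown({int(value)})")


def parse_event_675(text):
    """Turn the Description text of one event 675 record into a dict."""
    fields = dict(FIELD_RE.findall(text))
    code = int(fields["Failure Code"], 16)            # int() accepts the 0x prefix
    pa_type = int(fields["Pre-Authentication Type"], 16)
    return {
        "user": fields["User Name"],
        "service": fields["Service Name"],
        "client": fields["Client Address"],
        "pa_type": pa_type,
        "pa_type_name": PA_TYPES.get(pa_type, f"unknown(0x{pa_type:x})"),
        "failure_code": code,
        "failure_name": KDC_ERRORS.get(code, f"unknown(0x{code:x})"),
        # Only 0x18 means a wrong password was presented; the other codes are
        # not bad-password attempts, so they do not explain a lockout.
        "bad_password": code == 0x18,
    }


def summarize(events):
    """Count failures per code and rank the (client, user) pairs that sent wrong
    passwords; compare those counts against the domain lockout threshold."""
    by_code = Counter(ev["failure_name"] for ev in events)
    bad_pw = Counter((ev["client"], ev["user"]) for ev in events if ev["bad_password"])
    locked = sorted({(ev["client"], ev["user"]) for ev in events
                     if ev["failure_code"] == 0x12})
    return {"by_code": dict(by_code),
            "bad_password_sources": bad_pw.most_common(),
            "revoked_or_locked": locked}


def _record(user, client, pa_type, code):
    # Constructed sample in the same layout as the event quoted in the question.
    return (f"Pre-authentication failed:\n"
            f"  User Name: {user}\n  User ID:  EXAMPLE\\{user}\n"
            f"  Service Name: krbtgt/EXAMPLE.COM\n"
            f"  Pre-Authentication Type: {pa_type}\n"
            f"  Failure Code: {code}\n  Client Address: {client}\n")


SAMPLE_EVENTS = [  # constructed, not real log data
    _record("jsmith", "172.16.18.133", "0x2", "0x18"),  # wrong password
    _record("jsmith", "172.16.18.133", "0x2", "0x18"),  # wrong password again
    _record("jsmith", "172.16.18.140", "0x2", "0xE"),   # etype mismatch, not a bad password
    _record("jsmith", "172.16.18.133", "0x2", "0x12"),  # account now locked or disabled
]

if __name__ == "__main__":
    result = summarize([parse_event_675(t) for t in SAMPLE_EVENTS])
    for key, val in result.items():
        print(f"{key}: {val}")
    print("DefaultEncryptionType 23 ->", enctype_name(23))
```

To use it on a real domain controller, paste the Description text of each event 675 record into the list in place of the constructed samples; the ranking of bad-password sources then points at the client that is exhausting the user's bad-password count, which is the question the lockout itself leaves open.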


  • Wednesday, May 16, 2012 6:12 PM
      Yes, we are using a Windows 2003 domain.  OK, thanks, will try that.
  • Wednesday, May 16, 2012 6:19 PM

    Hello,

    Another guy in our department had tried that.  He also tried

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Name: LMCompatibilityLevel

    Value: 1

    Neither of these resolved the problem.  Any other suggestions?

    Note that the Forest is still in Windows 2000 mode so we're thinking that could be contributing to the issue.

    Thanks...

  • Friday, May 18, 2012 5:23 AM
    Moderator

    Hi,

    Did you install the following hotfix?

    Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003

    Regards,

    Sabrina


  • Monday, May 21, 2012 9:23 PM
    That hotfix only suppresses the Event Log entry on the domain controller; it does not appear to have anything to do with the domain accounts locking.
  • Wednesday, May 23, 2012 2:44 AM
    Moderator
    Answered

    Please check if the steps in the following article help:

    Troubleshooting Account Lockout

    Also, as this issue is more related with your domain configuration, in order to get the answer effectively, it is recommended to submit a new question in Windows Server Forum.

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    Regards,

    Sabrina


  • Tuesday, May 29, 2012 6:19 PM

    Hi Sabrina,

    We already tried all of the steps in that article.  Also, you mention that this is a domain problem, but this issue only occurs on Windows 7 machines.  None of our XP, Server 2003, or Server 2008 member servers have this issue.  Please provide other suggestions.

    Thanks.