Can't unlock locked screen

  • Question

  • Hello,

    I work in an environment where there is a federal W2K3 domain which contains all of our organisation's 16,000 user accounts, and I then have a W2K8r2 child domain of the above forest which contains all of my department's workstations. Of the workstations there are about 450 XP machines and 50 Windows 7 machines. The Windows 7 workstations all have a group policy setting "Assign a default domain for logon" and this is set to be the short name of the W2K3 domain. I also have a group policy which targets Windows 7 machines in the W2K8r2 domain and sets "Configure encryption types allowed for Kerberos" to only use DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5 - this was done because the domain admin of the federal W2K3 domain was receiving a lot of Kerberos errors.

    The problem I have is with the Windows 7 machines. This is an intermittent problem that I have been having for the past 6 months or so and it has taken me this long to narrow down what is causing it. The scenario is as follows:

    A user is logged into the Windows 7 machine using their federal ID in the form <short domain name>\<username> and the screen is locked - the screen would have been locked either by the "On Resume, display logon screen" setting in the screensaver tab (the selected screensaver doesn't seem to matter) or by switching user. I have not seen the fault if the user locks the screen using ctrl-alt-del, "Lock this computer". 

    The problem occurs occasionally when the user tries to unlock the screen either by being sat at the console, or by using a remote desktop connection. Depending on the situation that the user is trying to unlock from (console / RDC) they may have to click on the icon of the logged on user and enter their password or they may have to type their username and password. The user then receives an error saying their password is incorrect, and then, depending on the way they are trying to connect and the number of other logged in users etc, the screen shows that the current user is <Fully qualified W2K3 domain name>\<Username> and the user is prompted for their password again.

    At this point the machine is in a state where nobody (pre-logged in or new user) using a W2K3 domain username and password can log into the machine - the only thing we have found we can do is to login with a local account and reboot the machine.

    Once the machine reboots the following events can be seen in the local security log:

    Microsoft Windows Security Auditing EventID 4800

    The workstation was locked.

     Security ID:  CLRC\mw76
     Account Name:  mw76
     Account Domain:  CLRC
     Logon ID:  0x8f8cf
     Session ID: 1

    and then when the user is trying to unlock the screen:

    Microsoft Windows Security Auditing EventID 4625

    An account failed to log on.

     Security ID:  SYSTEM
     Account Name:  TE2CORSAIR$
     Account Domain:  RES01
     Logon ID:  0x3e7

    Logon Type:   7

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  mw76
     Account Domain:  CLRC

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a

    Process Information:
     Caller Process ID: 0x1e8
     Caller Process Name: C:\Windows\System32\winlogon.exe

    Network Information:
     Workstation Name: TE2CORSAIR
     Source Network Address:
     Source Port:  0

    Detailed Authentication Information:
     Logon Process:  User32
     Authentication Package: Negotiate
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Any help would be much appreciated - I'm the first to admit that I have no idea what to do next!



    Thursday, February 18, 2010 9:57 AM
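An added diagnostic for the configuration and event described in this post (not code from the thread): it decodes the bitmask that the "Configure encryption types allowed for Kerberos" policy writes and lists recent Logon Type 7 (unlock) failures from the Security log. It assumes the policy is stored in the SupportedEncryptionTypes value under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters and is run from an elevated PowerShell prompt on the affected Windows 7 workstation.

```powershell
# Added example, not code from the thread. Reads the workstation's effective
# Kerberos encryption-type policy and lists recent 4625 failures with Logon Type 7
# (unlock), so the symptom described above can be correlated with the policy.

# Bit layout of the SupportedEncryptionTypes DWORD written by the policy
# "Network security: Configure encryption types allowed for Kerberos".
$EncTypeBits = @(
    @(0x01, 'DES_CBC_CRC'),
    @(0x02, 'DES_CBC_MD5'),
    @(0x04, 'RC4_HMAC_MD5'),
    @(0x08, 'AES128_HMAC_SHA1'),
    @(0x10, 'AES256_HMAC_SHA1')
)

function Get-KerberosEncTypePolicy {
    # Assumed location: the registry value this Group Policy setting populates.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'SupportedEncryptionTypes not set: OS defaults apply' }
    $mask  = [int64]$item.SupportedEncryptionTypes
    $names = @()
    foreach ($bit in $EncTypeBits) { if ($mask -band $bit[0]) { $names += $bit[1] } }
    if (-not ($mask -band 0x18)) { $names += '(no AES type allowed)' }
    '0x{0:X} = {1}' -f $mask, ($names -join ', ')
}

function Get-UnlockFailures([int]$Days = 7) {
    # 4625 = "An account failed to log on"; Logon Type 7 = unlock of a locked workstation.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '7') {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Status    = $data['Status']        # 0xC000006D = logon failure
                SubStatus = $data['SubStatus']     # 0xC000006A = bad password, 0xC0000064 = unknown user
                Package   = $data['AuthenticationPackageName']
            }
        }
    }
}

Get-KerberosEncTypePolicy
Get-UnlockFailures | Format-Table Time, Account, Status, SubStatus, Package -AutoSize
```

A mask of 0x7 (DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5) matches the policy described in the question. Repeated Logon Type 7 entries with Sub Status 0xC000006A for an account whose password is known to be correct are the pattern to correlate with that policy rather than treat as a user typo.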

All replies

  • A quick update to give details of a specific occurrence of this that happened...

    - The last action a user took on Friday evening (before going home) was to reboot their Windows 7 PC in their office.

    - On Saturday they created a VPN connection into our network and they used Remote Desktop Connection to log into their PC using their domain account.

    - When they had finished working they disconnected their Remote Desktop Connection to their PC (leaving their session running).

    - On Sunday they created a VPN connection to our network and tried to use Remote Desktop Connection to re-connect to their PC using their domain account; their credentials were passed through from their client to the PC and were refused.

    - The screen then displayed the familiar unlock screen with the fully qualified domain name prefixing the user's account name.

    At this point all the user can do is log in with a local account and reboot the PC.

    Wednesday, February 24, 2010 10:47 AM

  • I am experiencing the exact same issue; any suggestions?

    Tuesday, April 6, 2010 3:18 AM

  • Hi!

    Same troubles:

    - W2K3 Domain Controller
    - A few Windows 7 clients with "Configure encryption types allowed for Kerberos" set to only use DES_CBC_CRC, DES_CBC_MD5 (required for a web application that uses the SPNEGO (http://spnego.sourceforge.net/) Kerberos implementation for SSO...)

    Users sometimes can't log on to their machine... If it is locked, the user needs to unplug his network cable to be able to unlock it...

    Help!

    Thursday, June 17, 2010 3:19 PM
  • Hi,

    I'm facing the exact same problem. Can't log back in to Win7 after the desktop is locked. Getting "User name or password is incorrect". Every day and every time I have to unlock the desktop, I have to disconnect the network cable.

    If you have resolved your issue, PLEASE POST YOUR SOLUTION.

    Thank you in advance.

    Monday, January 30, 2012 9:23 PM