Too many login failure events

    Question

  • Hello Experts,

    The following event details are extracted from SIEM tool:-

    Event Description: - Observed hundreds of login failure events generated from the domain controller for multiple sources to multiple destinations.

    Ask:- What is causing this issue? & How to stop it?

                   

    No. of events in 2.5 minutes is around 7500

    Name:-The domain controller attempted to validate the credentials for an account.

    EventID:- Microsoft-Windows-Security-Auditing:4776

    Message:-The specified user does not exist.

    Reason:-User name does not exist

    categoryOutcome:-  /Failure

    destinationUserName:-  abcd (used for data replication)

    sourceHostName:- Multiple host(all internal)

    OSversion:- Windows Server 2008 R2

    destinationHostName:-Multiple host(all internal)

    status code:- 0xc0000064, 0x0, 0xc0000071, 0xc0000234, 0xc000006a

    deviceHostName:- DomainController

    package Name:- MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Request your valuable inputs.

    Regards,

    Sandeep

    Monday, May 14, 2018 6:29 PM

All replies

  • Hi
      These are possibilities for the lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone, etc.)

    You can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre". Check the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd-party tools: Lepide, Netwrix...

    and you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, May 15, 2018 1:06 PM
  • Hi Burak,

    Appreciate your help.

    Regards

    Sandeepa

    Friday, May 18, 2018 7:14 AM
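
Added example (not part of the original thread): one way to start finding the source of the 4776 failures described in the question is to group the SIEM-exported events by source host and account, then count the status codes per group. The records, host names and the `jdoe` account are constructed samples; the key names `eventId` and `status` are assumptions standing in for the SIEM's own field names, and the status descriptions are the standard NTSTATUS meanings.

```python
from collections import Counter, defaultdict

# Status codes listed in the question, with their standard NTSTATUS meanings.
STATUS = {
    "0x0": "success",
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000071": "password expired",
    "0xc0000234": "account locked out",
}

def _ev(host, user, status, event_id=4776):
    """Build one constructed record shaped like the SIEM fields in the question."""
    return {"eventId": event_id, "sourceHostName": host,
            "destinationUserName": user, "status": status}

# Constructed sample data (hypothetical hosts), not taken from the thread.
SAMPLE_EVENTS = (
    [_ev("APP01", "abcd", "0xC0000064")] * 5
    + [_ev("FS02", "abcd", "0xC000006A")] * 2
    + [_ev("FS02", "abcd", "0xC0000234"),
       _ev("WS17", "jdoe", "0xC0000071"),
       _ev("APP01", "abcd", "0x0"),                  # successful validation
       _ev("APP01", "abcd", "0x0", event_id=4624)]   # different event, ignored
)

def triage(events):
    """Count failure status codes per (source host, account) for event 4776."""
    groups = defaultdict(Counter)
    for ev in events:
        if ev.get("eventId") != 4776:
            continue
        status = str(ev.get("status", "")).lower()
        if status == "0x0":
            continue  # not a failure
        host = ev.get("sourceHostName") or "<blank>"  # field can be empty
        groups[(host, ev.get("destinationUserName"))][status] += 1
    return groups

def report(events):
    """Rows of (host, account, total failures, {reason: count}), noisiest first."""
    rows = []
    for (host, user), counts in triage(events).items():
        reasons = {STATUS.get(code, code): n for code, n in counts.items()}
        rows.append((host, user, sum(counts.values()), reasons))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, user, total, reasons in report(SAMPLE_EVENTS):
        print(f"{host:8} {user:8} {total:4} {reasons}")
```

The hosts at the top of the report are where to check the items from the reply above first: mapped drives, logon scripts, services and other processes running with stored credentials for that account.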