none
Repeated prompts to provide current credentials

    Question

  • Hi all,

    This follows on from a thread in the Windows Insider tech preview forums for Windows 10 (now closed as Windows 10 has gone live).

    On preview builds 10162 and 10166, I started to experience repeated domain account lockouts on my main domain user account.  Tracking the lockouts in AD showed them to have originated from my device (not a phone or anything else).  I rebuilt the laptop from scratch with an ISO extracted from the 10166 ESD, and whilst the situation improved in terms of the frequency of the event, it hasn't gone away entirely, and it has in fact changed to some degree.

    Two things happen primarily now - I start getting prompted by the Internet Explorer/Edge browser for authentication details for internal websites - entering my correct username and password grants me access to the resource.  I also seem to be getting regular prompts that "Windows needs your current credentials...".  I generally ignore the prompt and things seem to sort themselves out, but occasionally I do end up with my network account locked out entirely (for 30 minutes, as we unlock accounts after 30 minutes), but then I've had the account locked out repeated times within a 5 minute window.

    It's incredibly frustrating - I can have it happen with no apps open at all, and can actually trigger it sometimes just by trying to browse to a network file share.

    I've checked that my account is not set to use DES Kerberos authentication, as has been the solution in some of the examples I found online of similar issues with previous versions of Windows.

    Thanks!

    Robert


    MCP (Windows 2003, Windows XP)

    Thursday, July 30, 2015 2:40 AM

All replies

  • Further to this - I've just tried to open our Intranet, and had IE prompt me for authentication.  I locked the workstation, unlocked it, and IE then opened our Intranet site without prompting.  It's almost as if Windows is somehow forgetting my authentication details, or the kerberos ticket I'm being given to access systems is expiring (and the lockouts occur after an expired ticket is used too often?).

    MCP (Windows 2003, Windows XP)

    Thursday, July 30, 2015 3:16 AM
  • Hi Robert,

    The Windows 10 has been released officially.

    Have you tried to upgrade the machine with the official released version and check the issue?

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 31, 2015 3:07 AM
    Moderator
  • Hi Robert,

    The Windows 10 has been released officially.

    Have you tried to upgrade the machine with the official released version and check the issue?

    I've just tried to run Windows Update and it's failing for some reason.  I'll try again over the weekend.

    As I understand it though, the last version I got as part of the preview program was the final release code.

    PS I also got locked out again...

    Friday, July 31, 2015 3:10 AM
  • I'm also seeing the same behavior.  I upgraded Windows 7 using the official released version (from DVD) downloaded from MSDN.
    Friday, July 31, 2015 3:10 PM
  • Hi Robert,

    Please check the following configurations for Internet Explorer:

    Tools\Internet Options\Security\Local Intranet\Custom Level\User Authentication\Automatic Logon only in Intranet Zone

    For the Micorosoft Edge:
    Tools\Settings\Advanced Settings\Offer to save passwords

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, August 05, 2015 2:20 AM
    Moderator
  • Hi,

    I'm also suffering from this irrational account lock-out behavior, no upgrade - a full re-install from scratch using GA media downloaded from MSDN. My domain account gets locked out every now and then - it can be days without lockouts but when it starts to happen, it can occur every 30secs or so.

    Happens to my two other colleagues too, but not for one who did not upgrade his Windows 8.1. So clearly something Windows 10 related but cannot point what causes this.

    The IE setting is "Automatic logon only in Intranet Zone", have tried to find issues from netlogon.log (enabled the debug logon mode) but cannot find anything that would directly point out the problem.

    Any advice is credited, this is a very annoying problem.

    Monday, August 10, 2015 7:41 AM
  • You can set "Do not require Kerberos preauth" for user account in Account tab of user properties in Active Directory Users and Computers snap-in. After i set this settings there are no credentials promts.

    I think this is bug in working with domain controllers from win10.

    Monday, August 10, 2015 7:50 AM
  • I am having the same problem with Windows 10 Enterprise.  This was a new install from ISO media from the Volume License Service Center that I downloaded last week.

    My version is 10240.  I'm aware that we can turn of Kerberos preauthentication, but as that isn't the default I would prefer to avoid doing that.

    Monday, August 10, 2015 7:44 PM
  • Turning off Kerberos preauthentication stopped the domain lockout for me, but the locally cached credential still gets corrupted after I lock/unlock the PC a few times. It will then start prompting me for credentials every time I  try to do something that requires authentication. Logging off/on again will reset the local cached credentials, until I lock/unlock a few times again.
    Thursday, August 13, 2015 4:33 PM
  • I'm just posting to link a thread getting a lot of replies at answers.microsoft.com about this issue.  Still no solution or any kind of acknowledgement or official mitigation technique from Microsoft.
    Thursday, August 13, 2015 7:56 PM
  • Hi Robert,

    Are you the administrator of the domain? What is the error code?
    The following link may be useful to help us to narrow down the issue.
    4771: Kerberos pre-authentication failed
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

    We could try to re-add the Windows 10 machine to the AD to have a check.

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Friday, August 14, 2015 5:39 AM
    Moderator
  • Hi,

    Yep, I'm a Domain Admin.

    I've just unselected the "Do not require Kerberos preauthentication" flag on my regular user account, I'll play around until it manages to lock me out, and will then find the specific entry in the security logs on our domain controller.

    I can confirm that the cached credentials have been cleared repeatedly, and the machine was removed and added back to the domain as well.  I'm happy enough to wipe and start again, with the domain account not existing at all (or even using a different PC name) if that helps.

    Regards,

    Robert


    MCP (Windows 2003, Windows XP)

    Friday, August 14, 2015 5:59 AM
  • The "Do not require Kerberos preauthentication" thing stops the domain account being locked out - but it does not stop Windows 10 from somehow forgetting my credentials.

    Instead of being locked out of the domain now, I'm now simply prompted for authentication after my system has been running for a while and I try to access things like internal websites that require pass-through authentication, or the vSphere client running with "Use Windows session credentials" selected.  When I manually enter my details, authentication is fine - but I shouldn't have to do this...


    MCP (Windows 2003, Windows XP)

    Thursday, August 20, 2015 7:58 AM
  • Chiming in -- I have exactly the same problem.  Windows 10 since the 1016x builds has been locking my user account out in our domain repeatedly.  The behavior is almost exactly as mentioned above -- I can go several days without a lockout, but when it locks out, it occurs almost immediately after I have unlocked my workstation and received the "Windows needs your current credentials" prompt.  Lockout examination tools show the 10 bad password attempts all made within the same second.

    That said, I do not seem to be experiencing the issue where Windows ditches the currently cached credentials -- though I will be repeatedly prompted for credentials once the account actually locks out, otherwise I am not prompted while accessing internal Sharepoint resources or otherwise.

    After enabling netlogon debugging and using the account lockout tools (and then Netwrix Account Lockout Examiner), the best I could find was SVCHOST.exe (LocalSystemNetworkRestricted) was the process locking the account out -- which wasn't really helpful in determining the cause.

    I've also validated that DES Kerberos authentication is not required on my user account (and had not been previously), and immediately prior to posting this have enabled "Do not require Kerberos preauthentication" setting on my account to validate whether this at least stops the account lockout issue.

    Would love to find a legitimate solution to this -- we have about 15-20 people using Windows 10 and I seem to be the only user account impacted by this.

    Windows 10 Enterprise x64 w/ all patches, Activated w/ MAK, Build 10240, running on Surface Pro 3.

    EDIT:  After some more digging, I do uncover Event ID 4771 on my DC at the time that my machine attempts to authenticate unsuccessfully, and the return info as as follows:

        Ticket Options:        0x40810010
        Failure Code:        0x18
        Pre-Authentication Type:    2

    The failure code indicates that the pre-authentication information was invalid.  Additionally, the DC shows a bad password count of the exact number of times this error occurred in the log (in this instance, it was 7 times in less than a second).  All 7 of the events share the same ticket options, failure code, and pre-authentication type.

    In troubleshooting, I tried removing myself from the domain and then re-joining, which did not impact the issue.  Additionally, I completely re-imaged back to Windows 8.1 and did another upgrade directly to Enterprise 10 build 10240, so that there were no tech preview builds in between.  No change, same issue occurred.

    EDIT #2:  It appears that this has worked around the issue as previously detailed by Robert.  Disabling the requirement for Kerberos preauthentication has stopped my user account from being locked, and has stopped Windows from generating the "Windows needs your current credentials" pop-up, and now Outlook/Lync/IE will prompt me for credentials once I have locked/unlocked the workstation a few times.  So, better -- but still not great. 
    • Edited by Thomas Jefferies Monday, August 24, 2015 7:29 PM Additional info, outcome info.
    Monday, August 24, 2015 3:40 PM
  • Having the same problem with my account, but it's happened across two separate installs.  First was 8.1 to insider previews (back in March) to RTM, and the second was a clean install last week.  MSA is linked for store/onedrive, and I have a fingerprint scanner set up, but it seems to be locking out inconsistently.  If I respond to the popup right away, I can avoid the lockout.  Looking forward to finding a permanent solution to this.
    Wednesday, August 26, 2015 12:10 PM
  • Did you ever solve this issue for your Windows 10 users?  I have the same exact issue.  Disabling Pre-auth for Kerberos temporarily resolved the issue, but it seems to come back for some users.

    Wednesday, October 25, 2017 3:41 PM
  • You may also want to clear the stored credentials.  Sometimes the stored credentials do not match the current credentials which locks the account.  See explanation here: https://youtu.be/kjRx1U8l7sU

    Tuesday, December 05, 2017 5:35 PM