Account Lockout - detect the source

    Question

  • Hi folks,

    I have been trying to troubleshoot an account lockout issue for over a week now; however, I am not able to determine the source.

    I have Netlogon, Kerberos and auditing enabled. Based on the logs, the bad passwords are coming from the user's PC. It's a single forest/domain environment. I have checked all the obvious locations but no success so far:

    - network drives
    - scheduled tasks
    - saved credentials
    - browser-saved passwords
    - reset the password
    - new Windows profile etc.

    I don't see any CHAP authentication on wireless devices either.

    Any idea what else can be done here....

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          20/03/2017 2:12:37 PM
    Event ID:      4771
    Task Category: Kerberos Authentication Service
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      server.domain.com
    Description:
    Kerberos pre-authentication failed.
    
    Account Information:
    	Security ID:		domain\usera
    	Account Name:		usera
    
    Service Information:
    	Service Name:		krbtgt/domain.com
    
    Network Information:
    	Client Address:		::ffff:192.168.60.101
    	Client Port:		57471
    
    Additional Information:
    	Ticket Options:		0x40810010
    	Failure Code:		0x18
    	Pre-Authentication Type:	2
    
    Certificate Information:
    	Certificate Issuer Name:		
    	Certificate Serial Number: 	
    	Certificate Thumbprint:		
    
    Certificate information is only provided if a certificate was used for pre-authentication.
    
    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
    
    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
    
    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          20/03/2017 2:12:45 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      server.domain.com
    Description:
    A Kerberos error message was received:
     on logon session domain.com\server$
     Client Time: 
     Server Time: 3:12:45.0000 3/20/2017 Z
     Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
     Extended Error: 
     Client Realm: 
     Client Name: 
     Server Realm: domain.com
     Server Name: krbtgt/domain.com
     Target Name: krbtgt/domain.com@domain.com
     Error Text: 
     File: e
     Line: d3f
     Error Data is in record data.
    
    ********************Client-PC Logs******************************
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          20/03/2017 10:48:36 AM
    Event ID:      4625
    Task Category: Account Lockout
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      pc.domain.com
    Description:
    An account failed to log on.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		pc$
    	Account Domain:		domain
    	Logon ID:		0x3E7
    
    Logon Type:			2
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		usera
    	Account Domain:		domain
    
    Failure Information:
    	Failure Reason:		Account locked out.
    	Status:			0xC0000234
    	Sub Status:		0x0
    
    Process Information:
    	Caller Process ID:	0x5a8
    	Caller Process Name:	C:\Windows\System32\svchost.exe
    
    Network Information:
    	Workstation Name:	pc
    	Source Network Address:	127.0.0.1
    	Source Port:		0
    
    Detailed Authentication Information:
    	Logon Process:		User32 
    	Authentication Package:	Negotiate
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          20/03/2017 9:07:20 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      pc.domain.com
    Description:
    An account failed to log on.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		pc$
    	Account Domain:		domain
    	Logon ID:		0x3E7
    
    Logon Type:			2
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		usera
    	Account Domain:		domain
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xC000006D
    	Sub Status:		0xC000006A
    
    Process Information:
    	Caller Process ID:	0x5a8  - Process PID 1448
    	Caller Process Name:	C:\Windows\System32\svchost.exe
    
    Network Information:
    	Workstation Name:	pc
    	Source Network Address:	127.0.0.1
    	Source Port:		0
    
    Detailed Authentication Information:
    	Logon Process:		User32 
    	Authentication Package:	Negotiate
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    
    C:\>tasklist /s "pc" /svc /fi "pid eq 1448"
    
    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                   1448 Appinfo, Browser, CertPropSvc, DoSvc,
                                       IKEEXT, iphlpsvc, LanmanServer, lfsvc,
                                       NetSetupSvc, ProfSvc, Schedule, SENS,
                                       SessionEnv, ShellHWDetection, Themes,
                                       UserManager, Winmgmt, WpnService, wuauserv



    Regards, Navdeep


    Monday, March 20, 2017 3:59 AM

All replies

  • Hi,

    To troubleshoot the source of an account lockout, you could enable audit policies in Group Policy and use the Account Lockout Status tool.

    For detailed information, please refer to the article below.

    Troubleshooting Active Directory Account Lockout

    https://blog.krissmilne.tech/active-directory/troubleshooting-account-lockout

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 20, 2017 5:44 AM
    Moderator
  • Hey Jay,

    I have tried the Account Lockout Status tool; however, it doesn't tell what is causing the lockout, just the origin server and bad password count. As mentioned, I have the audit policy enabled.


    Regards, Navdeep

    Monday, March 20, 2017 6:10 AM
    Hi,

    These are possible causes of lockout issues:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phone, etc.)

    Also, as you said, you have an audit policy but can't find the source. Just check this advanced audit policy config and compare it with your config steps:

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Otherwise you should check with 3rd-party tools: Lepide, Netwrix, ...


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, March 20, 2017 6:56 AM
    I have already checked all those areas you mentioned. That advanced audit policy is for file/folder access.

    Not able to determine what is causing the lockouts.


    Regards, Navdeep

    Monday, March 20, 2017 7:06 AM
    I have checked that article; it helps you identify the source system from where the lockout is coming, and I have already identified that. The challenge is to figure out what on that system is causing the lockout. I have already looked into the obvious locations.

    Regards, Navdeep

    Monday, March 20, 2017 8:50 AM
    I would refer you to this article https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/ which covers a few common root causes of account lockouts and how you can resolve them.
    Monday, March 20, 2017 9:15 AM
    I have checked most of those areas. I am not sure what would be covered under this:

    Applications using old credentials:

    We have already created a new clean Windows profile to isolate any app/cached credential issues.


    Regards, Navdeep

    Monday, March 20, 2017 9:41 AM
    Any silver bullets? This wolf is still alive....

    Regards, Navdeep

    Tuesday, March 21, 2017 1:42 AM
    Have you tried disjoining the PC from the domain, deleting its object in ADUC, and then rejoining? From the error messages you posted, it looks like it could be a domain trust issue with the PC itself.
    Thursday, March 23, 2017 6:19 PM
    I can give it a shot and update you. BTW, do you know if a network trace would help isolate the issue? I can take a trace but I have no idea what to look for in it.

    Regards, Navdeep

    Friday, March 24, 2017 1:50 AM
    Is the client address shown below as the source of the lockout the actual IP address of the client doing the lockout? I ask because I do not often see 192.168 in the source.
    192.168.60.101
    Friday, March 24, 2017 4:40 AM
    You can troubleshoot this with the help of the "EventCombMT" tool. Here are some tips:

    https://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx

    Friday, March 24, 2017 6:45 AM
    Yeah, that's the client IP. I see it in the Kerberos pre-authentication failure:

    Network Information:
    	Client Address:		::ffff:192.168.60.101
    	Client Port:		57471
    


    Regards, Navdeep


    Monday, March 27, 2017 3:13 AM
    That's all the domain controller can tell you. You need to use Procmon and other tools to detect which application is sending the wrong credentials from that moment on.

    I would check mapped drives, Task Scheduler, multiple RDP sessions in disconnected state, etc., to see if something is sending the lockout from the client.

    Tuesday, March 28, 2017 2:30 AM
    Yeah, I have tried all that stuff except Procmon and Netmon/Message Analyzer, but I don't have any real-life use case/reference. For instance, in this case the audit log shows the lockout is coming from the svchost.exe process; however, there are 10 different services running under the main process.

    Anyway, we have decided to nuke this PC and rebuild it. We will delete the account and re-provision it as well.


    Regards, Navdeep

    Tuesday, March 28, 2017 3:03 AM
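    The step the thread stalls on (the OP's 4625 events name svchost.exe PID 1448, and the last reply notes that PID hosts ten services) can be scripted on the client PC. This is an added example, not code from the thread or from Microsoft: it reads the 4625 events for the locked account out of the Security log, decodes the hex caller PID from the event XML, and maps each PID to the services it hosts, which is what the OP's `tasklist /svc /fi "pid eq 1448"` did by hand. The account name `usera` and the 24-hour window are assumptions taken from the thread's logs.

```powershell
# Added example (not from the thread). Run on the client PC named in the 4771/4625 events.
$Account = 'usera'                      # assumption: the locked-out account from the thread
$Since   = (Get-Date).AddHours(-24)     # assumption: look back one day

# 4625 = "An account failed to log on". Status 0xC000006D/SubStatus 0xC000006A is a bad
# password; Status 0xC0000234 means the account was already locked out when the attempt came in.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The message text is localized; the EventData XML carries stable field names.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $Account) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Status    = $d.Status
        SubStatus = $d.SubStatus
        LogonType = $d.LogonType
        Pid       = [int]$d.ProcessId   # ProcessId is a hex string, e.g. "0x5a8" -> 1448
        Process   = $d.ProcessName
        Source    = $d.IpAddress        # 127.0.0.1 in the thread: the caller is local
    }
}

$rows | Sort-Object Time | Format-Table Time, Status, SubStatus, LogonType, Pid, Process, Source -AutoSize

# Map each distinct caller PID to the services hosted in that process.
# Equivalent to: tasklist /svc /fi "pid eq <PID>"
foreach ($p in ($rows.Pid | Sort-Object -Unique)) {
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $p" |
            Select-Object -ExpandProperty Name
    "PID $p ($(($rows | Where-Object Pid -eq $p).Count) failed logons) hosts: $($svcs -join ', ')"
}

# To narrow a shared svchost down to one service, move each candidate into its own process
# and wait for the next 4625; the caller PID then identifies the service directly. This
# changes service configuration and takes effect after the service restarts, e.g.:
#   sc.exe config Schedule type= own
</pre>
```

    The bad-password events (SubStatus 0xC000006A) are the ones that matter; once the account is locked, every later attempt from the same caller shows 0xC0000234 regardless of what it sent.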