Kerberos pre-authentication failed.

    Question

  • Hi, I have been getting a lot of these errors on users these past 2 weeks. Some get it daily and some only have it once. 

    I can't really figure out where to begin or how to find out why they have started to get locked out in AD. 

    WHAT I KNOW SO FAR:

    I have found out that the error means "bad password", but there is also a source IP in the event log message from which the "bad password" request has been received. When I trace that IP it points to my DC2, and then I don't know what to do from there. 

    EVENT LOG ERROR MESSAGE:

    Kerberos pre-authentication failed.

    Account Information:
            Security ID:            mydomain\myuser
            Account Name:           myuser

    Service Information:
            Service Name:           krbtgt/mydomain

    Network Information:
            Client Address:        DC2
            Client Port:            56841

    Additional Information:
            Ticket Options:         0x40810010
            Failure Code:           0x18
            Pre-Authentication Type:        2

    Certificate Information:
            Certificate Issuer Name:                
            Certificate Serial Number:      
            Certificate Thumbprint:         

    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

    Can you please help me figure out why the user got locked out, multiple times over several days.

    The only thing the user did, was leaving the PC, and when the user came back it was locked in AD.

    Wednesday, April 12, 2017 2:15 PM

Answers

  • Hi,
    As far as I know, an older/incorrect/bad password could be saved in some program, script or service which regularly tries to authenticate to the domain using the previous password. The most relevant cases include:
    Mapping a network drive via net use (Map Drive)
    In the tasks of Windows Task Scheduler
    In Windows services run from the domain account
    Data saved in the Credential Manager in the Control Panel
    Browsers
    Mobile devices (e.g., those used to access the corporate mail service)
    And you could try the Account Lockout and Management Tools to troubleshoot the problem: https://www.microsoft.com/en-us/download/details.aspx?id=18465
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Wendy Jiang (Moderator) Tuesday, April 18, 2017 3:17 PM
    • Marked as answer by QITZZY Wednesday, April 19, 2017 10:43 AM
    Friday, April 14, 2017 5:43 AM
    Moderator
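    The client-side checks for the cached-credential sources listed in the answer above, as an added PowerShell example that is not part of the thread. It is meant to be run on the workstation the bad passwords were traced to; $Account is an assumed parameter holding the locked-out sAMAccountName.

```powershell
# Added example (not from the thread). Run on the workstation that the bad-password
# attempts came from, with $Account set to the locked-out sAMAccountName (assumed parameter).
param([Parameter(Mandatory)][string]$Account)

$pattern = "*$Account*"   # matches DOMAIN\user, user@domain and bare user forms

"== Credential Manager entries (cmdkey) =="
# Saved credentials for shares, RDP and web sites; a stale entry replays the old
# password every time its target is touched.
cmdkey /list | Select-String -Pattern 'Target:|User:'

"== Scheduled tasks that run as $Account =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like $pattern } |
    Select-Object TaskPath, TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

"== Services that log on as $Account =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like $pattern } |
    Select-Object Name, StartName, StartMode, State

"== Mapped drives =="
# Persistent mappings reconnect at logon; if they were created with an explicit
# password (net use ... /savecred), that password lives in Credential Manager above.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
```

    Browser-saved passwords and mobile mail clients cannot be enumerated this way: their logons are proxied by a server, so the Client Address in the 4771 event on the authenticating DC points at that server (for example the mail server) rather than at the device, and the stale credential has to be removed on the device itself.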

All replies

  • There will be the exact same event on another DC. When a user enters a wrong password, the event gets updated on both the PDC and the domain controller doing the authentication.

    So examine the exact same event on the actual domain controller doing the authentication, which will give you the IP address of the client sending the wrong password.

    • Proposed as answer by Todd Heron Thursday, April 13, 2017 12:32 AM
    Wednesday, April 12, 2017 9:16 PM
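    The DC-side trace the reply above describes, as an added PowerShell example that is not part of the thread. It pulls the lockout events (4740) from the PDC emulator and the pre-authentication failures (4771, Failure Code 0x18) from every DC, and flags the copies whose Client Address is itself a DC, because a DC that rejects a password forwards the attempt to the PDC emulator and the PDC's copy of the event then shows the forwarding DC (the "Client Address: DC2" in the question). It assumes the ActiveDirectory RSAT module, rights to read each DC's Security log over RPC, and the locked-out sAMAccountName supplied as $SamAccountName.

```powershell
<#
Added example, not code from the thread. Traces bad-password attempts for one account back
to the machine that sent them. Assumes the ActiveDirectory RSAT module, rights to read
every DC's Security log over RPC, and the locked-out sAMAccountName in $SamAccountName.
#>
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [int]$Hours = 48
)

Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = @((Get-ADDomainController -Filter *).HostName)
$since = (Get-Date).AddHours(-$Hours)

# Names and addresses of all DCs, so a 4771 whose Client Address is a DC can be recognised.
$dcAddrs = foreach ($dc in $dcs) {
    $dc
    $dc.Split('.')[0]
    try { [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString } } catch { }
}

# EventData is a list of <Data Name="...">value</Data> nodes; flatten it to a hashtable.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $d = @{}
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Lockouts (4740). The PDC emulator always records them; the TargetDomainName field
#    carries the "Caller Computer Name" shown in the event text.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -ne $SamAccountName) { return }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = 4740; DC = $pdc; Source = $d.TargetDomainName; Port = ''; Note = 'caller computer' }
    }

# 2. Pre-auth failures (4771, Failure Code 0x18) on every DC. A DC that rejects a password
#    forwards the attempt to the PDC emulator, so the PDC's copy shows that DC as the client;
#    the copy on the forwarding DC names the real client.
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -ne $SamAccountName -or $d.Status -ne '0x18') { return }
        $src = $d.IpAddress -replace '^::ffff:', ''    # IPv4 is stored as an IPv4-mapped IPv6 address
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = 4771; DC = $dc; Source = $src; Port = $d.IpPort
            Note = $(if ($dcAddrs -contains $src) { 'forwarded by another DC' } else { 'real client' })
        }
    }
}

@($lockouts) + @($failures) | Sort-Object Time | Format-Table Time, Id, DC, Source, Port, Note -AutoSize
```

    Run it from a management host with an account that can read the DCs' Security logs, for example `.\Trace-BadPassword.ps1 -SamAccountName myuser` (the file name is an assumption). The rows marked "real client" are the ones to follow up on; if the trail ends at a server rather than a workstation (mail, web or VPN), the stale credential sits on a device that authenticates through that server.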
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be very helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Tuesday, April 18, 2017 3:18 PM
    Moderator