Help figuring out what's locking a domain account

    Question

  • Hello,

    I need some help figuring out why an account is locked out on a daily basis. It is done on a SQL server and apparently by the SSRS.

    Here's the event:

    An account failed to log on.

    Subject:
    Security ID: S-1-5-80-1343824832-3923883481-2178675695-19353822-2341032094
    Account Name: ReportServer$XXXXX
    Account Domain: NT Service
    Logon ID: 0x3419C

    Logon Type: 2

    Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: xxxxx
    Account Domain: xxx

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A

    Process Information:
    Caller Process ID: 0xafc
    Caller Process Name: E:\Microsoft SQL Server\MSRS11.XXXXX\Reporting Services\ReportServer\bin\ReportingServicesService.exe

    Network Information:
    Workstation Name: LONSQL1
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    So it looks like the SQL Server Reporting Services is trying to use the referenced domain account for something. However I am unable to find any tasks that might be using those credentials. 

    Is there a good way to figure out what is calling out for this process to run?

    Thank You,

    Wojciech

    Wednesday, January 4, 2017 9:21 AM

Answers

  • Hi Martin,

    The culprit was an old subscription running on the SQL Server. It was using old credentials and thus locking the account.

    Kind regards,

    Wojciech

    • Marked as answer by rozanw Thursday, January 5, 2017 10:26 AM
    Thursday, January 5, 2017 10:26 AM

All replies

  • Hi
    These are possibilities for the lockout issue:
    - Mapped network drives
    - Logon scripts that map network drives
    - RunAs shortcuts
    - Accounts that are used for service account logons
    - Processes on the client computers
    - Programs that may pass user credentials to a centralized network program or middle-tier application layer
    - Active sync devices (cell phone, etc.)

    You can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre". Check the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd party tools: Lepide, Netwrix...

    and you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Todd Heron Wednesday, January 4, 2017 9:50 AM
    Wednesday, January 4, 2017 9:34 AM
  • Hello Burak,

    I'm not sure how this is supposed to help me. I know where the lockout occurs (SQL Server), I know what's causing the lockout (ReportingServicesService.exe). 

    I guess what I really need to figure out is why the SSRS Service is trying to interactively log on a domain account.

    Maybe I should post this in the SQL Server forums instead?

    Thank You,

    Wojciech

    Wednesday, January 4, 2017 10:07 AM
  • Seems like Burak has provided a few nice references to work around your situation.

    However, you can also take a look at the article below, which summarizes the common root causes of account lockouts and how to resolve them - https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

    Wednesday, January 4, 2017 10:19 AM
  • > Caller Process ID: 0xafc
    > Caller Process Name: E:\Microsoft SQL Server\MSRS11.XXXXX\Reporting Services\ReportServer\bin\ReportingServicesService.exe
     
    We have a process name, we have a process ID. Is this process ID still running? If not: Grab Process Monitor, set a filter for the process name and wait :-)
     
    Wednesday, January 4, 2017 11:05 AM
  • Hi Martin,

    Yes, the process is still running. I'm not an SQL Server expert, but isn't this normal for this process to be constantly on?

    Anyway, I've just had another event logged, at the exact same time of the day. It does look like whatever SSRS is trying to do, it does that in a scheduled manner. Though I've checked the Task Scheduler and there are no tasks there that would be using this Service. 

    I've restarted the service and I'll later check if it did anything. 

    Thank You,

    Wojciech

    Wednesday, January 4, 2017 11:31 AM
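
    The same-time-every-day pattern described in the post above can be checked mechanically. This is an added example, not part of the thread and not written by any poster: it parses rendered 4625 messages in the format shown in the question and reports account/process pairs whose failures recur within a few minutes of one time of day. The sample events, account names, paths and the 5-minute tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

SUBSTATUS = {"0xc000006a": "bad password",          # NTSTATUS values found in
             "0xc0000234": "account locked out"}    # the Sub Status field

def parse_4625(message):
    """Flatten one rendered 4625 message into {'Section/Field': value}."""
    section, fields = "", {}
    for line in (l.strip() for l in message.splitlines()):
        if not line:
            section = ""                 # blank line closes a section
        elif line.endswith(":"):
            section = line[:-1]          # header such as "Process Information:"
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only: E:\ paths survive
            fields[f"{section}/{key}" if section else key] = value.strip()
    return fields

def circular_spread(minutes):
    """Smallest time-of-day window (in minutes) holding all values, across midnight."""
    m = sorted(minutes)
    return 1440 - max([b - a for a, b in zip(m, m[1:])] + [m[0] + 1440 - m[-1]])

def recurring_failures(events, tolerance_min=5, min_days=2):
    """Group (timestamp, message) pairs; keep groups that recur at one time of day."""
    groups = defaultdict(list)
    for ts, msg in events:
        f = parse_4625(msg)
        sub = f.get("Failure Information/Sub Status", "").lower()
        groups[(f.get("Account For Which Logon Failed/Account Name"),
                f.get("Process Information/Caller Process Name"),
                SUBSTATUS.get(sub, sub))].append(ts)
    found = []
    for (account, process, reason), stamps in groups.items():
        days = len({t.date() for t in stamps})
        if days >= min_days and circular_spread(
                [t.hour * 60 + t.minute for t in stamps]) <= tolerance_min:
            found.append({"account": account, "process": process, "reason": reason,
                          "days": days, "time_of_day": min(stamps).strftime("%H:%M")})
    return found

# Constructed sample: every account, path and timestamp below is made up.
MSG = ("Account For Which Logon Failed:\nAccount Name: {}\n\nFailure Information:\n"
       "Sub Status: 0xC000006A\n\nProcess Information:\nCaller Process Name: {}\n")
SSRS, WINLOGON = r"E:\SSRS\ReportingServicesService.exe", r"C:\Windows\System32\winlogon.exe"
SAMPLE = [(datetime(2017, 1, d, h, m), MSG.format(acct, proc)) for d, h, m, acct, proc in [
    (2, 2, 0, "svc_reports", SSRS), (3, 2, 0, "svc_reports", SSRS), (4, 2, 1, "svc_reports", SSRS),
    (2, 9, 13, "jdoe", WINLOGON), (4, 15, 47, "jdoe", WINLOGON)]]
```

    A group that recurs at a fixed time from a service executable suggests a schedule held inside that service rather than in Task Scheduler, which is where this thread's cause was eventually found.
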
  • Ok, restarting the service did not do anything. The account still gets locked. 

    I re-created this thread on the SQL Server forums since it does seem to have a lot to do strictly with SSRS. 

    Thank You,

    Wojciech

    • Edited by rozanw Wednesday, January 4, 2017 1:14 PM
    Wednesday, January 4, 2017 11:54 AM
  • > Yes, the process is still running. I'm not an SQL Server expert, but isn't this normal for this process to be constantly on?
     
    Depends on the process :-) If it is a service with trigger "demand", it might be there then stop again.
     
    I'd rather suggest to move to the SQL forum with your question - this is not AD related :)
     
    Wednesday, January 4, 2017 2:42 PM
  • Can you help me track down how you found this? I am on the domain side, not SQL. If you can help point me in the right direction, it would be much appreciated.
    Friday, July 7, 2017 4:46 PM
  • Thank you, Wojciech. We also had SSRS subscriptions using expired credentials, which kept locking the account.
    Tuesday, April 3, 2018 3:05 PM