Frequent bad password attempts/lockouts - can't find source


  • We have several users who are showing bad password attempts on our DCs, and thus frequent lockouts also. I've used the resources here to track down similar issues, but this one is giving me fits.

    We're seeing 4771 Kerberos pre-authentication failed messages like the one below:

    Kerberos pre-authentication failed.
    Account Information:
    	Security ID:		*OURDOMAIN\OURUSER*
    	Account Name:		*USER*
    Service Information:
    	Service Name:		krbtgt/*OURDOMAIN*
    Network Information:
    	Client Address:		::ffff:*XX.XX.XX.XX*
    	Client Port:		16377
    Additional Information:
    	Ticket Options:		0x40810010
    	Failure Code:		0x18
    	Pre-Authentication Type:	2
    Certificate Information:
    	Certificate Issuer Name:		
    	Certificate Serial Number: 	
    	Certificate Thumbprint:		

    In the past, I've frequently seen the Client Address be the address of our users' workstations. However, in these events, the address is that of one of our Exchange servers.

    If I look at the corresponding event on the Exchange server, I see this:

    An account failed to log on.
    	Security ID:		NETWORK SERVICE
    	Account Name:		**OUREXCHANGESERVER$**
    	Account Domain:		**OURDOMAIN**
    	Logon ID:		0x3e4
    Logon Type:			8
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		****
    	Account Domain:		
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xc000006d
    	Sub Status:		0xc000006a
    Process Information:
    	Caller Process ID:	0xba4
    	Caller Process Name:	C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
    Network Information:
    	Workstation Name:	**OUREXCHANGESERVER**
    	Source Network Address:	-
    	Source Port:		-
    Detailed Authentication Information:
    	Logon Process:		Advapi  
    	Authentication Package:	Negotiate
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0

    I haven't found anything in the IMAP, POP, or SMTP logs to match up with these events. I've done packet capturing on the DC and the Exchange server to try to find any helpful info, but nothing.

    Any thoughts? Thanks so much!


    Monday 04 June 2018 18:37
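One way to line up the two event streams quoted above (4771 on the DC, 4625 with Logon Type 8 on the Exchange server) for a single account, as an added example that is not part of the original post. It assumes placeholder host names DC01 and EXCH01, the account name OURUSER, and that the Security log on both hosts is readable remotely with the current credentials.

```powershell
# Added example (not from the original post): correlate DC 4771 failures with
# Exchange 4625 failures for one account, so the Exchange process that submitted
# the bad credentials (here Microsoft.Exchange.Imap4.exe) is visible next to each
# Kerberos pre-auth failure. Host and account names below are placeholders.
param(
    [string]$DomainController = 'DC01',      # placeholder
    [string]$ExchangeServer   = 'EXCH01',    # placeholder
    [string]$Account          = 'OURUSER',   # placeholder
    [int]$Hours               = 24,
    [int]$WindowSeconds       = 5
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData section into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4771 on the DC: Status 0x18 is the "bad password" pre-authentication failure.
$preauth = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $Account -and $d.Status -eq '0x18') {
            [pscustomobject]@{ Time = $_.TimeCreated; Client = ($d.IpAddress -replace '^::ffff:', '') }
        }
    }

# 4625 on the Exchange server: Logon Type 8 (NetworkCleartext) is what basic-auth
# IMAP/POP logons handled by Exchange produce; ProcessName names the caller.
$failed = Get-WinEvent -ComputerName $ExchangeServer -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '8') {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $d.ProcessName; SubStatus = $d.SubStatus }
        }
    }

# Join on time: each DC failure is paired with Exchange failures within $WindowSeconds.
foreach ($p in $preauth) {
    $hits = @($failed | Where-Object { [math]::Abs(($_.Time - $p.Time).TotalSeconds) -le $WindowSeconds })
    [pscustomobject]@{
        DcTime  = $p.Time
        Client  = $p.Client
        Process = (($hits.Process | Sort-Object -Unique) -join '; ')
        Matches = $hits.Count
    }
}
```

Rows with a non-empty Process column show which Exchange component was authenticating on the user's behalf at the moment of each lockout-counting failure; rows with zero matches point at a source other than the Exchange server.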
