Kerberos pre-authentication failed

  • Question

  • Hi,

    I have a customer with the below issue:

    After he changed their administrator account password on the domain, event ID 4771 is continuously thrown in the security log on the DCs. Below is a snapshot:

    Also the below email alert from ADManager:

    Alert Message:

    Login failure for User 'Administrator' in 'server.domain.local'. Reason: 'Bad password'.

    Severity: Attention

    Event Details

      Domain: krbtgt/domain.LOCAL
      Event Code: 16
      SID: %{S-1-5-21-428199501-1217283236-4064894256-500}
      Client Host Name: Server.domain.local
      Event Type: Failure
      Remarks: Kerberos pre-authentication failed.
      Logon Service: krbtgt/domain.LOCAL
      Domain Controller: DC.domain.local
      User Name: Administrator
      Client IP Address: IP
      Failure Code: 0x18
      Logon Time: Apr 09,2015 11:42 AM
      Failure Reason: Bad password
      Record number: 2197037173
      Event Number: 4771

    They have already changed the password for the services running under that admin account to the new password. There are no issues in the domain other than this: users can log in and services are fine. However, the account lockout policy is disabled, and if it were enabled I think they would have a huge issue due to this Kerberos authentication failure.

    Please help!

    • Edited by AhmadJY Thursday, April 9, 2015 12:39 PM
    Thursday, April 9, 2015 12:37 PM

Answers

All replies

  • Hi, your question is a bit confusing. But if you are saying that you tried changing the password for the service account using your administrator password:

    Please right-click the service account, go to the Account tab and see whether the "Password never expires" and "User cannot change password" options are checked. Also, the event ID you pasted above shows failure code 0x18, which means bad password. Try checking the above options and revert back.

    Thursday, April 9, 2015 12:54 PM
  • Hi, the password is already set to never expire in AD.

    Also, it is not only for the administrator password; I can see in the security log as well:

    security id: domain\computeraccount$

    Account Name: computeraccount

    Thursday, April 9, 2015 1:40 PM
  • Hi,

    Can you tell me how long you have been getting these events? Also, how many DCs do you have in your environment?

    Thursday, April 9, 2015 1:47 PM
  • The 2 events you posted have different error codes.

    Check the time of the computer failing pre-auth against the time on the DC holding the PDC role.



    • Edited by aperelli Thursday, April 9, 2015 2:23 PM
    Thursday, April 9, 2015 1:52 PM
  • Since yesterday (the time of changing the admin password). There are 6 DCs.
    Thursday, April 9, 2015 1:59 PM
  • The time is synced between all servers and DCs.

    For clients, most of the clients are synced with the DC. I will check the time of the computer failing pre-auth against the time on the DC holding the PDC role and revert back, but most likely they are synced.

    Thursday, April 9, 2015 2:00 PM
  • I'm saying this because 0x25 means clock skew too great.

    REF: https://www.ietf.org/rfc/rfc4120.txt


    • Edited by aperelli Thursday, April 9, 2015 2:08 PM
    Thursday, April 9, 2015 2:08 PM
  • I will check the time on that client machine, but what about error code 0x18?
    Thursday, April 9, 2015 2:17 PM
  • Hi,

    That can be investigated once the time sync issue is confirmed.

    Thursday, April 9, 2015 2:20 PM
  • KDC_ERR_PREAUTH_FAILED    24    Pre-authentication information was invalid

    Could be "bad password", but also a bad timestamp, which is included in the pre-authentication.


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    (Italian) This post provides no guarantees and confers no rights.

    Thursday, April 9, 2015 2:22 PM
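The reply above decodes the failure code in the 4771 event by hand. As an added example (not code from this thread or from Microsoft), the following PowerShell pulls the 4771 events from every DC, maps the Status field to its RFC 4120 name, and groups them by account, client address and failure code, so that 0x18 (bad password or bad pre-auth timestamp) and 0x25 (clock skew) sources can be told apart and counted. It assumes the ActiveDirectory module, remote access to the DCs' Security logs, and a 24-hour lookback; those are illustrative choices.

```powershell
# Added example, not part of the original thread.
# Assumes: ActiveDirectory module installed, Event Log Readers (or equivalent)
# on every DC, RPC reachability. Lookback window is illustrative.
$DomainControllers = (Get-ADDomainController -Filter *).HostName
$Since = (Get-Date).AddHours(-24)

# Kerberos error codes (RFC 4120 section 7.5.9) as they appear in the 4771 Status field
$FailureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password has expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password or bad pre-auth timestamp)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

$Events = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing the message text
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $dc
                Account     = $data['TargetUserName']
                ClientIP    = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
                FailureCode = $data['Status']
                Meaning     = $FailureCodes[$data['Status']]
                PreAuthType = $data['PreAuthType']   # 2 = PA-ENC-TIMESTAMP, the encrypted timestamp pre-auth
            }
        }
}

# One row per (account, source, failure code): the sources with the highest Count
# are the machines still presenting the old credential (0x18) or a skewed clock (0x25)
$Events |
    Group-Object Account, ClientIP, FailureCode |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account     = $first.Account
            ClientIP    = $first.ClientIP
            FailureCode = $first.FailureCode
            Meaning     = $first.Meaning
            Count       = $_.Count
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Querying all DCs matters in an environment like the one described (6 DCs): the client talks to whichever KDC it locates, so a single DC's log shows only part of the picture. A FirstSeen close to the time of the password change, combined with failure code 0x18 from the same source every few minutes, is the signature of a stored credential rather than a typed one.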
  • What if you switch off the source computer reported in the event? If the event disappears, then something is running on this computer with the old credentials and you need to identify what it is: it could be a service, a scheduled task, an application ...

    For time sync, I would recommend to refer to what I shared here for the configuration: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    Thursday, April 9, 2015 9:32 PM
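Rather than powering the source computer off, the same question ("what on this machine still runs as that account?") can be answered by enumerating the usual places a credential is stored. The script below is an added example, not code from this thread; it assumes WMI and schtasks access to the target computer, and the account name and ComputerName parameter are illustrative.

```powershell
# Added example, not part of the original thread.
# Run on, or against, the computer named in the 4771 event (Client IP Address field).
param(
    [string]$Account = 'Administrator',          # the 4771 TargetUserName
    [string]$ComputerName = $env:COMPUTERNAME     # illustrative; defaults to the local host
)

# Match DOMAIN\Administrator, .\Administrator, Administrator@domain.local and bare Administrator
$pattern = "(^|\\|/)$([regex]::Escape($Account))(@|$)"

# 1. Services whose logon account is the affected user (Win32_Service works on 2003+)
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Type';e={'Service'}}, Name, @{n='RunAs';e={$_.StartName}}, State, StartMode

# 2. Scheduled tasks that run as that user. schtasks /V /FO CSV is used instead of
#    Get-ScheduledTask so the check also works on Server 2008 R2 and earlier.
#    The verbose CSV repeats its header row per task folder; those rows never match $pattern.
$tasks = schtasks /Query /S $ComputerName /V /FO CSV |
    ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object @{n='Type';e={'Task'}}, @{n='Name';e={$_.TaskName}},
                  @{n='RunAs';e={$_.'Run As User'}}, Status, 'Next Run Time'

# 3. Credentials saved in Credential Manager (cmdkey only lists the current user's vault,
#    so this part is meaningful only when run interactively on the source machine)
$saved = @()
if ($ComputerName -eq $env:COMPUTERNAME) {
    $saved = cmdkey /list | Select-String -Pattern $Account | ForEach-Object {
        [pscustomobject]@{ Type = 'SavedCredential'; Name = $_.Line.Trim(); RunAs = $Account }
    }
}

$findings = @($services) + @($tasks) + @($saved)
if ($findings.Count -eq 0) {
    "No service, scheduled task or saved credential on $ComputerName references '$Account'."
} else {
    $findings | Format-Table Type, Name, RunAs, State, Status -AutoSize
}
```

If this comes back empty on a machine that still produces 4771 events, the remaining candidates are things this script does not enumerate: IIS application pool identities, mapped drives created with explicit credentials, and third-party applications that keep the password in their own configuration. The thread's own hint that domain controllers also appear as the source computer fits the same explanation: a service or task on the DC itself was configured with the old password.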
  • I will try that, but why are these logs getting logged after changing the administrator password? Before that there were no related logs. Also, the source computer reported in the event is not limited to client machines, but also includes domain controllers?

    Saturday, April 11, 2015 7:27 AM
  • Hi,

    Did you confirm the time sync issue?

    The error code 0x25 means the workstation's clock is too far out of sync with the DC's, so I suggest you check the time sync of the computer failing pre-auth with the DC first.

    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

    Similar threads have been discussed:

    https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Proposed as answer by Vivian_Wang Wednesday, April 22, 2015 6:23 AM
    • Marked as answer by Vivian_Wang Monday, April 27, 2015 4:50 AM
    Friday, April 17, 2015 3:10 AM
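The reply above and the earlier one from aperelli both ask for the clock of the failing computer to be compared with the PDC emulator. As an added example (not code from this thread or from the linked articles), the PowerShell below runs on the computer named in the 0x25 event, measures its offset against the PDC and against the DC that logged the event using w32tm's NTP stripchart, compares the worst offset with the Kerberos default tolerance, and only then resyncs. The DC name, the 5-minute tolerance and the sample count are assumptions; the tolerance should be read from the Default Domain Policy if it was changed.

```powershell
# Added example, not part of the original thread. Run on the client that fails pre-auth.
# Assumes: ActiveDirectory module (for the PDC lookup), UDP/123 open to the DCs,
# Windows Time service running on the DCs. $LoggingDC is illustrative.
$Pdc            = (Get-ADDomain).PDCEmulator   # alternatively: nltest /dsgetdc:domain.local /PDC
$LoggingDC      = 'DC.domain.local'            # the "Domain Controller" field from the 4771 event
$MaxSkewSeconds = 300                          # Kerberos default "Maximum tolerance for computer clock synchronization"

function Get-ClockOffset {
    param([string]$Target, [int]$Samples = 5)
    # /dataonly prints one line per sample: "11:42:03, +00.0123456s"
    $raw = w32tm /stripchart /computer:$Target /samples:$Samples /dataonly
    $offsets = foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No NTP reply from $Target (check UDP/123 and the Windows Time service there)"
    }
    # Report the largest absolute offset seen; sign tells whether this host is ahead or behind
    $worst = $offsets | Sort-Object { [math]::Abs($_) } -Descending | Select-Object -First 1
    [pscustomobject]@{ Target = $Target; OffsetSeconds = $worst; Samples = @($offsets).Count }
}

$results = @($Pdc, $LoggingDC) | Select-Object -Unique | ForEach-Object { Get-ClockOffset -Target $_ }
$results | Format-Table -AutoSize

# Where this host gets its time from and when it last synced; a source of
# "Local CMOS Clock" or "Free-running System Clock" on a domain member is itself a finding
w32tm /query /source
w32tm /query /status

$skewed = $results | Where-Object { [math]::Abs($_.OffsetSeconds) -gt $MaxSkewSeconds }
if ($skewed) {
    "Offset exceeds $MaxSkewSeconds s against: $($skewed.Target -join ', '); resyncing"
    w32tm /resync /rediscover
    # Re-check after the resync so the fix is confirmed rather than assumed
    Get-ClockOffset -Target $Pdc | Format-Table -AutoSize
} else {
    "Clock skew within $MaxSkewSeconds s; 0x25 events from this host need another explanation"
}
```

Measuring against the DC named in the event as well as the PDC is deliberate: the KDC rejects the request based on its own clock, so a DC that has drifted from the PDC produces 0x25 for clients that are perfectly in sync with the PDC. Running `w32tm /monitor /domain:domain.local` from any member shows the offset of every DC relative to the PDC and catches that case.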
  • Hi,

    Any update about the issue?

    Regards.


    Wednesday, April 22, 2015 6:23 AM