Security-Kerberos Event ID 14: Credential Manager causes system to log in to network with invalid password and lock the account

    Question

  • Hi,

    I am running Windows 7 Professional 64-bit on a quad-core Xeon machine.

    My company IT policy requires that we change our account passwords every 2 months. After the last password change, my computer is locking me out of the network by trying to log in with an invalid password stored somewhere in the Credential Manager. I have tried clearing the Credential Manager many times, no use. We checked all my machines, virtual machines, network drives, printers; none of them seem to solve the problem.

    Our IT specialist has checked our machines multiple times and found nothing.

    So far we know of two machines with the same configuration causing this problem. The only way to avoid being locked out is to turn off my machine at night. The login attempts occur at 5:00 am in the morning every day.

    The event viewer reports the following event.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          10/22/2010 5:00:31 AM
    Event ID:      14
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      computername.network.com
    Description:
    The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential Email removed for privacy.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">14</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-10-22T10:00:31.000000000Z" />
        <EventRecordID>1150222</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>computername.network.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Username">username@network</Data>
        <Binary>6A0000C0</Binary>
      </EventData>
    </Event>

     

    This event was soon followed by this event.

    Log Name:      System
    Source:        LsaSrv
    Date:          10/22/2010 5:00:32 AM
    Event ID:      40960
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          SYSTEM
    Computer:      computername.network.com
    Description:
    The Security System detected an authentication error for the server cifs/storage.network.com. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
     (0xc0000234)".
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
        <EventID>40960</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-10-22T10:00:32.192035600Z" />
        <EventRecordID>1150223</EventRecordID>
        <Correlation />
        <Execution ProcessID="544" ThreadID="5464" />
        <Channel>System</Channel>
        <Computer>computername.network.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Target">cifs/storage.network.com</Data>
        <Data Name="Protocol">Kerberos</Data>
        <Data Name="Error">"The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
     (0xc0000234)"</Data>
      </EventData>
    </Event>

     

    We are at our wits' end. We cannot re-image our machine, as it will take many days to get all our tools reinstalled and configured.

    We tried everything on the forums about this issue, and still nothing. This feels like a Win 7 bug.

    If anyone can help us solve this issue, it will be greatly appreciated.

    Thanks

    Victor Selvaraj

    Saturday, October 23, 2010 2:59 PM
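
The pairing shown in the question (Kerberos event 14 naming the stale credential, then LsaSrv event 40960 naming the server it was presented to) can be pulled from the System log directly. This is an added example, not part of the original post; the function name `Get-StaleCredentialEvents` and the 5-second pairing window are assumptions, and it needs Windows PowerShell 3.0 or later.

```powershell
# Added example: pair each Kerberos event 14 with the LsaSrv 40960 that follows it.
# Get-StaleCredentialEvents and the 5-second window are illustrative choices.
function Get-StaleCredentialEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        [int]$WindowSeconds = 5
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos', 'LsaSrv'
        Id           = 14, 40960
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Flatten each event's named <Data> elements into a hashtable.
    $parsed = foreach ($e in ($events | Sort-Object TimeCreated)) {
        $fields = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.ChildNodes) {
            if ($node -is [System.Xml.XmlElement] -and $node.HasAttribute('Name')) {
                $fields[$node.GetAttribute('Name')] = ($node.InnerText -replace '\s+', ' ').Trim()
            }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Fields = $fields }
    }

    foreach ($k in ($parsed | Where-Object { $_.Id -eq 14 })) {
        # First 40960 logged within the window after the Kerberos warning, if any.
        $lsa = $parsed | Where-Object {
            $_.Id -eq 40960 -and $_.Time -ge $k.Time -and
            ($_.Time - $k.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        [pscustomobject]@{
            Computer   = $ComputerName
            Time       = $k.Time
            Credential = $k.Fields['Username']   # account whose stored password is stale
            Target     = if ($lsa) { $lsa.Fields['Target'] } else { $null }
            Error      = if ($lsa) { $lsa.Fields['Error'] } else { $null }
        }
    }
}

Get-StaleCredentialEvents | Sort-Object Time | Format-Table -AutoSize
```

The `Target` column shows which service the stale credential is saved for, which is the entry to look for in Stored User Names and Passwords.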

Answers

  • Microsoft Support found the problem for us.  Our domain accounts were locking when a Windows 7 computer was started.  The Windows 7 computer had a hidden old password from that domain account.

    There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .

    From a command prompt run:    psexec -i -s -d cmd.exe

    From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr

    Remove any items that appear in the list of Stored User Names and Passwords.  Restart the computer.

     

    Friday, January 21, 2011 9:36 PM

All replies

  • Hi,

    I found this sentence “The login attempts occur at 5:00 am in the morning every day.” This is strange.

    Which operation would affect account at that time? How about other accounts?

    In addition, you could use the account lockout tools to troubleshoot this problem, please refer to:

    Account Lockout Tools

    Regards,

    Alex Zhao


    Thursday, October 28, 2010 11:08 AM
    Moderator
  • Hi Alex,

    Since last week, the lockout has been happening at random times. It's not consistent anymore.

    Another engineer in my team is also having the same issue. We have exhausted almost all the places we could look for possible tasks or processes. But we could find nothing.

    My computer continues to lock me out unless I power it down every night.

    Any help with this is greatly appreciated.

    Victor

    Victor Selvaraj
    Thursday, October 28, 2010 3:42 PM
  • I've run into the same problem.  It tends to happen overnight if I leave my computer on but it's not consistently at the same time and will happen during the day as well.  My credential manager is completely empty, no services or tasks are running under my user id.  This all started after I changed my active directory password last month. 

    Any chance anyone has discovered a solution for this? I'm having no luck with searching.

    Friday, January 14, 2011 2:57 PM
  • This worked for us!  Almost four months of struggling with this.  Thank you so much!!

    Tuesday, May 10, 2011 8:12 PM
  • I have the same problem. I tried the suggested solution, however there were no stored passwords.

    Any other ideas?

    Thursday, September 08, 2011 7:55 PM
  • I used the same approach, but still doing the lockout.

    Tuesday, September 13, 2011 7:30 PM
  • This solved my problem too! But be careful about deleting ANY stored credentials. It is normal for scheduled tasks to store credentials in the context of the system account. I found one entry that needed to be deleted, for a file server that was used by some of my scheduled tasks. It seems that entry was being used for any access to the file server by tasks that ran under system account... causing the task to fail and the account in the stored credential to be locked. Deleting the superfluous credential entry (but not the stored credentials for other scheduled tasks) solved the problem!
    Tuesday, January 24, 2012 6:02 PM
  • Hi,

    Unfortunately, we got the same issue on some machines. On an affected client there is no stored information. The domain user accounts are locked 5 - 6 times a day. Any (other) ideas?

    Greetings


    Thursday, April 26, 2012 7:15 AM
  • Yes, it works. I've tried to solve this issue for a year and a half. I'm so glad :)

    But what's the reason? Why do credentials become hidden and, of course, wrong?

    Monday, September 03, 2012 11:08 AM
  • All right. Just what I needed. I was troubleshooting this for two days now.

    First run from the command line rundll32 keymgr.dll,KRShowKeyMgr and remove any passwords that you might suspect would cause the problems from the USERS storage.

    Restart the computer.

    In case this didn't help, proceed with:

    Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .
    From a command prompt run:    psexec -i -s -d cmd.exe
    From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

    Restart the computer.

    For everyone that may try this: the psexec command line is important. You have to run it before the keymgr.dll command line so that you access the storage under SYSTEM context.

    Thanks for the help, this really helped.

    BR.

    Thursday, September 13, 2012 11:41 AM
  • I have this same problem, only there are multiple computers with the embedded credential. Remoting into each to apply the solution will be extremely time consuming.

    Is there a way to script this and run it remotely against the list of computers?

    Thank you.

    JP

    Sunday, September 23, 2012 5:41 AM
  • This was the solution for me too. Apparently, I had logged into file server from user's laptop and of course, our network passwords had changed. Each day, my own account would become locked out and with the help of our System Engineers, I was able to track down which user's laptop this was happening from.
    Monday, December 03, 2012 3:52 PM
  • This was the solution for me too. Apparently, I had logged into file server from user's laptop and of course, our network passwords had changed. Each day, my own account would become locked out and with the help of our System Engineers, I was able to track down which user's laptop this was happening from.


    Have you found the reason? I mean why computers can't receive a new password from the AD server. Is it a Kerberos issue or something like that?
    Tuesday, December 04, 2012 7:16 AM
  • Many thanks for a perfect solution to a problem that had me baffled for over a month.  I'm quite perplexed why authentication to a resource would have been cached and made so difficult to remove.

    Also critical to the resolution is to inspect your AD server's Security event log for ID 644 which will list the offending computer or ID 675 which will list the IP address.  In my case, the problem was not just my computer but a few others that had my cached credentials.

    Again, many thanks!

    Thursday, February 14, 2013 7:22 PM
  • I have encountered the same issue on our Windows 7 deployment and from a bit of digging it looks like all our Windows 7 computers have cached the password.

    Is there any way of running this through a command to flush the credentials stored in the System context?

    Thursday, July 18, 2013 10:11 AM
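
For the two requests in the thread to script this across machines, here is an added example (not from the thread or from Microsoft) that inventories the SYSTEM-context entries remotely, so that the reviewed ones can then be removed as described in the answer. It assumes PsExec is on the PATH, administrative rights on the targets, English `cmdkey` output, and that `cmdkey /list` run as SYSTEM reads the same store the keymgr dialog shows; `ConvertFrom-CmdKeyList`, `Get-SystemStoredCredential` and `computers.txt` are hypothetical names.

```powershell
# Added example: list credentials stored under the SYSTEM account on many hosts.
# Nothing is deleted here; entries used by scheduled tasks may be legitimate.
function ConvertFrom-CmdKeyList {
    param([string[]]$Lines, [string]$ComputerName)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { [pscustomobject]$entry }   # emit the previous entry
            $entry = [ordered]@{ Computer = $ComputerName; Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    if ($entry) { [pscustomobject]$entry }
}

function Get-SystemStoredCredential {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        # -s runs cmdkey as SYSTEM on the remote host; the PsExec banner goes to stderr.
        $out = & psexec.exe "\\$computer" -accepteula -s cmdkey.exe /list 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "${computer}: PsExec/cmdkey exited with code $LASTEXITCODE"
            continue
        }
        ConvertFrom-CmdKeyList -Lines $out -ComputerName $computer
    }
}

# Constructed sample of cmdkey output, so the parser can be checked offline.
$sample = @(
    'Currently stored credentials:', '',
    '    Target: Domain:target=storage.network.com',
    '    Type: Domain Password',
    '    User: network\username'
)
ConvertFrom-CmdKeyList -Lines $sample -ComputerName 'SAMPLE'

# Real run: report only entries saved for the account that keeps locking out.
# Get-SystemStoredCredential -ComputerName (Get-Content .\computers.txt) |
#     Where-Object { $_.User -like '*username*' }
```

Filtering on the locked-out account keeps the report to the entries worth removing and leaves credentials that other scheduled tasks depend on alone.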

  • @Victor Selvaraj

    Thanks for posting. This was the solution for us as well. Thanks for the positive contribution to the community.
    Thursday, September 19, 2013 3:34 PM
  • My Win7 got the same problem too. I asked the AD manager and he gave me a list of "who or which computer blocked your account". I checked their systems but I didn't find any saved password on my computer or the other computers. Is there any solution that can resolve this issue?

    A job that covers everything

    Tuesday, November 05, 2013 4:48 AM
  • After three days of chasing this issue on multiple machines, I ran across this blog.  Please make sure that when you run through this process that you are logged in as a local admin and have the command prompt elevated.  If you don't, you may not see the "new DOS" window appear. (This is key to the process).
    Thursday, September 04, 2014 7:17 PM
  • I got a similar one recently and managed to fix it. You may follow the steps below.

    • Login into the machine as a user with Admin privilege.
    • On Run, type control userpasswords2. Click Advanced tab, Click Manage passwords and see whether there are any entries. If yes, clear them off.
    • As mentioned by Victor, Download PsExec.exe and copy it to C:\Windows\System32 .

    From a command prompt run:    psexec -i -s -d cmd.exe

    From the new DOS window run:  rundll32 keymgr.dll,KRShowKeyMgr

    Remove any items that appear in the list of Stored User Names and Passwords

    • Unjoin the machine from the domain and try doing these steps. You may be surprised to see the domain accounts that are cached.
    • Rejoin the machine to the domain and check.

    This should solve the account lockout issue.


    Friday, October 10, 2014 6:43 PM
  • Thank you very much for sharing the solution, that worked for me on a Windows 2008R2 Server that was locking out one account.
    Monday, November 03, 2014 12:28 PM
  • Super.. thanks a lot
    Friday, October 30, 2015 7:38 AM
  • Even simpler: just run the command via PowerShell

    rundll32 keymgr.dll,KRShowKeyMgr

    Tuesday, August 22, 2017 5:11 AM