Account Lockout - Source Workstation: CISCO

    Question

  • I've got an odd one where a user in one of our departments has his account locked out every few hours.  I understand that it's probably a service of sorts using her account with the wrong pw...but what's odd is that I see where it authenticates with the DC, but it leaves CISCO as the Source Workstation.  We've got a whole lot of CISCO devices in the environment and it's not in DNS, NETBIOS, etc...so what do you think we might do to trace this?  CISCO doesn't show in any NETMON traces either :o)

     

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11/25/2011 11:07:09 AM
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      IN1ABCDC02.abc.delta.local
    Description:
    The domain controller attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: 1011711
    Source Workstation: CISCO
    Error Code: 0xc000006a

    Friday, November 25, 2011 6:17 AM

Answers


  • As we know, you have narrowed down to the computer which causes the account lockout issue.

    Based on the current situation, we need to drill down to which applications are sending the bad passwords.

    A network trace from the client, or just examining which applications and services are running on it and stopping each in turn to isolate the issue, will usually be enough.

    TCPView from Sysinternals or Netstat are also good for this kind of investigation, matching the process ID of a service or application that creates a socket connection with a bad password attempt in the Netlogon log of a DC.

    Common contributors can be OS components like Credman with stale passwords, services running under a specific domain account, dumb applications with insufficient retry logic, etc. 

    The Conficker virus was also notorious for attempting brute force password attacks against members of the built-in Administrators group in the Domain.

    Note also that if you have a mixed environment you may get Account Lockout issues when you change passwords on one OS (client-side or DC-side) and then move to another legacy client that doesn't understand the protocol or algorithm used.
     
    For more information, please refer to the following Microsoft TechNet blog:
     
    Troubleshooting account lockout the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    I would also recommend installing the latest SP and hotfixes on the DC and client PC. Update the virus definition file if it is not updated and do a full scan of the DC as well as the client.

    Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account.
    Have a look at all his stuff using his user account automatically, especially his mobile (90% of the time guilty).

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by amit79 Tuesday, November 29, 2011 11:52 AM
    Saturday, November 26, 2011 5:31 AM
  • Folks, so it seems we finally found the issue: the user configured the wireless on his BlackBerry device, where he did not change the password, and that was causing the issue. We put that on monitoring, will see and update you all... as of now no bad password count....
    • Marked as answer by amit79 Tuesday, November 29, 2011 11:52 AM
    Tuesday, November 29, 2011 10:04 AM

All replies

  • Please check if that credential has been cached somewhere else.
    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Friday, November 25, 2011 7:02 AM
  • Hello,

    Please check which workstation has IN1ABCDC02 as NetBIOS name.

    Once done, please check that there is no service / application that is running on this computer with a wrong password.

    Also, see that: http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Edited by Mr XMVP Friday, November 25, 2011 12:48 PM CORRECT INFO
    Friday, November 25, 2011 7:08 AM
  • From the log it appears this problem workstation is IN1ABCDC02.abc.delta.local which is causing the lockout; try removing it from the domain and see if it works. It can also be due to a virus/worm/spyware issue. Take a look at the article below too. Netwrix has a good tool that might help you.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/f39897bb-d7de-4e66-bc69-614478de411d

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Friday, November 25, 2011 10:04 AM
    Moderator
  • Awinish, IN1ABCDC02 is a domain controller so we cannot remove it... I requested the user to change the password... but even after changing it, when I ran the account lockout tool it shows that the account is unlocked but the bad pwd count is 6 on the above mentioned DC....
    Friday, November 25, 2011 3:57 PM
  • My bad, I didn't notice it's a DC. You can refer to the article posted in the earlier link and see if it gives any clue. Also, could you scan the DC for any spyware/worm issue? If possible, give the Netwrix tool a try; I heard it's a great tool.

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Friday, November 25, 2011 4:02 PM
    Moderator
  • Hi,

    Check the link below to see if it helps you; same problem, and CISCO was the masked name of the VPN client that was trying to authenticate.

    Also check the account locking out page

    Make sure that all workstations, servers and DCs are updated with the latest patches, service packs and AV updates.

    There may be many other causes for an account being locked out:
    • user's account in Stored User Names and Passwords
    • user's account tied to a persistent mapped drive
    • user's account used as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after a user's pw was changed
    • A SMARTPHONE!!!
    • could be a virus issue.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Friday, November 25, 2011 8:36 PM
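    The answers above (Sandesh's and Abhijit's) both come down to the same step: find which source is sending the bad passwords for the account. Below is an added script, not from anyone in this thread, that pulls the DC's 4776 credential-validation failures for the account, groups them by Source Workstation and prints the gap between consecutive failures; a near-constant gap is the signature of a device or service replaying a cached password on a timer rather than a person mistyping. It assumes it is run with read access to the DC's Security log; the account, DC name and time window are placeholders taken from the posted event.

```powershell
# Added example: summarise event 4776 failures for one account on a DC.
# Assumes Security log read access; Account/ComputerName/Hours are placeholders.
param(
    [string]$Account      = '1011711',                      # Logon Account from 4776
    [string]$ComputerName = 'IN1ABCDC02.abc.delta.local',   # DC that logged the event
    [int]$Hours           = 24
)

$filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }

$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # 4776 EventData fields: PackageName, TargetUserName, Workstation, Status
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['Workstation']   # client-supplied name, e.g. CISCO
            Status      = $d['Status']
        }
    } |
    # 0xC000006A = wrong password; 0xC0000234 = account already locked out
    Where-Object { $_.Account -eq $Account -and $_.Status -in '0xc000006a','0xc0000234' }

# Which Source Workstation names are sending bad passwords for this account
$failures | Group-Object Workstation |
    Select-Object @{n='Workstation'; e={$_.Name}}, Count,
                  @{n='First'; e={($_.Group | Sort-Object Time | Select-Object -First 1).Time}},
                  @{n='Last';  e={($_.Group | Sort-Object Time | Select-Object -Last 1).Time}} |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Seconds between consecutive failures: a fixed interval points at a retry timer
$sorted = @($failures | Sort-Object Time)
for ($i = 1; $i -lt $sorted.Count; $i++) {
    [pscustomobject]@{
        Workstation = $sorted[$i].Workstation
        At          = $sorted[$i].Time
        GapSeconds  = [int]($sorted[$i].Time - $sorted[$i-1].Time).TotalSeconds
    }
}
```

    Because the Workstation value is whatever the client sent (here a masked name the VPN/wireless device chose), the timestamps, not the name, are what you then match against VPN, wireless or DHCP logs to find the real device.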
  • Thanks for your reply guys, here I would like to update you that I have gone through the article mentioned by Abhijit and, while going forward, tried to disable the Cisco VPN client service on the user's desktop but still no use; after that also the account was locked out..
    Saturday, November 26, 2011 4:29 AM
