none
Fishy Account lockout with EventID 4740 without caller computer name:

    Question

  • Greetings,

    On my 3 domain controller network with only 200 users, several users are getting locked out frequently, after runining the account lockout tool, i am getting Caller Computer Name:  *(blank), how do i further troubleshoot this.

    4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Mon Sep 12 17:53:59 2011,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  TRCSNA01PDC00$   Account Domain:  derpherpderp   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-3565604916-139569381-2277910863-1198   Account Name:  tjohnsen    Additional Information:   Caller Computer Name:          < no computer name

     

    Thank You

     

    • Edited by NTFS68 Wednesday, September 14, 2011 5:01 AM
    Tuesday, September 13, 2011 7:31 AM

Answers

  • Hi,

     

    Based on my research, the empty "Caller Computer Name" occurs because of the following:

     

    1. There is no secure method for the KDC to get the remote machine's name at the current time. If the client provides the name (as in NTLM), then it's not trustworthy and can be spoofed. There are Unix-based hacking tools which spoof workstation name in NTLM auth requests.

     

    2. DNS and NetBIOS reverse lookup are not secure and are not reliable- if we tried this, we'd have a high incidence of incorrect or missing information, and hurt performance.

     

    3. Even if we chose to do add the name anyway, when we could, there's no field for us to use to carry it in Kerberos AS REQ & TGS REQ messages- we'd have to overload some other field, and run a high risk of loss of compatibility with MIT's reference implementation.

     

    This problem may not occur on all the Account lockout events. Please check if we can find any clue in other related events.

     

    For more information about Account Lockout troubleshooting, refer to:

     

    Troubleshooting Account Lockout

    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

     

    Account Lockout Tools

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

     

    Hope this helps.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Tuesday, September 20, 2011 2:34 AM
    Thursday, September 15, 2011 7:43 AM

All replies