AD account often locked, Event ID: 4771 Task Category: Kerberos Authentication Service

Question
Recently many of our AD accounts are often locked. Please see the event log. The client port is changing all the time. I felt it's a virus scanning it, but I don't know how to fix it.
Our company domain includes Windows Server 2003 and 2008.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/27/2015 9:32:12 PM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: BLSHDC02.bl.priv
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: BL\bole
Account Name: bole
Service Information:
Service Name: krbtgt/BL.PRIV
Network Information:
Client Address: ::ffff:10.0.8.17
Client Port: 1799
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-04-27T13:32:12.807883100Z" />
<EventRecordID>18932340</EventRecordID>
<Correlation />
<Execution ProcessID="672" ThreadID="908" />
<Channel>Security</Channel>
<Computer>BLSHDC02.bl.priv</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">bole</Data>
<Data Name="TargetSid">S-1-5-21-2651297640-52921627-2357121843-3722</Data>
<Data Name="ServiceName">krbtgt/BL.PRIV</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:10.0.8.17</Data>
<Data Name="IpPort">1799</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
Thanks.
Justin
Learning never ends...
Answers
Hi Justin,
The 0x18 error indicates that the pre-authentication information was invalid; it usually means a bad password. Please first confirm that your accounts are using the correct password, and check the DNS server settings on the client NIC to confirm that the preferred DNS points to the DC itself.
Another possibility: please refer to the following article to confirm whether there are legacy applications, and correct their authentication method.
Secrets of Active Directory Lockouts: How to Find Apps with Stale Credentials
http://blog.varonis.com/secrets-active-directory-lockouts-find-apps-stale-credentials/
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx?f=255&MSPPError=-2147217396
More related third party article:
4771: Kerberos pre-authentication failed
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
I’m glad to be of help to you!
- Proposed as answer by Alex Lv (Moderator), May 6, 2015 2:09
- Marked as answer by Alex Lv (Moderator), May 11, 2015 2:16
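
To locate the machine that keeps sending the bad password, 4771 events can be grouped by account and client address while ignoring the client port, which is an ephemeral source port and changes on every attempt. The following is an added example, not part of the original posts; it assumes the events were exported as XML and wrapped in a single `<Events>` root element. The helper names, the user `alice` and the host 10.0.8.40 are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ipaddress import ip_address

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# RFC 4120 error numbers that matter when chasing lockouts.
STATUS = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
          0x18: "KDC_ERR_PREAUTH_FAILED"}

def _event(user, ip, port, status="0x18", event_id=4771):
    """Build one constructed event, trimmed to the fields used here."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="IpAddress">{ip}</Data>'
            f'<Data Name="IpPort">{port}</Data></EventData></Event>')

# Constructed sample: same client, a new ephemeral port on every attempt.
SAMPLE = "<Events>" + "".join([
    _event("bole", "::ffff:10.0.8.17", 1799),
    _event("bole", "::ffff:10.0.8.17", 1803),
    _event("bole", "::ffff:10.0.8.17", 1811),
    _event("alice", "::ffff:10.0.8.40", 52110),           # hypothetical user/host
    _event("alice", "::ffff:10.0.8.40", 52111, "0x12"),   # account already locked
    _event("bole", "::ffff:10.0.8.17", 1820, event_id=4768),  # not a 4771, skipped
]) + "</Events>"

def normalize_ip(raw):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    try:
        addr = ip_address(raw)
    except ValueError:
        return raw  # leave non-address values such as "-" untouched
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def preauth_failures(xml_text):
    """Count 4771 events per (account, client IP, status), ignoring the port."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4771":
            continue
        data = {d.get("Name"): (d.text or "").strip() for d in ev.iter(NS + "Data")}
        code = int(data["Status"], 16)
        counts[(data["TargetUserName"], normalize_ip(data["IpAddress"]),
                STATUS.get(code, hex(code)))] += 1
    return counts

if __name__ == "__main__":
    print(preauth_failures(SAMPLE).most_common())
```

The client address with the highest count for a locked account is the host to inspect for stale saved credentials, such as services, scheduled tasks or mapped drives.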