Windows 7 - AD Account keeps locking

  • Question

  • Hello,

    We are starting to roll out Win7.  We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals).  The other 3 machines are OK, but we see errors in the domain controller event log for those also.  The event log entry is at the end of the post (I've redacted some items).  Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account in AD, and registry changes, including changing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.  Any suggestions would be appreciated.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date:  5/15/2012
    Time:  3:05:16 PM
    User:  NT AUTHORITY\SYSTEM
    Computer: (Domain Controller's hostname)

    Description:
    Pre-authentication failed:
      User Name: Redacted
      User ID:  Domain\Redacted
      Service Name: krbtgt/OURDOMAIN.COM
      Pre-Authentication Type: 0x2
      Failure Code: 0x18
      Client Address: 172.16.18.133

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    • Edited by MrMet Tuesday, May 29, 2012 6:25 PM
    Tuesday, May 29, 2012 6:24 PM


All replies

  • Hello , Thanks for posting!

    Usually account lockouts are caused by service accounts, mapped drives, scheduled tasks, disconnected sessions, etc. Failure code 0x18 usually means a bad password, so talk to the users and ensure they don't use a wrong password, and check that the Bad Password Threshold is not set too low.

    Look at this article to troubleshoot further:

    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx


    Sachin Gadhave
    MCP, MCSA, MCTS

    Tuesday, May 29, 2012 6:51 PM
  • Thanks for the reply.  We have already looked at all of the scenarios in the "Common Causes for Account Lockouts" section, as I mentioned, we already looked at scheduled tasks, printer mappings, network drive mappings.  The bad password threshold is set to 5, not that it is relevant in this case since it happens to EVERY account logged into the Windows 7 machine.  This must be some sort of Active Directory bug or something.  Any other suggestions?

    Tuesday, May 29, 2012 8:22 PM
    Have you checked for the Conficker virus, just in case? http://support.microsoft.com/kb/962007

    See also http://support.microsoft.com/kb/109626

    Are these clean-install Windows 7 machines? Have you installed any software which ties in user credentials? Also disable group policies on these systems to check.


    Sachin Gadhave
    MCP, MCSA, MCTS

    Wednesday, May 30, 2012 5:25 AM
  • Hi,

    Event ID 675 with failure code 0x18 shows the Redacted account using an incorrect password; the client address 172.16.18.133 identifies the network client that caused this failure. Please perform the following steps to troubleshoot:

    1. Check the "Log On" details for all services, find the mwadmin account and update the password.
    2. Check Scheduled Tasks which run with the mwadmin account.
    3. Restart Windows in Safe Mode or do a Clean Boot to check if any third-party application is configured to use the mwadmin account.
    4. Use the Account Lockout and Management Tools to troubleshoot account lockouts and to change a user's password.

    One more question: have you defined any Kerberos authentication related policy or modified the Kerberos authentication related registry before you got these errors?

    Please enable Kerberos event logging on issue computer:

    1. Start Registry Editor.
    2. Add the following registry value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    Registry Value:  LogLevel

    Value Type:  REG_DWORD

    Value Data: 0x1

    If the Parameters subkey does not exist, create it.

    You can find any Kerberos-related events in the system log.

    Note: Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.

    For more information please refer to following MS articles:

    Kerberos Authentication Tools and Settings
    http://technet.microsoft.com/en-us/library/cc738673(v=WS.10).aspx
    How to enable Kerberos event logging
    http://support.microsoft.com/kb/262177
    Maintaining and Monitoring Account Lockout
    http://technet.microsoft.com/en-us/library/cc776964(v=WS.10).aspx

    Hope this helps!

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.



    Lawrence

    TechNet Community Support


    Wednesday, May 30, 2012 5:39 AM
    Moderator
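As an added example (not part of Lawrence's post, the Account Lockout tools, or anything Microsoft ships), here is a PowerShell script that does the correlation step the post describes by hand: it pulls the pre-authentication failures, NTLM validation failures and lockouts from a domain controller's Security log and groups them by account and client address, so the "Client Address: 172.16.18.133" field that identified the Win7 box in the 675 event above can be found across every account at once. It assumes a Windows Server 2008 or later DC, where the events are 4771/4776/4740 (the successors of the 675/681/644 IDs a 2003 DC writes); the DC name 'DC01', the 24-hour window and the threshold of 5 are placeholders.

```powershell
# Added example, not from the thread. Correlate bad-password failures and
# lockouts on a DC to find the machine that is burning the attempts.
# Assumptions: 2008+ DC (Security events 4771/4776/4740), and an account
# that can read its Security log remotely. 'DC01' is a placeholder.
# For a 2003 DC (event 675, as in the post) use Get-EventLog -ComputerName
# $dc -LogName Security -After $since and filter .EventID -in 675,681,644;
# the fields there are 'User Name', 'Client Address' and 'Caller Machine Name'.
param(
    [string]$DomainController = 'DC01',   # placeholder
    [int]$Hours = 24,
    [int]$Threshold = 5                    # your Bad Password Threshold
)

$since = (Get-Date).AddHours(-$Hours)

# 4771 = Kerberos pre-authentication failed (Failure Code 0x18 = bad password)
# 4776 = NTLM credential validation (Error Code 0xC000006A = bad password)
# 4740 = account locked out
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pull "Name: value" out of the event text. -Last is needed for 4740, where
# 'Account Name' appears twice (the DC's own account under Subject first,
# then the locked-out account).
function Get-Field {
    param([string]$Message, [string]$Name, [switch]$Last)
    $m = [regex]::Matches($Message, "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$")
    if ($m.Count -eq 0) { return $null }
    $hit = if ($Last) { $m[$m.Count - 1] } else { $m[0] }
    return $hit.Groups[1].Value
}

$rows = foreach ($e in $events) {
    switch ($e.Id) {
        4771 { [pscustomobject]@{
                Time   = $e.TimeCreated; Kind = 'KerbPreAuthFail'
                User   = Get-Field $e.Message 'Account Name'
                # 4771 writes IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix
                Source = (Get-Field $e.Message 'Client Address') -replace '^::ffff:', ''
                Code   = Get-Field $e.Message 'Failure Code' } }
        4776 { [pscustomobject]@{
                Time   = $e.TimeCreated; Kind = 'NtlmValidation'
                User   = Get-Field $e.Message 'Logon Account'
                Source = Get-Field $e.Message 'Source Workstation'
                Code   = Get-Field $e.Message 'Error Code' } }
        4740 { [pscustomobject]@{
                Time   = $e.TimeCreated; Kind = 'Lockout'
                User   = Get-Field $e.Message 'Account Name' -Last
                Source = Get-Field $e.Message 'Caller Computer Name'
                Code   = '' } }
    }
}

# Only failures count toward the threshold: a 4776 with Error Code 0x0 is a success.
$failures = $rows | Where-Object { $_.Kind -ne 'Lockout' -and $_.Code -ne '0x0' }
$lockedUsers = $rows | Where-Object { $_.Kind -eq 'Lockout' } | ForEach-Object { $_.User }

# One line per (account, source); anything at or above the threshold is a lockout source.
$failures | Group-Object User, Source | ForEach-Object {
    $u, $s = $_.Values
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        User      = $u
        Source    = $s
        Failures  = $_.Count
        First     = $sorted[0].Time
        Last      = $sorted[-1].Time
        LockedOut = [bool]($lockedUsers -contains $u)
    }
} | Where-Object { $_.Failures -ge $Threshold } | Sort-Object Failures -Descending
```

Run it as an account that can read the DC's Security log; the output is plain objects, so it can be piped to Format-Table or Export-Csv. The Source column only identifies the machine, never the process: to get from 172.16.18.133 to Outlook the thread still had to capture the Kerberos traffic on the client itself, and the LogLevel registry value above is the client-side complement to this DC-side view.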
  • Hi,

    I would like to confirm what is the current situation? Have you resolved the problem?

    If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.


    Lawrence

    TechNet Community Support

    Monday, June 4, 2012 8:40 AM
    Moderator
  • Hi Lawrence,

    Believe we have found the cause, but not a solution (though possible workarounds).  We use hosted Exchange and the domain in the user ID matches the name of our internal AD domain.  Apparently, Outlook is sending the credentials for hosted Exchange to the domain controller, and since the user IDs are the same as well (i.e., domain\jsmith = jsmith@domain.com) the account gets locked.  Apparently, we are not the only one:  http://community.spiceworks.com/topic/151011-hosted-exchange-office-365-causing-domain-lockouts

    This is not an issue with XP, only on Win 7, as there have been some changes in the way Windows 7 authenticates against AD. 

    So, my question is, is Microsoft working on a fix for this issue?  On another forum post, someone mentioned that Microsoft was working on a hotfix.  Any info would be helpful.

    Thanks...

     

    Wednesday, June 6, 2012 2:23 PM
    Do you use Outlook Anywhere on those computers to connect to the Exchange?

    The cached credential should be sent in NTLM to the server directly in that case, without authenticating to your AD.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Wednesday, June 6, 2012 5:01 PM
    Moderator
  • You hit the nail on the head - they SHOULD be.  But apparently not.  Yes we use outlook anywhere and have an autodiscover DNS record for the Exchange server in the cloud.  Suggestions? Thanks...

    Wednesday, June 6, 2012 5:21 PM
    Well, my first idea would be to confirm, to be honest.

    To be sure it uses NTLM: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7

    On your hoster, is basic authentication there too? It could be your NTLM setting in Win7 that is too strict, so the client would fall back to basic auth. See: Changes in NTLM Authentication

    My last step would be to target a test computer, and Wireshark all traffic going to your AD for auth, to be sure what process really does auth against your DC. (how to filter for Kerberos traffic)


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Wednesday, June 6, 2012 5:38 PM
    Moderator
    We looked at the Kerberos traffic, it is Outlook indeed causing the issue.  We are using the Windows 7 defaults (not blocking NTLM) except for the fact that we have a GPO set up that disables the use of LM Hash, which is a different animal.
    Wednesday, June 6, 2012 6:01 PM
    I would test without that GPO, to be honest. From memory NTLM doesn't make any Kerberos call. (Or test with an older Outlook.) (But it can use the LM hash: http://support.microsoft.com/kb/820281  Old KB, but it shows that NTLM uses the LM hash in some way.)

    I did a program in the past that used libNTLM to send an NTLM hash to Exchange 2007/2010 and it's only a 3-phase negotiation on the SSL port, nothing Kerberos there... (link there to show) Outlook falls back to the basic auth scheme for an odd reason.


    MCP | MCTS 70-236: Exchange Server 2007, Configuring




    Wednesday, June 6, 2012 7:43 PM
    Moderator
  • Hi,

    I would like to confirm what is the current situation? Have you resolved the problem?

    If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.



    Lawrence

    TechNet Community Support

    Monday, June 11, 2012 7:41 AM
    Moderator
  • Hello,

    The problem's not resolved, we tested with no GPO's being applied and still the same issue.  Seems like there needs to be a patch to Outlook 2010 for this problem.

    Monday, June 11, 2012 2:34 PM
  • Hi,

    Please check below registry entry in your Windows 7 PC.

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover

    "ExcludeScpLookup"=dword:1
    "ExcludeSrvLookup"=dword:1
    "ExcludeSrvRecord"=dword:1

    Make sure these three entries exist; if they do not exist, create them.

    Check whether this change can fix your issue.

    If it can fix your issue, deploy the registry change through Group Policy refer to following article:

    Deploying Custom Registry Changes through Group Policy
    http://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx

    For more information please refer to following MS articles:

    Autodiscover not working
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/d7239327-23d9-4c2a-a36d-adae493aac07
    Step by step Manual BPOS --> Office 365
    http://community.office365.com/en-us/f/147/p/7474/32719.aspx

    Hope this helps!

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Lawrence

    TechNet Community Support

    Wednesday, June 13, 2012 7:30 AM
    Moderator
  • Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.

    If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

    Thanks!



    Lawrence

    TechNet Community Support

    Monday, June 18, 2012 2:13 AM
    Moderator
  • Not resolved - according to the Microsoft support engineers, this is an Outlook issue and Microsoft is supposed to be issuing a hotfix for this problem by the end of the month. 
    • Edited by MrMet Monday, June 18, 2012 1:51 PM
    • Marked as answer by Lawrence,Moderator Tuesday, June 19, 2012 8:45 AM
    Monday, June 18, 2012 1:50 PM
  • Hi,

    Although this issue has not been resolved, fortunately we have tracked down the source of the problem.

    Let's wait for the hotfix for this issue.

    And if you have any progress please update in this thread.


    Lawrence

    TechNet Community Support

    Tuesday, June 19, 2012 8:53 AM
    Moderator
  • @Lawerence Lv

    Can you tell us when the expected release date is of these hotfixes? If we open a support request, will they have something we can utilize before the official hotfix release for this issue?

    Wednesday, June 27, 2012 1:21 PM
  • I was told by Microsoft that the hotfix would be released by the end of this month.  For customers running with a hybrid of both on premise Exchange and cloud-based Exchange, that hotfix will be released in August.
    Wednesday, June 27, 2012 1:43 PM
  • If anyone else is experiencing this issue, Microsoft released the hotfix:

    Outlook 2007:

    http://support.microsoft.com/kb/2598366

    Outlook 2010:

    http://support.microsoft.com/kb/2598374

    After applying the hotfix, need to add the following registry entry:

    Outlook 2007:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]

    "DisableWebAuthenticationType"=dword:00000010

    Outlook 2010

    [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]

    "DisableWebAuthenticationType"=dword:00000010

    • Marked as answer by MrMet Monday, July 9, 2012 8:15 PM
    Monday, July 9, 2012 8:14 PM
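As an added example, not from the post above or from the hotfix KB articles, here is a PowerShell logon script that applies the per-user registry value the post prescribes for whichever of the two Outlook versions the user actually has, and then reports what is in place. The value lives under HKEY_CURRENT_USER, so it has to run as the logged-on user (logon script or Group Policy Preferences) rather than once per machine. The key paths (12.0, 14.0) and the value 0x10 are exactly the ones in the post; the version detection, the idempotency check and the verification pass are assumptions of my own.

```powershell
# Added example, not from the thread or the hotfix KB. Sets the HKCU value
# the post prescribes for each Outlook version present in this user's hive.
# Must run in the user's context (logon script / GPP); HKCU is per profile.
$value   = 0x10   # value from the post; its meaning is not documented on the page
$targets = @{
    '12.0' = 'Outlook 2007'
    '14.0' = 'Outlook 2010'
}

foreach ($ver in $targets.Keys) {
    $outlookKey  = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    $securityKey = "$outlookKey\Security"

    # Only touch versions this user actually has an Outlook hive for.
    if (-not (Test-Path $outlookKey)) {
        Write-Verbose "$($targets[$ver]) key not present for this user; skipping"
        continue
    }

    # The Security subkey may not exist until Outlook writes something there.
    if (-not (Test-Path $securityKey)) {
        New-Item -Path $securityKey -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $securityKey -Name 'DisableWebAuthenticationType' `
                    -ErrorAction SilentlyContinue).DisableWebAuthenticationType
    if ($current -ne $value) {
        New-ItemProperty -Path $securityKey -Name 'DisableWebAuthenticationType' `
            -PropertyType DWord -Value $value -Force | Out-Null
        Write-Output ("{0}: DisableWebAuthenticationType set to 0x{1:X}" -f $targets[$ver], $value)
    } else {
        Write-Output ("{0}: already set to 0x{1:X}" -f $targets[$ver], $value)
    }
}

# Verification pass: show every Office version in this hive and what the value is,
# which is the quickest way to confirm the logon script actually ran for a user.
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path "$($_.PSPath)\Outlook\Security" } |
    ForEach-Object {
        $p = Get-ItemProperty "$($_.PSPath)\Outlook\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Office = $_.PSChildName
            DisableWebAuthenticationType = $(
                if ($null -ne $p.DisableWebAuthenticationType) { '0x{0:X}' -f $p.DisableWebAuthenticationType }
                else { '(not set)' })
        }
    }
```

Because the hotfix is per machine and this value is per profile, a user who roams to a patched machine without the value still gets the old behaviour; running this at every logon keeps the two in step.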
  • Thanks for the feedback, it will help everyone else that got the trouble.

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    • Proposed as answer by pmabke Friday, October 19, 2012 2:24 PM
    • Unproposed as answer by pmabke Friday, October 19, 2012 2:24 PM
    Tuesday, July 10, 2012 1:34 AM
    Moderator
    We had the same problem.  Several users getting locked out.  We used Office 365 (with Office 2010) and recently broke our federation because we changed our internal domain name.  The end result was that after our local domain name change a few users ended up with passwords for our network and Office 365.  Only those users with different passwords were having the lockout problems.  We had already applied the hotfix listed in this article (KB2598374), but did not apply the reg fix at this time as I think it's the unmatched passwords causing the problem.

    I hope this helps someone.

    Paul Abke

    Friday, October 19, 2012 2:29 PM
  • The patch alone doesn't solve the problem, you need to apply the reg fix too (the reg fix is profile specific - must be applied to the logged on user).  Once you do that, users can have mismatched passwords and it won't matter.
    Friday, October 19, 2012 4:35 PM
    Awesome.

    Is there a hotfix for the same issue with Office 2013 when using hosted Exchange?

    Thursday, December 19, 2013 10:59 PM
  • Since the hotfix came out before Office 2013, I would assume (or hope) that a hotfix would not be needed, but rather they would have baked it directly into Outlook 2013.  You may still need to implement the registry fix though.
    Friday, December 20, 2013 2:33 PM
  • Hi,

    I can say that a 2008 R2 Terminal Server could also cause this problem with some locked AD accounts

    if you use Outlook 2013!

    :-)

    So at one customer site there is only one account which is locked out every day.

    I am sure that I can solve this problem by recreating the TS user profile where Outlook 2013 is used,
    because no other user has similar effects. Maybe the problem can also be solved by clearing the credential store in the User Accounts control panel.

    In my case the terminal servers sit in another domain, connecting/authenticating to another domain (different forest!), and maybe the cached credentials are corrupt.

    Strange problem.
    bye Mathias

    Thursday, May 8, 2014 8:25 AM