Authentication issue


Ken Richmond

Hi,

Windows 2000 domain, XP SP2 Desktop, roaming profile. Two servers (one
running Exchange 2000), both DCs.

The user changes his password and all appears well. Soon after, the user
complains that he gets prompted for a password when accessing resources on
the email server (either email or shares). Trying to log in with either the
old or new password fails. Multiple failed attempts eventually lock out the
account.

Not sure where to go with this. Would appreciate any suggestions.

Cheers,
Ken
 

Vincent Xu [MSFT]

Hi Ken,

Generally, troubleshooting account lockout issues is complicated. We need to
confirm which client computer is causing the account lockout issue first
(in most cases it should be that problematic user's computer; however, to
ensure that we begin the troubleshooting in the right way, we need to
double-check this). After that, we need to check which
process/application on that computer keeps causing the problem.

Based on my research on some commonly encountered account lockout issues, I
would like to suggest that we check the following:

Suggestions:
=============

1. Please enable the user logon audit in your domain.

To do so, you can configure both the Default Domain Policy and the Default
Domain Controller Policy and enable the following setting:

Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy\
"Audit account logon events"

Please enable both Success and Failure logon audit.

Then, check the audit event logs on the domain controllers to see on which
computer the original bad domain logon attempt occurred.

For example, on Windows Server 2003 DCs, we may see event 681 when the user
is locked out. Please check the 681 events for that problematic user
account, and check what the exact "From Workstation" is. If it is a DC, please
go to that DC and check its 681 event's "From Workstation" string.

273499 Description of Security Event 681
http://support.microsoft.com/?id=273499

This will tell us whether the original bad domain logon attempt occurs on
the problematic user account's own computer.

2. I am not sure how the account lockout policy is set there. Generally, it
is a best practices suggestion to set the Threshold value to 10 or higher.
This is high enough to rule out user error and low enough to deter hackers,
especially when the password complexity policy is enabled.

Generally, for medium security requirement, the recommended configurations
are:

Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10

For high security requirement, the recommendations are:

Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10

For more information, please refer to:

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

3. If the client computer of that user is running Windows XP, we need to
remove the previous password cache, which may be used by some applications
and therefore cause the account lockout problem.

To do so:

1) Click Start, click Run, type "control userpasswords2" (without the
quotation marks), and then click OK.
2) Click the Advanced tab.
3) Click the "Manage Password" button.
4) Check to see if this domain account's password is cached. If so,
remove it.
5) Check if the problem has been resolved now.

For more information, you may refer to the following article:

Q281660: Behavior of Stored User Names and Passwords
http://support.microsoft.com/?id=281660

4. Please ensure that all of the domain controllers, the client computers
and the Office applications have been upgraded with the latest Service Pack
and updates. Please connect to our Windows and Office update websites to
apply the latest patches.

5. On that user's computer, please also check the mapped drives and scheduled
tasks to see if something is still using the previous password of the user.

6. Check whether there are services running with the credentials of the
problematic user account:

Please download the Account Lockout and Management Tools:

Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Note: Aloinfo.exe included in the above package helps display all local
services and the account used to start them.

Please log on to the problematic client computer as the local Administrator and
run the following command:

Aloinfo.exe /stored >C:\CachedAcc.txt

Then check the C:\CachedAcc.txt file. If any application or service is
running as the problematic user account, please disable it and then check
whether the problem still occurs.



Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================
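The triage Vincent lays out (find the workstation that sent the bad credentials from the DC audit log, then look on that client for stored credentials, services, scheduled tasks and mapped drives still holding the old password) as an added example script. It is not code from the original thread or from Microsoft; it targets current Windows and PowerShell 5.1+, where event IDs 4740 and 4776 carry the "Caller Computer Name" / "Source Workstation" that the 681 event's "From Workstation" field carried on Windows 2000/2003, and where cmdkey, Get-CimInstance and schtasks cover what the control userpasswords2 dialog and Aloinfo.exe /stored did. The function names and the -User/-Hours parameters are this example's own.

```powershell
# Added example, not part of the original thread. Run Find-LockoutSource on
# each domain controller as a domain admin; run Find-StaleCredentialHolders on
# the suspect client as a local administrator. Names are this example's own.

function Find-LockoutSource {
    # Part 1: which computer is sending the bad credentials?
    #   4740 = account locked out; "Caller Computer Name" is the source host.
    #   4776 = NTLM credential validation (successor of the Windows 2000/2003
    #          680/681 events); "Source Workstation" is the source host.
    #   4625 = failed logon; "Workstation Name" is the source host.
    # If "From" names another DC, re-run this function there, exactly as the
    # reply says to do with the 681 event's "From Workstation".
    param([Parameter(Mandatory)] [string] $User, [int] $Hours = 24)

    $u = [regex]::Escape($User)
    $filter = @{ LogName = 'Security'; Id = 4740, 4776, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match ('(?im)^\s*(Account Name|Logon Account):\s+' + $u + '\s*$') } |
        ForEach-Object {
            $src = '?'
            if ($_.Message -match '(?im)^\s*(Caller Computer Name|Source Workstation|Workstation Name):\s+(\S+)') { $src = $Matches[2] }
            $why = ''
            if ($_.Message -match '(?im)^\s*(Error Code|Status|Failure Reason):\s+(.+?)\s*$') { $why = $Matches[2] }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; DC = $env:COMPUTERNAME; From = $src; Detail = $why }
        }
}

function Find-StaleCredentialHolders {
    # Part 2: what on the client still holds the old password? One check per
    # place the reply tells you to look.
    param([Parameter(Mandatory)] [string] $User)
    $u = [regex]::Escape($User)

    # Stored user names and passwords (the same list as control userpasswords2 >
    # Advanced > Manage Passwords). A stale entry is removed with: cmdkey /delete:<target>
    'Stored credentials:'
    cmdkey /list | Where-Object { $_ -match '^\s*(Target|User):' }

    # Services configured to log on as the user (what Aloinfo.exe /stored listed).
    'Services:'
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $u } |
        Select-Object Name, State, StartName

    # Scheduled tasks that run under the user's account.
    'Scheduled tasks:'
    schtasks /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match $u } |
        Select-Object TaskName, Status, 'Run As User'

    # Mapped drives; a persistent mapping reconnects at logon with whatever
    # credential was saved for it.
    'Mapped drives:'
    Get-CimInstance Win32_NetworkConnection | Select-Object LocalName, RemoteName, UserName, Status
}

# Usage (on a domain controller, then on the client named in "From"):
#   Find-LockoutSource -User ken | Format-Table -AutoSize
#   Find-StaleCredentialHolders -User ken
```

Run the first function before touching the client: if "From" is the Exchange server or another DC rather than the user's desktop, the stale credential lives there, and cleaning the desktop will not stop the lockouts.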



 

Ken Richmond

Thanks for your help, Vincent.

It was item #3, a cached password. Deleting that fixed the problem.

Cheers,
Ken
 

Vincent Xu [MSFT]

Hi,

Glad to provide assistance.

Have a good day!


Best regards,

Vincent Xu
Microsoft Online Partner Support



