Help in finding account lockout source


S

SteveO

Since changing passwords a couple of weeks ago I have an account that
keeps getting locked out. In the past when this has happened the event
viewer gave me the IP of the offending computer; this time it appears
that the domain controller itself is the one locking the account. I
have checked all services and scheduled tasks with no luck. I followed
all the account lockout troubleshooting steps and have gotten a bit
more information but I am still not able to find the source. Here is
the event log error:
A Kerberos Error Message was received:
on logon session FQDN\dcname$
Client Time:
Server Time: 23:51:33.0000 5/24/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/DOMAIN
Target Name: krbtgt/[email protected]
Error Text:
File: e
Line: 6bc
Error Data is in record data. (the data names the account in
question.)

My kerberos debug log says this:

1168.748> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC
logon session for 0:0xb666e, accepting 0:0x3e7
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
[email protected]
1168.3104> Kerb-Error: KerbCallKdc failed: error 0x18.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx, line 1715
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
[email protected]
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
[email protected]
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
[email protected]
1168.3104> Kerb-Error: GetAuthenticationTicket: Failed to build
pre-auth data: 0xc000006a.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx,

Anyone have an idea of where to go next?

TIA,
Steve
 
Ad

Advertisements

A

akumar

Hey Steve,

I have been facing the same issue since last 20-30 days. we have been
trying to work with Microsoft support but they event din't provide us
any solution.
if you resolve your issue please let me too in resolving the isssue.

regards,
Ajay
 
J

Jorge de Almeida Pinto [MVP]

have you tried to use netlogon debug logging?
http://support.microsoft.com/?id=109626

start at the PDC fsmo, which will tell what DC and that DC will tell what
server/client and then search the client/server for batch scripts, scheduled
tasks, services or anything else that uses an account in the domain

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
S

SteveO

I have tried this, the Netlogon logs make it appear that the lockout is
coming from the domain controller itself.

The netlogon debug produces:
05/30 11:07:09 [MAILSLOT] Received ping from DC.DOM.COM (null) on
<Local>
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM cache is too old. 1988266
05/30 11:07:09 [MAILSLOT] NetpDcPingListIp: DOM.COM: Sent UDP ping to
192.168.19.46
05/30 11:07:09 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to
DC2.dom.com
05/30 11:07:09 [MISC] NlPingDcNameWithContext: DC2.dom.com responded
over IP.
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM using cached information
05/30 11:07:09 [MISC] BEND: DsGetDcName function returns 0:
Dom:CI.BEND.OR.US Acct:(null) Flags: PDC IP

here are some event logs:

Pre-authentication failed:
User Name: user
User ID: DOM/user
Service Name: krbtgt/DOM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,28754813}
Process ID: 1112
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: BEND
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY

TIA,
Steve
 
S

SteveO

Well I found it by sheer luck and coincidence. One of the techs called
me about an DHCP address reservation and as I was poking around the
server config I looked at the Advanced tab and then the credentials
button. Sure enough there was the offending account. I was having
trouble with Dynamic DNS and used this account to troubleshoot and
forgot all about it; sloppy administration. You would have thought
that somewhere in the logs it would have mentioned DHCP. It was also
why sometimes it would take an hour to lock the account (later in the
day) and sometimes it would lock in 5 minutes (in the morning).
Thanks for trying! Hopefully this will help someone.
Steve
 
Ad

Advertisements

A

Ajay Kumar

Hi guys,
my problem still presisting, i have enable the audit log and here is the one
below, please help me in resloving this issue.it is the issue accounts are
getting locked.

------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/31/2006
Time: 6:07:21 PM
User: NT AUTHORITY\SYSTEM
Computer: INDIA06
Description:
Pre-authentication failed:
User Name: Administrator
User ID: INDUCTIS\Administrator
Service Name: krbtgt/INDUCTIS.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.0.3.120


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top