Help in finding account lockout source

 
SteveO
External


Since: May 25, 2006
Posts: 3



PostPosted: Thu May 25, 2006 11:38 am    Post subject: Help in finding account lockout source
Archived from groups: microsoft>public>win2000>active_directory

Since changing passwords a couple of weeks ago I have an account that
keeps getting locked out. In the past when this has happened the event
viewer gave me the IP of the offending computer; this time it appears
that the domain controller itself is the one locking the account. I
have checked all services and scheduled tasks with no luck. I followed
all the account lockout troubleshooting steps and have gotten a bit
more information but I am still not able to find the source. Here is
the event log error:
A Kerberos Error Message was received:
on logon session FQDN\dcname$
Client Time:
Server Time: 23:51:33.0000 5/24/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/DOMAIN
Target Name: krbtgt/DOMAIN@DOMAIN
Error Text:
File: e
Line: 6bc
Error Data is in record data. (the data names the account in
question.)

My kerberos debug log says this:

1168.748> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC
logon session for 0:0xb666e, accepting 0:0x3e7
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
acct@domain
1168.3104> Kerb-Error: KerbCallKdc failed: error 0x18.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx, line 1715
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
acct@domain
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
acct@domain
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
acct@domain
1168.3104> Kerb-Error: GetAuthenticationTicket: Failed to build
pre-auth data: 0xc000006a.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx,

Anyone have an idea of where to go next?

TIA,
Steve
akumar
External


Since: May 30, 2006
Posts: 1



PostPosted: Tue May 30, 2006 9:13 am    Post subject: Re: Help in finding account lockout source

Hey Steve,

I have been facing the same issue for the last 20-30 days. We have been
trying to work with Microsoft support but they even didn't provide us
any solution.
If you resolve your issue please let me too in resolving the issue.

regards,
Ajay

SteveO
External


Since: May 25, 2006
Posts: 3



PostPosted: Tue May 30, 2006 3:10 pm    Post subject: Re: Help in finding account lockout source

I have tried this, the Netlogon logs make it appear that the lockout is
coming from the domain controller itself.

The netlogon debug produces:
05/30 11:07:09 [MAILSLOT] Received ping from DC.DOM.COM (null) on
<Local>
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM cache is too old. 1988266
05/30 11:07:09 [MAILSLOT] NetpDcPingListIp: DOM.COM: Sent UDP ping to
192.168.19.46
05/30 11:07:09 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to
DC2.dom.com
05/30 11:07:09 [MISC] NlPingDcNameWithContext: DC2.dom.com responded
over IP.
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM using cached information
05/30 11:07:09 [MISC] BEND: DsGetDcName function returns 0:
Dom:CI.BEND.OR.US Acct:(null) Flags: PDC IP

here are some event logs:

Pre-authentication failed:
User Name: user
User ID: DOM/user
Service Name: krbtgt/DOM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,28754813}
Process ID: 1112
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: BEND
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY

TIA,
Steve
SteveO
External


Since: May 25, 2006
Posts: 3



PostPosted: Tue May 30, 2006 6:13 pm    Post subject: Re: Help in finding account lockout source

Well I found it by sheer luck and coincidence. One of the techs called
me about a DHCP address reservation and as I was poking around the
server config I looked at the Advanced tab and then the credentials
button. Sure enough there was the offending account. I was having
trouble with Dynamic DNS and used this account to troubleshoot and
forgot all about it; sloppy administration. You would have thought
that somewhere in the logs it would have mentioned DHCP. It was also
why sometimes it would take an hour to lock the account (later in the
day) and sometimes it would lock in 5 minutes (in the morning).
Thanks for trying! Hopefully this will help someone.
Steve
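
Added example (not part of the original posts): a small Python triage script for the situation in this thread, where Event 675 pre-authentication failures (failure code 0x18) show Client Address 127.0.0.1. It parses pasted event descriptions in the layout quoted above and separates failures raised on the DC itself, which point at something configured on that server such as the stored DHCP dynamic DNS credentials found here, from failures arriving from another host. The sample records, account names and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: Event ID 675 descriptions in the layout quoted in this
# thread. Account names, realm and addresses are made up for illustration.
SAMPLE_EVENTS = """\
Pre-authentication failed:
User Name: svc-example
User ID: EXAMPLE\\svc-example
Service Name: krbtgt/EXAMPLE
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Pre-authentication failed:
User Name: svc-example
Failure Code: 0x18
Client Address: 127.0.0.1

Pre-authentication failed:
User Name: Administrator
Failure Code: 0x18
Client Address: 192.0.2.120
"""

FIELD = re.compile(r"^\s*([A-Za-z\- ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split pasted event text into one dict of fields per 675 record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if line.strip().lower().startswith("pre-authentication failed"):
            events.append({})          # header line starts a new record
        elif m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def classify_source(address):
    """Loopback means the request was made on the DC that logged it."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"               # empty or malformed Client Address
    return "local-to-dc" if ip.is_loopback else "remote-host"

def summarize(events, failure_code="0x18"):
    """Count failures per (user, client address, source class)."""
    tally = Counter()
    for ev in events:
        if ev.get("Failure Code", "").lower() != failure_code:
            continue                   # only KDC_ERR_PREAUTH_FAILED records
        addr = ev.get("Client Address", "")
        tally[(ev.get("User Name", "?"), addr, classify_source(addr))] += 1
    return tally

if __name__ == "__main__":
    for key, count in summarize(parse_events(SAMPLE_EVENTS)).most_common():
        print(count, *key)
```

A "local-to-dc" row means the search belongs on the domain controller's own services and stored credentials; a "remote-host" row means checking that host for batch scripts, scheduled tasks and services using the account.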
Jorge de Almeida Pinto [M
External


Since: Jan 18, 2006
Posts: 273



PostPosted: Tue May 30, 2006 7:13 pm    Post subject: Re: Help in finding account lockout source

Have you tried to use netlogon debug logging?
http://support.microsoft.com/?id=109626

Start at the PDC FSMO, which will tell what DC, and that DC will tell what
server/client, and then search the client/server for batch scripts, scheduled
tasks, services or anything else that uses an account in the domain.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
Jorge de Almeida Pinto [M
External


Since: Jan 18, 2006
Posts: 273



PostPosted: Wed May 31, 2006 1:33 am    Post subject: Re: Help in finding account lockout source

Try what is specified here:
http://www.eksternkompetanse.no/blog/PermaLink,guid,43f143b3-f389-4946-9bdf-21a1b787f5cb.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
Ajay Kumar
External


Since: May 31, 2006
Posts: 1



PostPosted: Wed May 31, 2006 10:31 pm    Post subject: Re: Help in finding account lockout source

Hi guys,
My problem is still persisting. I have enabled the audit log and here is the one
below; please help me in resolving this issue. It is the issue that accounts are
getting locked.

------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/31/2006
Time: 6:07:21 PM
User: NT AUTHORITY\SYSTEM
Computer: INDIA06
Description:
Pre-authentication failed:
User Name: Administrator
User ID: INDUCTIS\Administrator
Service Name: krbtgt/INDUCTIS.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.0.3.120


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------

Regards,
-Ajay




--
Ajay Kumar
(Sr.System admin)
Inductis Inc.
Yankee
External


Since: Apr 09, 2009
Posts: 1



PostPosted: Thu Apr 09, 2009 4:10 am    Post subject: Re: Help in finding account lockout source

SteveO;1904315 Wrote:
> Well I found it by sheer luck and coincidence. One of the techs called
> me about a DHCP address reservation and as I was poking around the
> server config I looked at the Advanced tab and then the credentials
> button. Sure enough there was the offending account. I was having
> trouble with Dynamic DNS and used this account to troubleshoot and
> forgot all about it; sloppy administration. You would have thought
> that somewhere in the logs it would have mentioned DHCP. It was also
> why sometimes it would take an hour to lock the account (later in the
> day) and sometimes it would lock in 5 minutes (in the morning).
> Thanks for trying! Hopefully this will help someone.
> Steve



STEVE!!! You are the Man! Do you realize that what you have
mentioned....Literally no one, no-one on the darn internet, I'm talking
technet, petri, every site out there and no one had this as a solution.
I know because I have been putting up with this for over a year!

This was caused by following Microsoft's Best Practices and changing
the default Admin name. After this was done I would get THOUSANDS of
672 Errors a day. I didn't just put it back because we had an admin
leave and I had to change the password anyway, which as I tested, also
caused this error apart from the name change. Long story short, I just
set aside another 8 straight hours today to again tackle this issue and
this was the last article I came across...

Much Thanks!


--
Yankee
Pacerfan9
External


Since: Sep 02, 2009
Posts: 1



PostPosted: Wed Sep 02, 2009 4:10 pm    Post subject: Re: Help in finding account lockout source

After we changed a user account I had the same problem as well. Seeing
the failure coming from 127.0.0.1 was a real puzzler. Thanks for
posting your question AND solution!


--
Pacerfan9
Pixa



Joined: Jul 08, 2010
Posts: 1



PostPosted: Thu Jul 08, 2010 6:24 pm    Post subject: Re: Help in finding account lockout source

SteveO wrote:
> Well I found it by sheer luck and coincidence. One of the techs called
> me about a DHCP address reservation and as I was poking around the
> server config I looked at the Advanced tab and then the credentials
> button. Sure enough there was the offending account. I was having
> trouble with Dynamic DNS and used this account to troubleshoot and
> forgot all about it; sloppy administration. You would have thought
> that somewhere in the logs it would have mentioned DHCP. It was also
> why sometimes it would take an hour to lock the account (later in the
> day) and sometimes it would lock in 5 minutes (in the morning).
> Thanks for trying! Hopefully this will help someone.
> Steve


Hey SteveO, I must say, you're the man :)
I only registered to this site to say thank you; I lost a day troubleshooting and looking through events and netlogon logs before I saw your post.

Thanks