
Help in finding account lockout source


SteveO

May 25, 2006, 10:38:36 AM
Since changing passwords a couple of weeks ago I have an account that
keeps getting locked out. In the past when this has happened the event
viewer gave me the IP of the offending computer; this time it appears
that the domain controller itself is the one locking the account. I
have checked all services and scheduled tasks with no luck. I followed
all the account lockout troubleshooting steps and have gotten a bit
more information but I am still not able to find the source. Here is
the event log error:
A Kerberos Error Message was received:
on logon session FQDN\dcname$
Client Time:
Server Time: 23:51:33.0000 5/24/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/DOMAIN
Target Name: krbtgt/DOMAIN@DOMAIN
Error Text:
File: e
Line: 6bc
Error Data is in record data. (the data names the account in
question.)

My Kerberos debug log says this:

1168.748> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC
logon session for 0:0xb666e, accepting 0:0x3e7
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
acct@domain
1168.3104> Kerb-Error: KerbCallKdc failed: error 0x18.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx, line 1715
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
acct@domain
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of
acct@domain
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of
acct@domain
1168.3104> Kerb-Error: GetAuthenticationTicket: Failed to build
pre-auth data: 0xc000006a.
d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx,

Anyone have an idea of where to go next?

TIA,
Steve

aku...@inductis.com

May 30, 2006, 8:13:55 AM
Hey Steve,

I have been facing the same issue for the last 20-30 days. We have been
trying to work with Microsoft support but they didn't even provide us
any solution.
If you resolve your issue, please let me know too so I can resolve the issue.

regards,
Ajay

Jorge de Almeida Pinto [MVP]

May 30, 2006, 9:13:20 AM
Have you tried to use netlogon debug logging?
http://support.microsoft.com/?id=109626

Start at the PDC FSMO, which will tell you what DC, and that DC will tell you what
server/client; then search the client/server for batch scripts, scheduled
tasks, services or anything else that uses an account in the domain.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

SteveO

May 30, 2006, 2:10:53 PM
I have tried this, the Netlogon logs make it appear that the lockout is
coming from the domain controller itself.

The netlogon debug produces:
05/30 11:07:09 [MAILSLOT] Received ping from DC.DOM.COM (null) on
<Local>
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM cache is too old. 1988266
05/30 11:07:09 [MAILSLOT] NetpDcPingListIp: DOM.COM: Sent UDP ping to
192.168.19.46
05/30 11:07:09 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to
DC2.dom.com
05/30 11:07:09 [MISC] NlPingDcNameWithContext: DC2.dom.com responded
over IP.
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM using cached information
05/30 11:07:09 [MISC] BEND: DsGetDcName function returns 0:
Dom:CI.BEND.OR.US Acct:(null) Flags: PDC IP

Here are some event logs:

Pre-authentication failed:
User Name: user
User ID: DOM/user
Service Name: krbtgt/DOM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,28754813}
Process ID: 1112
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: BEND
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY

TIA,
Steve

Jorge de Almeida Pinto [MVP]

May 30, 2006, 3:33:37 PM
Try what is specified here:
http://www.eksternkompetanse.no/blog/PermaLink,guid,43f143b3-f389-4946-9bdf-21a1b787f5cb.aspx


SteveO

May 30, 2006, 5:13:11 PM
Well, I found it by sheer luck and coincidence. One of the techs called
me about a DHCP address reservation and as I was poking around the
server config I looked at the Advanced tab and then the credentials
button. Sure enough there was the offending account. I was having
trouble with Dynamic DNS and used this account to troubleshoot and
forgot all about it; sloppy administration. You would have thought
that somewhere in the logs it would have mentioned DHCP. It was also
why sometimes it would take an hour to lock the account (later in the
day) and sometimes it would lock in 5 minutes (in the morning).
Thanks for trying! Hopefully this will help someone.
Steve
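
An added example (not from any poster in this thread): a small Python script that reads exported Event 675 text in the layout quoted above and counts 0x18 failures per account and origin, labelling a loopback client address such as 127.0.0.1 as coming from the DC itself, the case where credentials stored in a local service like the DHCP server are the thing to check. The sample events, the account names and the `this-dc` label are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z\- ]*?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported event text into one dict of fields per 675 event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if line.strip().startswith("Pre-authentication failed"):
            events.append({})
        elif m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def lockout_sources(text):
    """Count 0x18 (KDC_ERR_PREAUTH_FAILED) failures per (user, origin)."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Failure Code", "").lower() != "0x18":
            continue
        addr = ev.get("Client Address", "")
        try:
            local = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            local = False  # empty or non-IP address field
        # Loopback: the request was made on the DC that logged the event.
        origin = "this-dc" if local else (addr or "unknown")
        counts[(ev.get("User Name", "?"), origin)] += 1
    return counts

def _event(user, code, addr):
    return ("Pre-authentication failed:\n"
            f"\tUser Name: {user}\n"
            "\tService Name: krbtgt/EXAMPLE\n"
            "\tPre-Authentication Type: 0x2\n"
            f"\tFailure Code: {code}\n"
            f"\tClient Address: {addr}\n")

# Constructed sample events (accounts and addresses are made up).
SAMPLE = "\n".join(_event(*e) for e in [
    ("svc-test", "0x18", "127.0.0.1"), ("svc-test", "0x18", "127.0.0.1"),
    ("jdoe", "0x18", "10.0.0.5"), ("jdoe", "0x17", "10.0.0.5")])

if __name__ == "__main__":
    for (user, origin), n in lockout_sources(SAMPLE).most_common():
        print(f"{user}: {n} x 0x18 from {origin}")
```

An account that only ever fails from `this-dc` points at something running on the domain controller (a service, a scheduled task, or credentials saved in a server role's configuration) rather than at a workstation.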

Ajay Kumar

May 31, 2006, 9:01:04 AM
Hi guys,
my problem is still persisting. I have enabled the audit log and here is the one
below; please help me in resolving this issue. The issue is that accounts are
getting locked.

------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/31/2006
Time: 6:07:21 PM
User: NT AUTHORITY\SYSTEM
Computer: INDIA06
Description:
Pre-authentication failed:
User Name: Administrator
User ID: INDUCTIS\Administrator
Service Name: krbtgt/INDUCTIS.COM


Pre-Authentication Type: 0x2
Failure Code: 0x18

Client Address: 10.0.3.120


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------

Regards,
-Ajay


--
Ajay Kumar
(Sr.System admin)
Inductis Inc.



JeremyL

Apr 25, 2008, 12:06:42 PM

I have been trying to track this issue down for some time, with most
web posts telling me to ignore the 350+ errors I got every day. Then I
came across this post and it turned out to be my issue exactly. Just
wanted to chime in and say THANKS STEVE!!! Your post definitely helped
me, and I'm sure lots of other folks who've been at a loss to explain
their event logs.


--
JeremyL

Yankee

Apr 8, 2009, 10:40:50 PM

STEVE!!! You are the Man! Do you realize that what you have
mentioned....Literally no one, no-one on the darn internet, I'm talking
technet, petri, every site out there and no one had this as a solution.
I know because I have been putting up with this for over a year!

This was caused by following Microsoft's Best Practices and changing
the default Admin name. After this was done I would get THOUSANDS of
672 Errors a day. I didn't just put it back because we had an admin
leave and I had to change the password anyway, which as I tested, also
caused this error apart from the name change. Long story short, I just
set aside another 8 straight hours today to again tackle this issue and
this was the last article I came across...

Much Thanks!


--
Yankee

Pacerfan9

Sep 2, 2009, 11:02:29 AM

After we changed a user account I had the same problem as well. Seeing
the failure coming from 127.0.0.1 was a real puzzler. Thanks for
posting your question AND solution!


--
Pacerfan9