Security Failures after Password Change

[Zachary]

Hi everyone,

Recently I have performed a password change on the default domain
administrator account. Before the change was made last Friday I made sure
to find all services and scheduled tasks in our network that were using the
domain admin account and changed them to use their own service account.
After the change all system functionality has been restored. (I.E. Exchange,
Blackberry, our ERP system, everything is working) On top of that, the
domain admin account isn't getting locked out. That should mean that there
isn't anything with a stored password attempting to use the old password.
With all that said, however, I am still receiving security failures in the
event viewer on our primary DC. The failures are below. Any help
understanding these on these would be appreciated.

FYI - In doing research on the 4771 events I have found that the failure
code 0x18 usually means a bad password. What I don't understand is that the
two IP addresses listed with those events are our backup DCs.

------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:08 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: domain\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/domain

Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4240

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for
pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.

If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.

-------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:07 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/DOMAIN

Network Information:
Client Address: ::ffff:10.0.1.254
Client Port: 4238

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for
pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.

If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.

------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:32:01 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: DOMAIN\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/DOMAIN

Network Information:
Client Address: ::ffff:10.0.1.249
Client Port: 21106

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for
pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.

If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:31:31 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: EXCHANGESERVER
Error Code: 0xc000006a
-------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: ERPSERVER
Error Code: 0xc000006a
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:28:49 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
------------------------------------------------------------

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2009 8:27:01 AM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
A Kerberos service ticket was requested.

Account Information:
Account Name: DC$@DOMAIN.COM
Account Domain: DOMAIN.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name: krbtgt/DOMAIN.COM
Service ID: NULL SID

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -

This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.

This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

[Meinolf Weber [MVP-DS]]

Hello Zachary,

Seems that there are still some services/applications running that need the
password change. See also:
http://chicagotech.net/netforums/viewtopic.php?t=4853

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

[Zachary]

If that is the case, shouldn't the domain account be locked out? We have a
lockout policy and if a service or app attempts to validate credentials that
may time unsuccessfully it should lock the account out.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d889b8...@msnews.microsoft.com...

[Meinolf Weber [MVP-DS]]

Hello Zachary,

The domain administrator will automatically unlock, after being locked out
as soon as the correct password is used.
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/05/The-Default-domain-administrator-account-is-locked_21003F00_.aspx

[Zachary]

Ok, with that being the case, is there more detailed auditing i can turn on
to find out what service or app is attempting to make these authentications?
When i look in the services mmc i don't see any services using the
administrator account for validation and the only in house app being used is
our intranet site and that is clean.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911d88a38...@msnews.microsoft.com...

[Meinolf Weber [MVP-DS]]

Hello Zachary,

So you checked all DCs and servers, Exchange, ERP and SYTEUTIL as listed
in the event viewer entries?

Also listed "0xc000006a" is bad password.

[Zachary]

I found this error. When i look at PID 4968 it is mad.exe which points to
the MSExchangeSA service. I looked in the services MMC and that service is
set to log on as Local System. Why would it be trying to use the domain
admin account?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009
Time: 11:02:01 AM
User: NT AUTHORITY\SYSTEM
Computer: EXCHANGE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: DOMAIN
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: EXCHANGE
Caller User Name: EXCHANGE$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4968
Transited Services: -
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911d88a98...@msnews.microsoft.com...

[Zachary]

Cross posting this to an exchange group.

"Zachary" <zdun...@agraind.com> wrote in message
news:ecI44ZlV...@TK2MSFTNGP04.phx.gbl...

[Zachary]

Additional references i have found. These describe my situation also but
they have no solution.
http://www.eggheadcafe.com/software/aspnet/33326223/msexchangesa-locking-doma.aspx
http://antionline.com/archive/index.php/t-272867.html

"Zachary" <zdun...@agraind.com> wrote in message

news:eJ$1QqlVK...@TK2MSFTNGP02.phx.gbl...

[Zachary]

Found one of the culprits. The Exchange service account for legacy access
was set to the domain admin. This is found in the system
manager>Administrative Groups and then right click your administrative group
and on the general tab you will see this setting. I am still recieving this
error yet from the exchange server: Any ideas?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009

Time: 12:11:34 PM
User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH

Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator

Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -

Transited Services: -
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Zachary" <zdun...@agraind.com> wrote in message
news:OHVPB2lV...@TK2MSFTNGP02.phx.gbl...

[Zachary]

Here is a status update. My exchange server is still throwing this error
and every time it does it coralates to the next error that show up on our
main DC.
-----------------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009

Time: 3:36:37 PM

User: NT AUTHORITY\SYSTEM
Computer: AGRAEXCH
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: AGRA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: AGRAEXCH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing

Date: 10/26/2009 3:36:37 PM

Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A

Computer: AGRADC2.agraind.com

Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator

Source Workstation: AGRAEXCH
Error Code: 0xc000006a
---------------------------------------------------

Then the Syteutil server issues this error every 10 minutes and PID 4704 is
w3wp.exe. This error coralates to the second error from our DC.
---------------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/26/2009

Time: 3:40:07 PM
User: NT AUTHORITY\SYSTEM
Computer: SYTEUTIL

Description:
Logon Failure:
Reason: Unknown user name or bad password

User Name: administrator
Domain: agra
Logon Type: 3

Logon Process: Advapi
Authentication Package: Negotiate

Workstation Name: SYTEUTIL
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 4704

Transited Services: -
Source Network Address: -
Source Port: -

----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing

Date: 10/26/2009 3:40:07 PM

Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A

Computer: AGRADC2.agraind.com

Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: SYTEUTIL
Error Code: 0xc000006a
----------------------------------------------------

Then there is this error every 5 minutes, the ip listed is our second DC

----------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing

Date: 10/26/2009 3:32:21 PM

Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A

Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/AGRA

Network Information:
Client Address: ::ffff:10.0.1.254

Client Port: 2010

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for
pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.

If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------

Then there is this one that happens every 10 mins, the ip listed is our
third DC

---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing

Date: 10/26/2009 3:30:06 PM

Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A

Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/agra

Network Information:
Client Address: ::ffff:10.0.1.249

Client Port: 30051

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for
pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in
RFC 4120.

If the ticket was malformed or damaged during transit and could not be
decrypted, then many fields in this event might not be present.
---------------------------------------------------

Then there are two of these ever 10 minutes on our Main DC

---------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing

Date: 10/26/2009 3:38:15 PM

Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A

Computer: AGRADC2.agraind.com

Description:
A Kerberos service ticket was requested.

Account Information:
Account Name: AGRADC2$@AGRAIND.COM
Account Domain: AGRAIND.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name: krbtgt/AGRAIND.COM
Service ID: NULL SID

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -

This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.

This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

---------------------------------------------------

Are all of these related to the two member servers having problems or is
this somthing deeper.

"Zachary" <zdun...@agraind.com> wrote in message

news:uLJxJAm...@TK2MSFTNGP02.phx.gbl...

[Meinolf Weber [MVP-DS]]

Hello Zachary,

Sorry for being late.

According to the ip addresses listed you use IPv6 and IPv4 together on some
machines?

Are the time settings/time zones the same on all machines?

Are any of the machines restored after a crash?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>>>>>>>> ault-d omain-administrator-account-is-locked_21003F00_.aspx

[Zachary]

According to the IP addresses listed you use IPv6 and IPv4 together on some
machines?

Explain to me where you see that please. On the only windows 2008 server we
have IPv6 is disabled on the NIC. All other servers are either windows
server 2000 or 2003 and aren't capable of IPv6.

Are the time settings/time zones the same on all machines?

Yes and all server are configured to sync to the PDC via NTP.

Are any of the machines restored after a crash?

No. None of the machines have been restored from a crash.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911d8c5b8...@msnews.microsoft.com...

[Meinolf Weber [MVP-DS]]

Hello Zachary,

Here is the 'client address' listed with both if i am not wrong:
-------------------------------------

Computer: AGRADC2.agraind.com
Description:
Kerberos pre-authentication failed.

Account Information:
Security ID: AGRA\Administrator
Account Name: Administrator

Service Information:
Service Name: krbtgt/AGRA

Network Information:
Client Address: ::ffff:10.0.1.254

-------------------------------------

See for disabling IPv6:
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

Best regards

>>>>>>>>>> ef ault-d

[Zachary]

i have performed the steps on the link you provided. I already had one of
the three steps done. Does this need a reboot to take effect? If that is
the case, updates are scheduled to run tomorrow at 3 AM so that should force
a reboot. I will see if that clears this up then.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message

news:6cb2911d8cd78...@msnews.microsoft.com...