Domain Account keeping locking out with correct password every few minutes
9

12

I have a user whose account keeps locking out every 30 minutes. I have done all the checks: removed any cached passwords, created a new profile, deleted the passwords from IE.

It locks out even when the user is using his account (he is logged in).

After checking 20 servers I found that there is a service running which is causing his account to lock, I think.

675,AUDIT FAILURE,Security,Thu Dec 16 07:54:04 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  userid     User ID:  %{id}     Service Name:  krbtgt/DOMAIN     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  IP address    

Does anyone know what this is?

krbtgt/DOMAIN     
Key Distribution Center Service Account

Can someone please explain to me why this is happening and how I can fix it?

675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.1    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.102    
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: user_id    Target Account ID: %{id}     Caller Machine Name: UKNML3266     Caller User Name: LONDON$     Caller Domain: Domain     Caller Logon ID: (0x0,0x3E7)    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
c:\sc0472\LONDON-Security_LOG.txt contains 8 parsed events.
Mariettamariette answered 17/12, 2010 at 8:4 Comment(0)
13

Try this solution from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68

Microsoft Support found the problem for us. Our domain accounts were locking when a Windows 7 computer was started. The Windows 7 computer had a hidden old password from that domain account. There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32.

From a command prompt run: psexec -i -s -d cmd.exe

From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.

Beatriz answered 20/4, 2012 at 11:25 Comment(7)
Why would you need to put it in C:\Windows\System32?Nonfiction
You know, I posted a question about this in serverfault.com/q/493316/20532. No one could answer it there, so they closed my thread as off topic. This seems to have solved my problem.Pearse
@Nonfiction So you don't have to write the full path to PsExec.exe. But there exist other approaches to achieve that behavior too, of course.Amatory
You can shortcut the steps to just psexec -i -s rundll32 keymgr.dll,KRShowKeyMgrPrevail
Answer worked for me. My problem was that whenever a certain computer on our network rebooted (before any users logged on), a certain user in our AD got his account locked out. When looking at the Wireshark trace, we discovered it was Kerberos pre-authentication for that specific user that caused the problem. We still to this day don't know which service or application used the stale password, but when we cleared the entries from the key manager as the answer suggests, the problem went away. Thanks!Witmer
I could not get the command to run as the correct user, as it was not the local admin account which was broken. Instead, I ran psexec rundll32 keymgr.dll,KRShowKeyMgr (without flags), and it showed the correct credentials.Collative
The problem is I don't have administrative authority to copy and paste the file to System32, and when I log in with my account the same problem occurs: the account is locked out.Alard
6

I think this highlights a serious deficiency in Windows. We have a (technical) user account that we use for our system, which consists of a Windows service and websites, with the app pools configured to run as this user.

Our company has a security policy that after 5 bad passwords, it locks the account out.

Now, finding out what locks out the account is practically impossible in an enterprise. When the account is locked out, the AD server should log what process and what server caused the lockout.

I've looked into it (lockout tools) and it doesn't do this. The only possible thing is a tool, but you have to run it on the server and wait to see if any process is doing it. But in an enterprise with 1000s of servers that's impossible; you have to guess. It's crazy.

Classmate answered 18/1, 2012 at 11:42 Comment(2)
This is old, but there's a solution to this comment: Your lockout policy should be set to a minimum of 50 bad login attempts.Strafford
Try 5 lockout attempts if your organization is mildly security conscious, or needs to be PCI compliant.Hannus
4

We just had a similar issue: it looks like the user reset his password on Friday, and over the weekend and on Monday he kept getting locked out.

Turned out to be he forgot to update his password on his mobile phone.

Dorthadorthea answered 2/4, 2012 at 4:52 Comment(0)
2

You need to make sure that the clocks on all your servers are correct. Kerberos errors are normally caused by your server clock being out of sync with your domain.

UPDATE

Failure code 0x12 very specifically means "Client's credentials have been revoked", which means that this error has happened once the account has been disabled, expired, or locked out.

It would be useful to try and find the previous error messages if you think that the account was active - i.e. this error message may not be the root cause, you will have different errors preceding this error, which cause the account to get locked.

Ideally, to get a full answer, you will need to reactivate the account and keep an eye on the logs for an error occurring before the 0x12 error messages.

Docia answered 17/12, 2010 at 8:34 Comment(6)
What cause the account lock. few users account keeping locking even when they are logged in successfully.Mariettamariette
The local machine time is not the same as the domain - it is called a KERBEROS security check. Essentially, if you think it is 5pm on your local machine and the domain server thinks it is 5.05pm - it will kick you off as a security constraint.Docia
I have checked the time on the local PC and on the domain controller which the PC connects to; they are the same.Mariettamariette
Is there anything else which could cause this to happen?Mariettamariette
Please see update to answer, which provides more information.Docia
I will do that and update this site. Thank you for your help.Mariettamariette
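The distinction Docia draws above (0x12 is a consequence of the lockout, so the cause has to be found in the 0x18 failures that precede it) can be checked mechanically against the event lines pasted in the question. The following is an added example, not code from the thread or from Microsoft's Account Lockout Tools: it parses the comma-separated 675 / 644 lines in the question's format (these are the Windows Server 2003-era event IDs; on Windows Server 2008 and later the equivalents are 4771 and 4740, whose field layout this parser does not handle) and, for each lockout, counts the bad-password failures per client address in the preceding window. The sample lines are copied from the question's pasted output, including its placeholder user name and addresses; the window length and the failure-code table are my assumptions, the latter taken from RFC 4120.

```python
"""Correlate Kerberos pre-authentication failures with an account lockout.

Added example (not code from the thread). Parses the comma-separated lines
pasted in the question (Windows Server 2003-era events 675 and 644, as
dumped by the Account Lockout Tools) and, for each lockout, counts the
bad-password failures (code 0x18) per client address in the preceding
window. Those addresses are where the stale credential lives.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# KRB-ERROR codes (RFC 4120) that show up in the "Failure Code" field.
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: user does not exist",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password",
    0x19: "KDC_ERR_PREAUTH_REQUIRED: client must retry with pre-auth (benign)",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}

# Lines copied from the question's pasted output (user name and addresses
# are the question's own placeholders). The trailing summary line is kept
# to show that non-event lines are skipped.
SAMPLE_LOG = r"""
675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.1
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.102
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: user_id    Target Account ID: %{id}     Caller Machine Name: UKNML3266     Caller User Name: LONDON$     Caller Domain: Domain     Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
c:\sc0472\LONDON-Security_LOG.txt contains 8 parsed events.
"""

LINE_RE = re.compile(r"^(?P<id>\d+),AUDIT (?:FAILURE|SUCCESS),Security,"
                     r"(?P<ts>[^,]+),[^,]+,(?P<msg>.*)$")


def _field(msg, name):
    """Return the whitespace-delimited value following 'name:' in a message."""
    m = re.search(re.escape(name) + r":\s*(\S+)", msg)
    if not m:
        raise ValueError(f"field {name!r} missing in: {msg[:60]}...")
    return m.group(1)


def parse_events(text):
    """Parse 675 (pre-auth failed) and 644 (account locked out) lines.

    Returns the events sorted oldest first; any other line is skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"id": int(m.group("id")),
              "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")}
        msg = m.group("msg")
        if ev["id"] == 675:
            ev["user"] = _field(msg, "User Name")
            ev["code"] = int(_field(msg, "Failure Code"), 16)
            ev["client"] = _field(msg, "Client Address")
        elif ev["id"] == 644:
            ev["user"] = _field(msg, "Target Account Name")
            ev["caller"] = _field(msg, "Caller Machine Name")
        else:
            continue
        events.append(ev)
    events.sort(key=lambda e: e["time"])  # stable sort keeps same-second order
    return events


def lockout_sources(events, user, window_minutes=60):
    """For each lockout of `user`, count 0x18 failures per client address
    in the window before (and including) the lockout second.

    0x12 failures are deliberately ignored: they are a consequence of the
    lockout, not its cause, so chasing them leads nowhere.
    """
    user = user.lower()
    mine = [e for e in events if e["user"].lower() == user]
    results = []
    for lock in (e for e in mine if e["id"] == 644):
        start = lock["time"] - timedelta(minutes=window_minutes)
        sources = Counter(e["client"] for e in mine
                          if e["id"] == 675 and e["code"] == 0x18
                          and start <= e["time"] <= lock["time"])
        results.append({"locked_at": lock["time"],
                        "caller_machine": lock["caller"],  # 644 "Caller Machine Name"
                        "sources": sources})
    return results


if __name__ == "__main__":
    for r in lockout_sources(parse_events(SAMPLE_LOG), "user_id"):
        print(f"{r['locked_at']}  lockout reported via {r['caller_machine']}")
        for ip, n in r["sources"].most_common():
            print(f"  {n} bad-password attempt(s) from {ip}")
```

Run against the question's own lines this reports 172.16.5.8 (three attempts) and 172.16.5.102 (two attempts) as the addresses that sent wrong passwords before the 08:49:06 lockout, which matches the five-attempt threshold mentioned later in the thread; the 0x12 entries from 172.16.5.1 and 172.16.5.102 are only the rejected logons that followed. Those two addresses are where to look for a service, scheduled task, mapped drive or stored credential still holding the old password.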
1

I have seen this problem when the user had set up a scheduled task to run under his account. He forgot to update the password on the task after he changed his account password. The scheduled task was trying to logon with the old password and kept locking out his account.

Marchese answered 20/12, 2010 at 14:47 Comment(2)
It locks out at a different time each day, e.g. one day in the morning and another day in the afternoon or at midday.Mariettamariette
Sometimes nothing happens for a few days, but then it just starts locking itself even when the user is logged in successfully.Mariettamariette
1

Maybe it is the virus named Conficker. Try the d.exe tool from Symantec on the machine; hopefully your problem will be resolved. Check the security logs on the domain controller and scan those machines, because this virus creates bad passwords and locks out the users.

Ochlocracy answered 2/3, 2013 at 7:55 Comment(0)
1

Download the Microsoft Account Lockout Tools. Use LockoutStatus to find the last DC that didn't pre-authenticate the user that is having issues. Note the date and time. Log into that DC, find that timeframe and check the Client Address. Log off from those servers.

Eatmon answered 12/6, 2013 at 14:14 Comment(0)
1

Finally I found my problem. SQL Reporting Services was causing my account lockout. Stop it and try; after confirming there are no more bad password attempts, I had to reconfigure the Reporting Services service account (not in the service properties; it is in Reporting Services' own configuration).

Kare answered 11/2, 2014 at 11:22 Comment(1)
BTW, in order to identify which service was causing the lockout I tried CurrPorts (from NirSoft) and finally saw which service was pointing to my DC (identified beforehand with the Account Lockout Tools) on port 389 (LDAP). It was not easy to identify because the service was running with Network Service credentials.Kare
-1

If your computer is on a domain, you can see Windows Password Rescuer Advanced, http://www.daossoft.com/documents/how-to-reset-windows-domian-account-password.html

Demars answered 28/10, 2011 at 2:42 Comment(1)
Without any additional context this response reads like an advertisement for paid software. IF you are not affiliated with the software vendor and IF you have first-hand experience with this application, I recommend updating the answer to include your experience and why you recommend it. In particular I recommend explaining how this paid application is any more useful than existing event logs, which most 3rd party account tools rely on anyway, or how it differs from free first-party tools from Microsoft.Elul
