Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

675 Kerberos errors on server w/ account lockout

Status
Not open for further replies.
Borvik

Borvik

Programmer
Jan 2, 2002
1,392
US
A user's account keeps getting locked out every couple of minutes, and I'm seeing 675 errors on the domain controller with the IP address of this user's computer - so I know where the failures are happening. This user's machine is running Windows 7.

I have not been able to identify what is causing it. I have unlocked the account and had the user change the password immediately (was able to change the password), but that didn't work (the thought was to have the user change it and sync it everywhere on their system so this problem wouldn't be happening).

I have enabled alockout.dll and restarted in an effort to identify what is causing this problem. The funny thing is - with alockout enabled - the problem isn't happening, so no log file is getting created.

Anyone have any ideas on what I can do further?

Thanks.
 
Sort by date Sort by votes
Can you make any use of this document, or any of the other links?

Windows Account Lockout Error Code (netlogon, event ID, Kerberos)


This talks about mismatch time between client and server.

Domain Account keeping locking out with correct password every few minutes


"To get rid of the 675 error, you can force the Windows Vista (or later version) computers to use the previous authentication method."

Kerberos issues

Try your luck in one of the Server Forums too.

 
Upvote 0 Downvote
Well I've see failure codes 0x12, 0x18, and 0x19 repeatedly. The user does not have any restrictions for logging in (time-wise, or limited to a specific computer). The date/time matches that of other computers on the domain so I doubt that is the issue.

I don't care that a 675 error exists in the case of Vista or 7 workstations attempting a new method and then reverting to an old authentication method - just as long as it doesn't lock out the user, and from my understanding this shouldn't happen.

Now alockout.dll is enabled, and the computer somewhere is still causing the account to be locked out - though the log file is not getting created.
 
Upvote 0 Downvote
have a gander:


Server Side:
Code: 
DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.

How to use the UserAccountControl flags to manipulate user account properties


also found this website helpful in that regard:

The error event 675 with 0X19 error code indicates:



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Thanks guys, I'm not sure what was going on - but I went through a few of the old passwords the user used and reset it to a couple. It stopped locking out the user now - obviously something on the users machine was still stuck on an old password - though I wouldn't have a clue as to what it was.
 
Upvote 0 Downvote
Borvik,
Does this user ever log onto a different machine on the network (& forgot to log off)? Map a drive (that didn't disconnect)? Click anything that says "save my password"? I have encountered all of the above causing the same symptoms you describe. Everything works fine till the password gets changed.

If you have active directory, you can use an add-on called "Additional Account Information" which provides more detail about logons. It is acctinfo.dll that you will need to register.

Kmills
 
Upvote 0 Downvote
I'm not to worried about it anymore as it is working - though if this comes up again in a couple of months I'll have to revisit this.

No the user doesn't use this username on another machine on the network. There are some mapped drives though those are set via a logon batch script. And as far as the last one - I'm not sure - it sounds like acctinfo.dll should help figure that - if this comes up again I'll look into that.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

VicM
  • Locked
  • Question
Change name not showing in user account 1
Replies
13
Views
663
guitarzan
guitarzan
spamjim
  • Locked
  • Question
Sanitizing illegal filenames on NTFS volumes
Replies
2
Views
383
spamjim
spamjim
goombawaho
  • Locked
  • Question
Risk of running unsupported server version 1
Replies
7
Views
372
goombawaho
goombawaho
pjw001
  • Locked
  • Question
Programs not loading on Windows 11 Version 22H2.
Replies
9
Views
727
pjw001
pjw001
Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
1K
Flinx
Flinx

Part and Inventory Search

Sponsor

Back
Top