Kerberos To Blame for User Lockouts ?

Greetings-

Single Site, Single Domain; 3 DCs; XP Pro sp2 workstations. A problem seems to be brewing. The frequency of users reporting lockouts has increased. Analysis of the Security Logs reveals many Failure Audit Entries like the one below. In some cases, there are 30 or 40 of these for a user in the span of a couple of minutes, even 4 or 5 recorded for the same hour/minute/second.

Users report losing network resources; checking their account shows it was locked out. Other users attempt to unlock their PCs after the screen saver comes on, to find they've been locked out. Our group policy allows for three invalid password attempts before locking a user out.

For many of these reports I can't find any indication of a direct bad password attempt, only these log entries:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 12/7/2005
Time: 4:41:12 PM
User: NT AUTHORITY\SYSTEM
Computer: DC2
Description:
Authentication Ticket Request:
User Name: smithn
Supplied Realm Name: Domain.LOCAL
User ID: -
Service Name: krbtgt/Domain.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x12
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.35.24.207
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

We'd like to avoid total particle annihilation, if possible.

Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
Is your time service working correctly? Check that your clients are showing the same time as the DCs.
 
This can also happen if users leave themselves logged on at another station or terminal session with the console locked when their password expires or they change it at another station; I've seen this a few times on my network.

A few things to think about there.
 
Greetings-

Time Service is OK. NetDiag has not been used on these PCs but will be in the future. I'll investigate further and report back.


Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
0x12 - KDC_ERR_CLIENT_REVOKED: Client's credentials have been revoked

Associated internal Windows error codes

STATUS_ACCOUNT_DISABLED

STATUS_ACCOUNT_EXPIRED

STATUS_ACCOUNT_LOCKED_OUT

STATUS_ACCOUNT_DISABLED

STATUS_INVALID_LOGON_HOURS

STATUS_LOGIN_TIME_RESTRICTION

STATUS_LOGIN_WKSTA_RESTRICTION

STATUS_ACCOUNT_RESTRICTION

 
Greetings-

In searching the Security Logs, I've come across something that might(?) be related. A user called to report his account locked out. Investigation revealed...

Three bad password attempts like this one after the other:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/8/2005
Time: 2:58:19 PM
User: NT AUTHORITY\SYSTEM
Computer: DC - 1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: smithj
Source Workstation: PC0001
Error Code: 0xC000006A
**********************************************

Followed by an account lockout:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/8/2005
Time: 2:58:33 PM
User: NT AUTHORITY\SYSTEM
Computer: DC - 1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: smithj
Source Workstation: PC0001
Error Code: 0xC0000234
**********************************

Followed by this same entry at the following times:

12/8/2005
3:29:08 PM
3:32:42 PM
4:37:18 PM
6:34:18 PM
8:27:18 PM
10:15:18 PM
11:50:19 PM

12/9/2005
1:26:19 AM
2:58:19 AM
4:56:19 AM
6:49:20 AM

I saw one entry and thought, "OK, maybe it was the cleaning crew", but when I saw all of these, I knew that was most improbable. I know there might be more than one issue going on here, but I thought that more info was better than not enough.


Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
Have you virus scanned some of the client PCs? There are various worms that can cause this sort of problem; also, any apps that try to run as a service can as well.
 
0xc000006a means bad password. 0xc0000234 means account locked out. A Kerberos status 0x12 means the account is disabled/locked out. I would say that the root cause of the problem is a bad password. The source workstation is PC0001. I'd look there for saved passwords.

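The thread lists the code meanings (Kerberos 672 result 0x12, and 680 error codes 0xC000006A / 0xC0000234) but the correlation was done by hand. Below is an added example, not code from any poster, that parses security-log excerpts in the same text layout shown in the thread and performs that correlation automatically: for each lockout it counts the bad-password attempts on that account in the preceding window and records which workstation they came from, and it flags bursts of 0x12 Kerberos responses to one client address (the "4 or 5 in the same second" pattern). The sample records are constructed for this example; account names, workstation name and client address are taken from the thread's excerpts, and the five-minute window and three-attempt threshold are assumptions.

```python
"""Correlate Windows Security failure audits (events 672 and 680) per account.

Added example for the thread above, not a poster's code. The parser expects the
same "Field: value" text layout as the log excerpts quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Code meanings as stated in the thread (keys normalised to lower case).
KERBEROS_RESULT_CODES = {"0x12": "KDC_ERR_CLIENT_REVOKED (disabled/expired/locked out/restricted)"}
NTLM_ERROR_CODES = {"0xc000006a": "bad password", "0xc0000234": "account locked out"}

# Assumed analysis parameters (the thread's policy locks after three bad attempts).
LOCKOUT_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def _ntlm_record(time, account, workstation, code):
    """Build a constructed 680 record in the thread's layout (date fixed to 12/8/2005)."""
    return (f"Event Type: Failure Audit\nEvent Source: Security\nEvent Category: Account Logon\n"
            f"Event ID: 680\nDate: 12/8/2005\nTime: {time}\nUser: NT AUTHORITY\\SYSTEM\nComputer: DC1\n"
            f"Description:\nLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Logon account: {account}\nSource Workstation: {workstation}\nError Code: {code}\n")


def _krb_record(time, user, address, result="0x12"):
    """Build a constructed 672 record in the thread's layout (date fixed to 12/7/2005)."""
    return (f"Event Type: Failure Audit\nEvent Source: Security\nEvent Category: Account Logon\n"
            f"Event ID: 672\nDate: 12/7/2005\nTime: {time}\nUser: NT AUTHORITY\\SYSTEM\nComputer: DC2\n"
            f"Description:\nAuthentication Ticket Request:\nUser Name: {user}\n"
            f"Supplied Realm Name: Domain.LOCAL\nService Name: krbtgt/Domain.LOCAL\n"
            f"Result Code: {result}\nClient Address: {address}\n")


# Constructed sample log: three bad passwords from PC0001, a lockout, a later repeat
# lockout with no new bad-password event, and a burst of 0x12 responses to one client.
SAMPLE_LOG = "".join([
    _ntlm_record("2:58:10 PM", "smithj", "PC0001", "0xC000006A"),
    _ntlm_record("2:58:14 PM", "smithj", "PC0001", "0xC000006A"),
    _ntlm_record("2:58:19 PM", "smithj", "PC0001", "0xC000006A"),
    _ntlm_record("2:58:33 PM", "smithj", "PC0001", "0xC0000234"),
    _ntlm_record("3:29:08 PM", "smithj", "PC0001", "0xC0000234"),
    _krb_record("4:41:12 PM", "smithn", "10.35.24.207"),
    _krb_record("4:41:12 PM", "smithn", "10.35.24.207"),
    _krb_record("4:41:13 PM", "smithn", "10.35.24.207"),
    _krb_record("4:41:15 PM", "smithn", "10.35.24.207"),
])


def parse_events(text):
    """Split the text into records (one per 'Event Type:' line) and normalise the fields we need."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("Event Type:") and current:
            records.append(current)
            current = []
        current.append(line)
    if current:
        records.append(current)

    events = []
    for lines in records:
        fields = {}
        for line in lines:
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        event_id = int(fields["Event ID"])
        if event_id == 680:   # NTLM-style logon attempt: account, source workstation, error code
            events.append({"id": 680, "when": when, "account": fields["Logon account"].lower(),
                           "source": fields["Source Workstation"], "code": fields["Error Code"].lower()})
        elif event_id == 672:  # Kerberos AS request: user name, client address, result code
            events.append({"id": 672, "when": when, "account": fields["User Name"].lower(),
                           "source": fields["Client Address"], "code": fields["Result Code"].lower()})
    return sorted(events, key=lambda e: e["when"])  # stable sort keeps same-second order


def find_lockout_chains(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """For each 680 lockout, report the bad-password attempts on that account within the window.

    A lockout with zero preceding bad-password events (like the repeats in the thread) means the
    client retried while the account was already locked: the DC answers 0xC0000234, not 0xC000006A.
    """
    bad = defaultdict(list)  # account -> [(when, source workstation)]
    findings = []
    for e in events:
        if e["id"] != 680:
            continue
        if e["code"] == "0xc000006a":
            bad[e["account"]].append((e["when"], e["source"]))
        elif e["code"] == "0xc0000234":
            recent = [(t, s) for t, s in bad[e["account"]] if e["when"] - t <= window]
            findings.append({"account": e["account"], "locked_at": e["when"],
                             "bad_password_count": len(recent),
                             "sources": sorted({s for _, s in recent}),
                             "reached_threshold": len(recent) >= threshold})
    return findings


def find_revoked_retries(events, min_count=LOCKOUT_THRESHOLD, window=WINDOW):
    """Flag accounts receiving repeated 672 result 0x12 from one client address within the window."""
    buckets = defaultdict(list)  # (account, client address) -> [when, ...]
    for e in events:
        if e["id"] == 672 and e["code"] == "0x12":
            buckets[(e["account"], e["source"])].append(e["when"])
    findings = []
    for (account, address), times in buckets.items():
        span = max(times) - min(times)
        if len(times) >= min_count and span <= window:
            findings.append({"account": account, "client_address": address,
                             "count": len(times), "span_seconds": int(span.total_seconds())})
    return findings


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for f in find_lockout_chains(parsed):
        print(f"{f['account']} locked out at {f['locked_at']:%Y-%m-%d %I:%M:%S %p}: "
              f"{f['bad_password_count']} bad-password attempts in window from {f['sources'] or 'none'}")
    for f in find_revoked_retries(parsed):
        print(f"{f['account']}: {f['count']} x 0x12 to {f['client_address']} within {f['span_seconds']}s "
              f"({KERBEROS_RESULT_CODES['0x12']})")
```

The two functions separate the two questions the thread conflates: `find_lockout_chains` answers "which workstation supplied the bad passwords that caused the lockout" (the actionable lead, as xmsre says), while `find_revoked_retries` only shows where a client keeps presenting a locked or disabled account; a 0x12 burst is evidence that the lockout has already happened, not of what caused it. Point the parser at a real exported log (a saved `.txt` from Event Viewer in this layout) to apply the same correlation to live data.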
 
Absolutely, the code is for a bad password, and so many in a short space of time and for many different users indicates an automated process. As I say, it's worth checking for apps that use network resources and, as xmsre says, saved passwords.
 
In the title of the thread, you're asking if Kerberos is to blame? The answer is no; it's a symptom, not the cause.
