Re: Admin Account locked out every hour.
- From: Serventek <Serventek@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Feb 2006 07:26:29 -0800
Yes I checked all the services and scheduled tasks. The admin account was
being used for services and scheduled tasks throughout the company but that
has all been identified and corrected. What is left is this one issue
occuring every hour.
--
Thanks -LRG
"<<JP<<" wrote:
Services for sure? Also scheduled tasks?.
"Serventek" <Serventek@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:730335D1-8D9B-4197-A469-C2C6DF7E1C82@xxxxxxxxxxxxxxxx
We changed the administrator account's password and since then we have
been
seeing it locked out every hour. I have the lockout tools from microsoft.
The lockout originates from the domain controller DC1. Every hour I get
this
error in the event log of DC1.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 2/17/2006
Time: 5:00:14 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: Administrator
User ID: companyname\Administrator
Service Name: krbtgt/companyname
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
I have triple checked the services and all processes running on the
server.
None seem to using the Administrator account. Eventcomb shows the
following
errors every hour:
675,AUDIT FAILURE,Security,Mon Feb 17 17:00:12 2006,NT
AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
User ID: %{S-1-5-21-1118139714-1942908946-495535119-5467} Service
Name:
krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18
Client Address: 127.0.0.1
I turned on Netlogon logging which logs the following every hour:
02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of
companyname\administrator from DC1 Entered
02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of
companyname\administrator from DC1 Returns 0xC0000234
Kerberos logs the following at around the time:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2/17/2006
Time: 5:00:16 PM
User: N/A
Computer: DC1
Description:
A Kerberos Error Message was received:
on logon session companyname.COM\dc1$
Client Time:
Server Time: 1:3:42.0000 2/20/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: companyname
Server Name: krbtgt/companyname
Target Name: krbtgt/companyname@companyname
Error Text:
File: e
Line: 6bc
Error Data is in record data.
I find it interesting that the account lockout events above occur every
hour
all day and that the source address is 127.0.0.1, which means that the
source
is itself (domain controller, DC1). I have checked schedule jobs in the
controll panel and through the AT command as well. Nothing is schedule via
these.
Thanks -LRG
- References:
- Admin Account locked out every hour.
- From: Serventek
- Re: Admin Account locked out every hour.
- From: <<JP<<
- Admin Account locked out every hour.
- Prev by Date: Re: Recommended practises for password policies?
- Next by Date: Re: understanding certificate autoenrollment
- Previous by thread: Re: Admin Account locked out every hour.
- Next by thread: Re: Admin Account locked out every hour.
- Index(es):
Relevant Pages
|
