Re: Admin Account locked out every hour.

Around the same time that the authentication failure occurs I get the following error; the PID on this error points to tcpsvcs.exe on DC1.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 2/21/2006
Time: 9:05:32 AM
User: NT AUTHORITY\SYSTEM
Computer: NHQ-DC1
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: DC1$
Domain: CompanyName
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: administrator
Target Domain: CompanyName
Target Logon GUID: -

Target Server Name: dc2.CompanyName.com
Target Server Info: dc2.CompanyName.com
Caller Process ID: 2968
Source Network Address: -
Source Port: -

--
Thanks -LRG
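An added example, not from the thread or from Microsoft's lockout tools, that reads EventComb-style lines like the ones quoted further down, flags pre-authentication failures (event 675, failure code 0x18) for one account that recur at a fixed interval per client address, and pulls the caller PID out of any 552 explicit-credential logon recorded within a short window of a failure so it can be mapped to a process on the DC. The sample lines, timestamps and SID below are constructed; only the field layout follows the quoted output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the EventComb-style format quoted in the thread (timestamps and the SID are hypothetical).
SAMPLE = [
    "675,AUDIT FAILURE,Security,Mon Feb 17 15:00:11 2006,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-1-2-3-500} Service Name: krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1",
    "675,AUDIT FAILURE,Security,Mon Feb 17 16:00:13 2006,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-1-2-3-500} Service Name: krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1",
    "675,AUDIT FAILURE,Security,Mon Feb 17 17:00:12 2006,NT AUTHORITY\\SYSTEM,Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-1-2-3-500} Service Name: krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1",
    "552,AUDIT SUCCESS,Security,Mon Feb 17 17:00:10 2006,NT AUTHORITY\\SYSTEM,Logon attempt using explicit credentials: Logged on user: User Name: DC1$ Domain: CompanyName Logon ID: (0x0,0x3E7) User whose credentials were used: Target User Name: administrator Target Domain: CompanyName Target Server Name: dc2.CompanyName.com Caller Process ID: 2968 Source Network Address: -",
]
LINE = re.compile(r"^(\d+),[^,]*,[^,]*,([^,]*),[^,]*,(.*)$")  # id,type,source,time,user,description

def field(desc, name):
    """Pull the value after 'name:' out of a run-together EventComb description."""
    m = re.search(re.escape(name) + r": (\S+)", desc)
    return m.group(1) if m else None

def parse_eventcomb(lines):
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # anything that does not match is a header or blank line
            eid, when, desc = m.groups()
            ts = datetime.strptime(when.split(" ", 1)[1], "%b %d %H:%M:%S %Y")  # weekday dropped
            events.append({"id": int(eid), "time": ts, "desc": desc})
    return events

def periodic_lockout_sources(events, user, tolerance_s=120):
    """Group 675/0x18 failures for `user` by client address; fixed spacing points at a retried stale credential."""
    by_addr = defaultdict(list)
    for e in events:
        d = e["desc"]
        if (e["id"] == 675 and field(d, "Failure Code") == "0x18"
                and (field(d, "User Name") or "").lower() == user.lower()):
            by_addr[field(d, "Client Address")].append(e["time"])
    report = {}
    for addr, times in by_addr.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[addr] = {"count": len(times), "period_s": sum(gaps) / len(gaps) if gaps else None,
                        "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s}
    return report

def callers_near(events, failure_time, window_s=60):
    """(caller PID, target user, target server) from 552 explicit-credential logons within
    window_s of a failure; the PID is what to map to a running process on the DC."""
    return [(field(e["desc"], "Caller Process ID"), field(e["desc"], "Target User Name"),
             field(e["desc"], "Target Server Name")) for e in events
            if e["id"] == 552 and abs((e["time"] - failure_time).total_seconds()) <= window_s]
```

A client address of 127.0.0.1 with an hourly period narrows the search to something on the DC itself; the 552 caller PID is the handle for finding which service or task holds the old password.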


"<<JP<<" wrote:

Services for sure? Also scheduled tasks?


"Serventek" <Serventek@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:730335D1-8D9B-4197-A469-C2C6DF7E1C82@xxxxxxxxxxxxxxxx
We changed the administrator account's password and since then we have been seeing it locked out every hour. I have the lockout tools from microsoft. The lockout originates from the domain controller DC1. Every hour I get this error in the event log of DC1.


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 2/17/2006
Time: 5:00:14 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: Administrator
User ID: companyname\Administrator
Service Name: krbtgt/companyname
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

I have triple checked the services and all processes running on the server. None seem to be using the Administrator account. Eventcomb shows the following errors every hour:

675,AUDIT FAILURE,Security,Mon Feb 17 17:00:12 2006,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-1118139714-1942908946-495535119-5467} Service Name: krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1


I turned on Netlogon logging which logs the following every hour:

02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of companyname\administrator from DC1 Entered
02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of companyname\administrator from DC1 Returns 0xC0000234

Kerberos logs the following at around the time:


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2/17/2006
Time: 5:00:16 PM
User: N/A
Computer: DC1
Description:
A Kerberos Error Message was received:
on logon session companyname.COM\dc1$
Client Time:
Server Time: 1:3:42.0000 2/20/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: companyname
Server Name: krbtgt/companyname
Target Name: krbtgt/companyname@companyname
Error Text:
File: e
Line: 6bc
Error Data is in record data.

I find it interesting that the account lockout events above occur every hour all day and that the source address is 127.0.0.1, which means that the source is itself (domain controller, DC1). I have checked scheduled jobs in the control panel and through the AT command as well. Nothing is scheduled via these.

Thanks -LRG
