Re: account being locked out shortly after login Events 675, 529, 539

Jody wrote:
Well, I have not figured it out yet, but I have narrowed it. The
client machine has a local instance of SQL Server 2005 installed for
testing purposes. I turned off all services related to it and the
problem stopped. I guess now all I have to do is turn one on at time
until I find the culprit. The confusing thing is that none of those
services were running under the client user account. I don't know
why any of them would be sending login request under the client user
account.


Check the DSN (ODBC) configurations on the afflicted workstation that may be
using a domain account ( and old password ).



"Jody" wrote:

Hello.

After shortly logging into the domain with a particular domain user
account, it begins to generate a flood of event 675 errors on the
SBS 2003 server and 529 and 539 on the client machine (Windows XP).
Eventually the account threshold is passed and the account will
lockout. This happened right after I changed the password for the
account. According to the logs the bad username/password is coming
from the client machine. I checked all the services on the client
machine and none of them are configured to run under that user
account. I even changed the password back to the original and the
problem continued.

Below are the log errors that I am receiving:

On Domain Controller:

Event 675

Pre-authentication failed:
User Name: xxxx
User ID: xxxxxxx\xxxxx
Service Name: krbtgt/xxxxx
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: xxx.xxx.xxx.xx


On local machine events:

Event 529

Logon Failure:
Reason: Unknown user name or bad password
User Name: XXXX
Domain: XXXXX
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: XXXXXXXXXX

Event 539

Logon Failure:
Reason: Account locked out
User Name: XXXX
Domain: XXXXX
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: XXXXXXXXXX

Thank you,

--
/kj


.

Relevant Pages

  • RE: Event ID 529 on cleint workstation
    ... Security Event ID 529 is a failure audit for logon/logoff. ... "logon events" generate the events on domain controllers for domain account ... The Event 529 was caused by the machine account password not being ... I suggest that you re-join the client to ...
    (microsoft.public.windows.server.sbs)
  • Re: Event ID 529 on cleint workstation
    ... "logon events" generate the events on domain controllers for domain account ... The Event 529 was caused by the machine account password not being ... I suggest that you re-join the client to ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: How to enable IWA over multiple servers
    ... Boot up computer and logon as ActiveDirectory username (im joe ... a member of 192.168.0.4 (the web server), ... client domain identity correctly when the ASP.NET app is hosted on ... through a local account on the webserver rather than a domain user ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Slow domain logon (with detail try out)
    ... "The speed of the logon is directly related the size of the profile and the ... rather than copying the profile from the server. ... Uninstall "Client for Microsoft Network", restart, install it again ... Boot the client machine and logon (TCP/IP configured to get IP from ...
    (microsoft.public.windows.server.general)
  • Slow domain logon (with detail try out)
    ... it takes 2 minutes to logon (after a lot of software ... Uninstall "Client for Microsoft Network", restart, install it again ... Server ... Boot the client machine and logon (TCP/IP configured to get IP from ...
    (microsoft.public.windows.server.general)