Lockout accounts
- From: pjverweij <pjverweij@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Dec 2008 02:38:01 -0800
Posted also in Active Directory, but placed here on the advice of Meinolf Weber
Hello,
My first post, so let's see what I can learn.
Situation:
- WBT workstations
- 5 Citrix servers
- 1 file server, also domain controller (virtual machine)
- 1 mail server, also a domain controller (virtual machine)
Accounts get locked out with the event on the file server: 675
This event shows the ip address of the citrix server where the user is
logged on to.
The Citrix server gives 529, shows its logon process and is in this case
7064 and that relates to WINLOGON.
I have googled a lot but I can't find the solution to these lockouts.
I have the Microsoft lockout tools and used eventcombMT/alockout and ran
dcdiag. Also programs like kerbtray and MPS Reporting Tool for Directory
Services & Security Support, but no luck for me. Also ran a network monitor
from Microsoft.
Users do not even know why/when they are locked out because it happens even when
they are not behind the computer.
These events only come up during work time.
Can anybody help me try to solve this issue?
This week I will activate Kerberos and Netlogon logging.
-------------------------------------------------------------------
Event IDs and their information:
FILESERVER:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 1-12-2008
Time: 12:04:32
User: NT AUTHORITY\SYSTEM
Computer: Fileserver-FS01
Description:
Pre-authentication failed:
User Name: kf
User ID: domain1\kf
Service Name: krbtgt/domain1
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.168.207.52
CITRIXSERVER, Dutch version of Windows 2003, translated a bit:
Type gebeurtenis: Failed
Bron van gebeurtenis: Security
Categorie van gebeurtenis: logon/logoff
Event-id 529
Date: 1-12-2008
Time: 12:04:32
User: NT AUTHORITY\SYSTEM
Computer: citrixserver-CTX03
Description:
Aanmeldingsfout:
Cause: unknown username or password username: kf
Domein: Domain1
logontype: 7 ==> Unlock type
logonproces: User32
Verificatiepakket: Negotiate
Name workstation: Citrixserver-CTX03
username caller: Citrixserver-CTX03$
Domein callerr: Domain1
Aanmeldings-id aanroeper: (0x0,0x3E7)
Proces-id caller: 7040 ==> This is WINLOGON
Doorgezette services: -
Networkaddress source: 172.168.207.75 address of terminal WBT client
Poort van source: 1039
================================================
Correspondence:
Hello pjverweij,
Are all machines domain members? Are the domain controllers all VMs?
Best regards
Meinolf Weber
=======
Yes, all server computers are in the same domain, we only have 1 domain. WBT
stations log in as a Citrix client and go further to work on one of the servers.
It's also true that all domain controllers are virtual server VMware machines.
The file server is the PDC.
The Citrix servers are not virtual, these are racket servers.
I will have a look at the terminal clients, but logging on can always be
done (Wyse clients) and they show up in the Citrix and Active Directory
environment.
I also have looked at stored credentials on the Citrix server: Stored
password and user information, but this is not for clients.
======
--------------------------------------------------------------------------------
The WBT terminals are getting an IP address from the file server, from there
the ICA client will connect to the Citrix farm. The farm will look at the servers
that are available so the user can log on to the one that has the most resources
left.
The WBT stations are not in the domain, they are just getting an IP address
from the DHCP server. The Citrix servers where they log on to are in the
domain.
=======================================
Hello pjverweij,
I would suggest you post this also to:
microsoft.public.windows.terminal_services
Best regards
Meinolf Weber
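An added example, not part of the original post: one way to line up the domain controller's 675 records with the member server's 529 records so that each lockout-causing failure is traced back to the terminal address it came from. The two sample records are constructed from the values quoted above, using the English field names of Windows 2003 events 675 and 529; `parse_event` and `correlate` are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed samples (English field names), built from the values in the post.
DC_675 = """Event ID: 675
Date: 1-12-2008
Time: 12:04:32
User Name: kf
Failure Code: 0x18
Client Address: 172.168.207.52"""
CTX_529 = """Event ID: 529
Date: 1-12-2008
Time: 12:04:32
Computer: citrixserver-CTX03
User Name: kf
Logon Type: 7
Source Network Address: 172.168.207.75"""

KRB_FAILURE = {0x18: "KDC_ERR_PREAUTH_FAILED (bad password)"}
LOGON_TYPE = {2: "interactive", 3: "network", 7: "unlock", 10: "remote interactive"}

def parse_event(text):
    """Turn 'Field: value' lines into a dict and attach a datetime (hypothetical helper)."""
    ev = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)", line)
        if m:
            ev[m.group(1).strip()] = m.group(2).strip()
    ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%d-%m-%Y %H:%M:%S")
    return ev

def correlate(dc_events, member_events, window=5):
    """Pair each DC 675 with member-server 529s for the same user within `window` seconds."""
    out = []
    for dc in (e for e in dc_events if e["Event ID"] == "675"):
        for ms in (e for e in member_events if e["Event ID"] == "529"):
            gap = abs((dc["when"] - ms["when"]).total_seconds())
            if dc["User Name"].lower() == ms["User Name"].lower() and gap <= window:
                out.append({
                    "user": dc["User Name"],
                    "kerberos_failure": KRB_FAILURE.get(int(dc["Failure Code"], 16), dc["Failure Code"]),
                    "requesting_host": dc["Client Address"],
                    "member_server": ms["Computer"],
                    "logon_type": LOGON_TYPE.get(int(ms["Logon Type"]), ms["Logon Type"]),
                    "origin": ms["Source Network Address"],
                })
    return out

print(correlate([parse_event(DC_675)], [parse_event(CTX_529)]))
```

Run over a full export, repeated pairs that share the same `origin` and `logon_type` show which terminal session to inspect first.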