Re: Lockout accounts



I don't think that this has anything to do with TS or Citrix, since
the users can create a session on the Citrix servers, if I
understand you correctly.
Unexplained account lockouts are often caused by a persistent
mapping to a network share in the user's profile. Once the user
changes password, the persistent drive mapping fails.
Have you tried to delete one of these users' profiles on the Citrix
servers? Does that solve it?
Or use a logon script to get rid of all persistent drive mappings.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

pjverweij <pjverweij@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 02 dec 2008 in
microsoft.public.windows.terminal_services:

Posted also in Active Directory, but placed here on advice of
Meinolf Weber

Hello,

My first post, so let's see what I can learn.

Situation:
- WBT workstations
- 5 Citrix servers
- 1 file server, also a domain controller (virtual machine)
- 1 mail server, also a domain controller (virtual machine)

Accounts get locked out with event 675 on the file server.
This event shows the IP address of the Citrix server where the
user is logged on to.

The Citrix server gives 529; it shows the logon process ID, in
this case 7064, and that relates to WINLOGON.

I have googled a lot but I can't find the solution to these
lockouts. I have the Microsoft lockout tools and used
EventCombMT/ALockout and ran dcdiag. Also programs like Kerbtray
and the MPS Reporting Tool for Directory Services & Security
Support, but no luck for me. I also ran a network monitor from
Microsoft.

Users do not even know why/when they are locked out, because it
happens even when they are not behind the computer.
These events only come up during work time.

Can anybody help me try to solve this issue?

This week I will activate Kerberos and Netlogon logging.



-----------------------------------------------------------------
Event IDs and their information:

FILESERVER:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 1-12-2008
Time: 12:04:32
User: NT AUTHORITY\SYSTEM
Computer: Fileserver-FS01
Description:
Pre-authentication failed:
User Name: kf
User ID: domain1\kf
Service Name: krbtgt/domain1
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.168.207.52


CITRIXSERVER, Dutch version of Windows 2003, translated a bit:

Type gebeurtenis: Failed
Bron van gebeurtenis: Security
Categorie van gebeurtenis: logon/logoff
Event-id 529
Date: 1-12-2008
Time: 12:04:32
User: NT AUTHORITY\SYSTEM
Computer: citrixserver-CTX03
Description:
Aanmeldingsfout:
Cause: unknown username or password username: kf
Domein: Domain1
logontype: 7 ==> Unlock type
logonproces: User32
Verificatiepakket: Negotiate
Name workstation: Citrixserver-CTX03
username caller: Citrixserver-CTX03$
Domein callerr: Domain1
Aanmeldings-id aanroeper: (0x0,0x3E7)
Proces-id caller: 7040 ==> This is WINLOGON
Doorgezette services: -
Networkaddress source: 172.168.207.75 ==> address of terminal WBT client
Poort van source: 1039


================================================

Correspondence:

Hello pjverweij,

Are all machines domain members? Are the domain controllers all
VMs?

Best regards

Meinolf Weber

=======

Yes, all server computers are in the same domain, we only have 1
domain. WBT stations log in as a Citrix client and go further to
work on one of the servers. It's also true that all domain
controllers are virtual VMware server machines. The file server
is the PDC. The Citrix servers are not virtual, these are rack
servers.

I will have a look at terminal clients, but logging on can
always be done (Wyse clients) and they show up in the Citrix and
Active Directory environment.
I also have looked at stored credentials on the Citrix server
(Stored password and user information), but this is not for
clients.

======

--------------------------------------------------------------------------------

The WBT terminals are getting an IP address from the file
server; from there the ICA client connects to the Citrix farm.
The farm looks at which servers are available so the user
can log on to the one that has the most resources left.

The WBT stations are not in the domain, they just get an IP
address from the DHCP server. The Citrix servers where they
log on to are in the domain.

=======================================

Hello pjverweij,

I would suggest you post this also to:
microsoft.public.windows.terminal_services

Best regards

Meinolf Weber
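A defender-side triage of the two event types quoted in this thread (675 with failure code 0x18 on the DC, 529 with logon type 7 on the Citrix server), written here as an added example and not code from the thread or from any of the posters. It parses constructed "Key: Value" records modelled on the pasted events and groups bad-password attempts per user by the client address that sent them, so the host holding a stale credential (such as the persistent drive mapping Vera describes) stands out; the normalised English field names, the second user and the extra timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the 675/529 events pasted in the
# thread. Field names are normalised to English "Key: Value" form; only the
# values the poster quoted (user kf, 12:04:32, the two addresses) are real.
SAMPLE_EVENTS = [
    "Event ID: 675\nTime: 12:04:32\nUser Name: kf\nFailure Code: 0x18\nClient Address: 172.168.207.52",
    "Event ID: 529\nTime: 12:04:32\nUser Name: kf\nLogon Type: 7\nCaller Process ID: 7040\nSource Network Address: 172.168.207.75",
    "Event ID: 675\nTime: 12:06:10\nUser Name: kf\nFailure Code: 0x18\nClient Address: 172.168.207.52",
    "Event ID: 675\nTime: 12:09:01\nUser Name: kf\nFailure Code: 0x12\nClient Address: 172.168.207.52",
    "Event ID: 675\nTime: 12:30:00\nUser Name: jd\nFailure Code: 0x18\nClient Address: 172.168.207.60",
]

# Kerberos pre-authentication failure codes (RFC 4120) that event 675 reports.
KRB_FAILURE = {
    "0x18": "KDC_ERR_PREAUTH_FAILED: wrong password presented",
    "0x12": "KDC_ERR_CLIENT_REVOKED: account already locked out or disabled",
    "0x17": "KDC_ERR_KEY_EXPIRED: password expired",
}

def parse_event(text):
    """Turn a 'Key: Value' event description into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)   # split on the first colon only
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def triage(raw_events, bad_password_threshold=2):
    """Per user: count 0x18 pre-auth failures by client address, count failed
    screen unlocks (529, logon type 7) and flag whether a 0x12 shows the
    account is already locked. Users below the threshold and not locked are dropped."""
    new_entry = lambda: {"sources": defaultdict(int), "unlock_failures": 0, "locked_out": False}
    report = defaultdict(new_entry)
    for ev in map(parse_event, raw_events):
        entry = report[ev.get("user name", "?").lower()]
        if ev.get("event id") == "675":
            code = ev.get("failure code", "")
            if code == "0x18":
                entry["sources"][ev.get("client address", "?")] += 1
            elif code == "0x12":
                entry["locked_out"] = True
        elif ev.get("event id") == "529" and ev.get("logon type") == "7":
            entry["unlock_failures"] += 1   # wrong password on a workstation unlock
    return {u: e for u, e in report.items()
            if sum(e["sources"].values()) >= bad_password_threshold or e["locked_out"]}
```

Run against a real export, the address with the highest 0x18 count per user is where to look for the stale credential.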