I have user whos account is keeping locking out every 30 minutes. Done all the checks, remove any cache passwords, created new profile, delete password from IE.
It locks out even when user is using his account (he is logged in )
After checking 20 servers I found that they is service running which causing his account to lock I think.
675,AUDIT FAILURE,Security,Thu Dec 16 07:54:04 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: userid User ID: %{id} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: IP address
Does anyone know what is this.
krbtgt/DOMAIN
Key Distribution Center Service Account
Can some please explain this to me why this is happening and how i can fix this.
675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.1
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.102
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: user_id Target Account ID: %{id} Caller Machine Name: UKNML3266 Caller User Name: LONDON$ Caller Domain: Domain Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
c:\sc0472\LONDON-Security_LOG.txt contains 8 parsed events.
This question is related to
windows
active-directory
windows-server-2003
You need to make sure that the clocks on all your servers are correct. Kerberos errors are normally caused by your server clock being out of sync with your domain.
UPDATE
Failure code 0x12 very specifically means "Clients credentials have been revoked", which means that this error has happened once the account has been disabled, expired, or locked out.
It would be useful to try and find the previous error messages if you think that the account was active - i.e. this error message may not be the root cause, you will have different errors preceding this error, which cause the account to get locked.
Ideally, to get a full answer, you will need to reactivate the account and keep an eye on the logs for an error occurring before the 0x12 error messages.
Try this solution from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68
Microsoft Support found the problem for us. Our domain accounts were locking when a Windows 7 computer was started. The Windows 7 computer had a hidden old password from that domain account. There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.
Download
PsExec.exefrom http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it toC:\Windows\System32.From a command prompt run:
psexec -i -s -d cmd.exeFrom the new DOS window run:
rundll32 keymgr.dll,KRShowKeyMgrRemove any items that appear in the list of Stored User Names and Passwords. Restart the computer.
I think this highlights a serious deficiency in Windows. We have a (techincal) user account that we use for our system consisting of a windows service and websites, with the app pools configured to run as this user.
Our company has a security policy that after 5 bad passwords, it locks the account out.
Now finding out what locks out the account is practically impossible in a enterprise. When the account is locked out, the AD server should log from what process and what server caused the lock out.
I've looked into it and it (lock out tools) and it doesnt do this. only possible thing is a tool but you have to run it on the server and wait to see if any process is doing it. But in a enterprise with 1000s of servers thats impossible, you have to guess. Its crazy.
Finally i found my problem. SQL Reporting Service was causing my account lockout. Stop and try, after confirm no more passwords bad attempts i should reconfigure reporting services service account ---Not at Service Properties, it is in Reporting Service own config--.
May be the virus by name CONFLICKER try d.exe tool from symantec on the machine hope your problem will be resolved. Check the security logs in domain controller and scan those machines because of this virus it creates bad passwords and lock the users.
I have seen this problem when the user had set up a scheduled task to run under his account. He forgot to update the password on the task after he changed his account password. The scheduled task was trying to logon with the old password and kept locking out his account.
Download Microsoft Account Lockout Tools.
Use LockoutStatus to find the last DC that didn't pre-authenticate the user that is having issues. Note date and time.
Log into that DC, find that timeframe and check Client Address.
Logoff from those servers.
We just had a similar issue, looks like the user reset his password on Friday and over the weekend and on Monday he kept getting locked out.
Turned out to be he forgot to update his password on his mobile phone.
If your computer is on a domain, you can see Windows Password Rescuer Advanced, http://www.daossoft.com/documents/how-to-reset-windows-domian-account-password.html
Source: Stackoverflow.com