Windows 7 - AD Account keeps locking
Hello,

We are starting to roll out Win7. We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals). The other 3 machines are OK, but we see errors in the domain controller event log for those also. The event log entry is at the end of the post (I've redacted some items).

Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account in AD, and registry changes including changing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Any suggestions would be appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/15/2012
Time: 3:05:16 PM
User: NT AUTHORITY\SYSTEM
Computer: (Domain Controller's hostname)
Description:
Pre-authentication failed:
User Name: Redacted
User ID: Domain\Redacted
Service Name: krbtgt/OURDOMAIN.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.18.133
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 29th, 2012 2:34pm

Hello,

Thanks for posting! Usually account lockouts are caused by service accounts/mapped drives/scheduled tasks/disconnected sessions etc. Failure code 0x18 usually means bad password, so talk to the users and ensure they don't use the wrong password or that the Bad Password Threshold is not set too low. Look at this article to t/s further:
Troubleshooting Account Lockout http://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx

Sachin Gadhave MCP, MCSA, MCTS
May 29th, 2012 3:01pm

Thanks for the reply. We have already looked at all of the scenarios in the "Common Causes for Account Lockouts" section, as I mentioned, we already looked at scheduled tasks, printer mappings, network drive mappings. The bad password threshold is set to 5, not that it is relevant in this case since it happens to EVERY account logged into the Windows 7 machine. This must be some sort of Active Directory bug or something. Any other suggestions?
May 29th, 2012 4:22pm

Have you checked for Conficker virus, just in case: http://support.microsoft.com/kb/962007
See also http://support.microsoft.com/kb/109626
Are these clean install Windows 7 machines? Have you installed any software which ties user credentials? Also disable group policies on these systems to check.

Sachin Gadhave MCP, MCSA, MCTS
May 30th, 2012 1:25am

Hi,

Event ID 675 with failure code 0x18 shows the Redacted account using an incorrect password; the client address 172.16.18.133 identifies the network client that caused this failure.

Please perform the following steps to troubleshoot:
1. Check "logon Details" for all services, find the mwadmin account and update the password.
2. Check Scheduled Tasks which run with the mwadmin account.
3. Restart Windows in Safe Mode or Clean Boot to check if any third-party application is configured to use the mwadmin account.
4. Use Account Lockout and Management Tools to troubleshoot account lockouts and to change a user's password.

One more question: have you defined a Kerberos Authentication related policy or have you modified the Kerberos Authentication related registry before you got these errors?

Please enable Kerberos event logging on the issue computer:
Start Registry Editor. Add the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
If the Parameters subkey does not exist, create it. You can find any Kerberos-related events in the system log.
Note: Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.

For more information please refer to the following MS articles:
Kerberos Authentication Tools and Settings http://technet.microsoft.com/en-us/library/cc738673(v=WS.10).aspx
How to enable Kerberos event logging http://support.microsoft.com/kb/262177
Maintaining and Monitoring Account Lockout http://technet.microsoft.com/en-us/library/cc776964(v=WS.10).aspx

Hope this helps!

TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Lawrence TechNet Community Support
May 30th, 2012 1:50am
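
The triage described in the reply above (failure code 0x18 plus the client address), as an added example that is not part of the original thread: it groups Event ID 675 failures by client address and flags a host that fails for several accounts, which is the pattern the original poster reports. The function names and sample records are constructed for illustration, the default threshold of 5 is the bad password threshold mentioned in the thread, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample records in the layout of the Event ID 675 entry in this thread.
# User names and the second client address are made up for illustration.
$sampleEvents = @(
    'Event ID: 675 User Name: jsmith Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.133'
    'Event ID: 675 User Name: jsmith Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.133'
    'Event ID: 675 User Name: mjones Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.133'
    'Event ID: 675 User Name: mjones Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.133'
    'Event ID: 675 User Name: jsmith Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.133'
    'Event ID: 675 User Name: akhan Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.18.140'
    'Event ID: 672 User Name: akhan Client Address: 172.16.18.140'
)

function ConvertFrom-Event675Text {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Text)
    process {
        if ($Text -notmatch 'Event ID:\s*675\b') { return }   # other event IDs are ignored
        $record = @{}
        foreach ($name in 'User Name', 'Failure Code', 'Client Address') {
            $m = [regex]::Match($Text, [regex]::Escape($name) + ':\s*(\S+)')
            $record[$name] = if ($m.Success) { $m.Groups[1].Value } else { $null }
        }
        [pscustomobject]@{
            UserName      = $record['User Name']
            FailureCode   = $record['Failure Code']
            ClientAddress = $record['Client Address']
        }
    }
}

function Get-PreAuthFailureSummary {
    # Threshold defaults to the bad password threshold quoted in the thread.
    param([string[]]$EventText, [int]$Threshold = 5)
    $EventText | ConvertFrom-Event675Text |
        Where-Object { $_.FailureCode -eq '0x18' } |
        Group-Object ClientAddress |
        ForEach-Object {
            $users = @($_.Group | Select-Object -ExpandProperty UserName -Unique)
            [pscustomobject]@{
                ClientAddress    = $_.Name
                Failures         = $_.Count
                Users            = $users -join ','
                # Several accounts failing from one host points at software on
                # that host rather than one user's mistyped password.
                MultiAccount     = $users.Count -gt 1
                ReachesThreshold = $_.Count -ge $Threshold
            }
        }
}

Get-PreAuthFailureSummary -EventText $sampleEvents | Format-Table -AutoSize
```

To use it on real data, pass event text exported from the domain controller's Security log in the same field layout.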

Hi, I would like to confirm what is the current situation? Have you resolved the problem? If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.

Lawrence TechNet Community Support
June 4th, 2012 4:40am

Hi Lawrence, Believe we have found the cause, but not a solution (though possible workarounds). We use hosted Exchange and the domain in the user ID matches the name of our internal AD domain. Apparently, Outlook is sending the credentials for hosted Exchange to the domain controller, and since the user ID's are the same as well (ie, domain\jsmith = jsmith@domain.com) the account gets locked. Apparently, we are not the only one: http://community.spiceworks.com/topic/151011-hosted-exchange-office-365-causing-domain-lockouts This is not an issue with XP, only on Win 7, as there have been some changes in the way Windows 7 authenticates against AD. So, my question is, is Microsoft working on a fix for this issue? On another forum post, someone mentioned that Microsoft was working on a hotfix. Any info would be helpful. Thanks...
June 6th, 2012 10:23am

Do you use Outlook Anywhere on those computers to connect to the Exchange? The cached credential should be sent in NTLM to the server directly in that case without authenticating to your AD.

MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 1:01pm

You hit the nail on the head - they SHOULD be. But apparently not. Yes we use outlook anywhere and have an autodiscover DNS record for the Exchange server in the cloud. Suggestions? Thanks...
June 6th, 2012 1:21pm

Well, my first idea would be to confirm, to be honest, to be sure it uses NTLM:
NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7

On your hoster, is basic authentication there too? It could be your NTLM setting in Win7 that is too strict, so the client would fall back to basic auth:
Changes in NTLM Authentication

My last step would be to target a test computer, and Wireshark all traffic going to your AD for auth, and be sure what process really does auth against your DC (how to filter for Kerberos traffic).

MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 1:38pm

We looked at the Kerberos traffic, it is Outlook indeed causing the issue. We are using the Windows 7 defaults (not blocking NTLM) except for the fact that we have a GPO set up that disables the use of LM Hash which is a different animal.
June 6th, 2012 2:01pm

I would test without that GPO, to be honest. From memory, NTLM doesn't use any Kerberos call. (Or test with an older Outlook.) But it can use LM hash (http://support.microsoft.com/kb/820281 is an old KB, but it shows that NTLM uses LM hash some way). I did a program in the past that uses libNTLM to send NTLM hash to an Exchange 2007/2010 and it's only a 3-phase negotiation on the SSL port, nothing Kerberos there... (link there to show) Outlook falls back to the basic auth scheme for an odd reason.

MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 3:46pm

Hi, I would like to confirm what is the current situation? Have you resolved the problem? If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help. Lawrence TechNet Community Support
June 11th, 2012 3:41am

Hello, The problem's not resolved, we tested with no GPO's being applied and still the same issue. Seems like there needs to be a patch to Outlook 2010 for this problem.
June 11th, 2012 10:34am

Hi,

Please check the registry entries below on your Windows 7 PC.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover
"ExcludeScpLookup"=dword:1
"ExcludeSrvLookup"=dword:1
"ExcludeSrvRecord"=dword:1

Make sure these three entries exist; if they do not exist, create them. Check whether this change can fix your issue. If it can fix your issue, deploy the registry change through Group Policy; refer to the following article:
Deploying Custom Registry Changes through Group Policy http://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx

For more information please refer to the following MS articles:
Autodiscover not working http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/d7239327-23d9-4c2a-a36d-adae493aac07
Step by step Manual BPOS --> Office 365 http://community.office365.com/en-us/f/147/p/7474/32719.aspx

Hope this helps!

TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Lawrence TechNet Community Support
June 13th, 2012 3:30am

Hi, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks!

Lawrence TechNet Community Support
June 17th, 2012 10:13pm

Not resolved - according to the Microsoft support engineers, this is an Outlook issue and Microsoft is supposed to be issuing a hotfix for this problem by the end of the month.
June 18th, 2012 9:55am

Hi, Although this issue has not been resolved, fortunately we have tracked down the source of the problem. Let's wait for the hotfix for this issue. And if you have any progress please update in this thread.

Lawrence TechNet Community Support
June 19th, 2012 4:53am

@Lawerence Lv Can you tell us when the expected release date is of these hotfixes? If we open a support request, will they have something we can utilize before the official hotfix release for this issue?
June 27th, 2012 9:21am

I was told by Microsoft that the hotfix would be released by the end of this month. For customers running with a hybrid of both on premise Exchange and cloud-based Exchange, that hotfix will be released in August.
June 27th, 2012 9:43am

If anyone else is experiencing this issue, Microsoft released the hotfix:
Outlook 2007: http://support.microsoft.com/kb/2598366
Outlook 2010: http://support.microsoft.com/kb/2598374

After applying the hotfix, need to add the following registry entry:

Outlook 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]
"DisableWebAuthenticationType"=dword:00000010

Outlook 2010:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]
"DisableWebAuthenticationType"=dword:00000010
July 9th, 2012 4:14pm
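
An added example (not from the thread or from Microsoft) that audits the registry value given in the post above for the current user and can set it where it is missing. The function names are hypothetical, PowerShell 3.0 or later is assumed, and the script does not check that the hotfix itself is installed, which the post says must come first.

```powershell
# Registry paths and the value 0x10 are taken from the post above.
$OutlookSecurityKeys = @{
    'Outlook 2007' = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'
    'Outlook 2010' = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Security'
}
$ValueName = 'DisableWebAuthenticationType'
$Expected  = 0x10

function Get-WebAuthSetting {
    foreach ($entry in $OutlookSecurityKeys.GetEnumerator()) {
        # Report only on Outlook versions that have a key for this user.
        $outlookKey = Split-Path $entry.Value -Parent
        if (-not (Test-Path $outlookKey)) { continue }
        $current = $null
        if (Test-Path $entry.Value) {
            $current = (Get-ItemProperty -Path $entry.Value -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Product   = $entry.Key
            Path      = $entry.Value
            Current   = $current
            Compliant = ($current -eq $Expected)
        }
    }
}

function Set-WebAuthSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($item in Get-WebAuthSetting | Where-Object { -not $_.Compliant }) {
        if ($PSCmdlet.ShouldProcess($item.Path, "Set $ValueName to 0x10")) {
            # Create the Security subkey if Outlook has not created it yet.
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $ValueName -PropertyType DWord `
                -Value $Expected -Force | Out-Null
        }
    }
}

Get-WebAuthSetting | Format-Table -AutoSize   # audit only
Set-WebAuthSetting -WhatIf                    # dry run; drop -WhatIf to apply
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in each affected user's session, for example from a logon script.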

Thanks for the feedback, it will help everyone else that got the trouble.

MCP | MCTS 70-236: Exchange Server 2007, Configuring
Want to follow me ? | Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
July 9th, 2012 9:34pm

This topic is archived. No further replies will be accepted.
