Windows 7 - AD Account keeps locking
Hello,
We are starting to roll out Win7. We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals). The other 3 machines are OK, but we see errors in the domain controller event log for those also. The event log entry is at the end of the post (I've redacted some items). Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account in AD, and registry changes, including changing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Any suggestions would be appreciated.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/15/2012
Time: 3:05:16 PM
User: NT AUTHORITY\SYSTEM
Computer: (Domain Controller's hostname)
Description:
Pre-authentication failed:
User Name: Redacted
User ID: Domain\Redacted
Service Name: krbtgt/OURDOMAIN.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.18.133
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
May 29th, 2012 2:34pm
Hello, thanks for posting!
Usually account lockouts are caused by service accounts/mapped drives/scheduled tasks/disconnected sessions etc. Failure code 0x18 usually means bad password, so talk to the users and ensure they don't use a wrong password or the Bad Password Threshold is not set too low.
Look at this article to troubleshoot further:
Troubleshooting Account Lockout
http://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx
Sachin Gadhave
MCP, MCSA, MCTS
May 29th, 2012 3:01pm
Thanks for the reply. We have already looked at all of the scenarios in the "Common Causes for Account Lockouts" section; as I mentioned, we already looked at scheduled tasks, printer mappings, network drive mappings. The bad password threshold is set to 5, not that it is relevant in this case since it happens to EVERY account logged into the Windows 7 machine. This must be some sort of Active Directory bug or something. Any other suggestions?
May 29th, 2012 4:22pm
Have you checked for Conficker virus, just in case:
http://support.microsoft.com/kb/962007
See also http://support.microsoft.com/kb/109626
Are these clean install Windows 7 machines? Have you installed any software which ties user credentials? Also disable group policies on these systems to check.
Sachin Gadhave
MCP, MCSA, MCTS
May 30th, 2012 1:25am
Hi,
Event ID 675 with failure code 0x18 shows the Redacted account using an incorrect password; the client address 172.16.18.133 identifies the network client that caused this failure. Please perform the following steps to troubleshoot:
1. Check "logon Details" for all services, find the mwadmin account and update the password.
2. Check Scheduled Tasks which run with the mwadmin account.
3. Restart Windows in Safe Mode or Clean Boot to check if any third-party application is configured to use the mwadmin account.
4. Using Account Lockout and Management Tools to troubleshoot account lockouts and to change a user's password.
One more question: have you defined any Kerberos authentication related policy, or have you modified any Kerberos authentication related registry settings, before you got these errors?
Please enable Kerberos event logging on the affected computer:
Start Registry Editor.
Add the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
If the Parameters subkey does not exist, create it.
You can find any Kerberos-related events in the system log.
Note: Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.
For more information please refer to following MS articles:
Kerberos Authentication Tools and Settings
http://technet.microsoft.com/en-us/library/cc738673(v=WS.10).aspx
How to enable Kerberos event logging
http://support.microsoft.com/kb/262177
Maintaining and Monitoring Account Lockout
http://technet.microsoft.com/en-us/library/cc776964(v=WS.10).aspx
Hope this helps!
Lawrence
TechNet Community Support
May 30th, 2012 1:50am
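The triage described in the reply above (Event ID 675, failure code 0x18, client address), as an added example that is not part of the original thread: it parses exported Security log text in the layout quoted in the first post and reports which client address produces enough pre-authentication failures to lock accounts. The threshold of 5 comes from the thread; the 30-minute window, the sample users and times, and the second address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(
    r"^[ \t]*(Event ID|Date|Time|User ID|Failure Code|Client Address):[ \t]*(\S.*?)\s*$",
    re.M)

def parse_events(text):
    """Return one dict per Event ID 675 found in exported Security log text."""
    events = []
    for block in text.split("Event Type:"):
        f = dict(FIELD.findall(block))
        # 675 is the ID on Server 2003-era DCs; Server 2008 and later log 4771.
        if f.get("Event ID") != "675":
            continue
        f["when"] = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(f)
    return events

def lockout_sources(events, threshold=5, window=timedelta(minutes=30)):
    """Map client address -> users with `threshold` 0x18 failures inside `window`.

    threshold=5 is the bad-password threshold quoted in the thread; the
    30-minute window is an assumption, set it to your lockout policy."""
    stamps = defaultdict(list)
    for e in events:
        if e["Failure Code"].lower() == "0x18":      # pre-authentication failed
            stamps[(e["Client Address"], e["User ID"].lower())].append(e["when"])
    hits = defaultdict(set)
    for (addr, user), times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[addr].add(user)
                break
    return dict(hits)

# Constructed sample in the thread's event layout; users, times and the second
# client address are made up for illustration.
TEMPLATE = ("Event Type: Failure Audit\nEvent ID: 675\nDate: 5/15/2012\nTime: {}\n"
            "Pre-authentication failed:\nUser ID: {}\nFailure Code: {}\nClient Address: {}\n")
ROWS = ([(f"3:0{m}:16 PM", r"OURDOMAIN\jsmith", "0x18", "172.16.18.133") for m in range(5, 10)]
        + [(f"3:1{m}:02 PM", r"OURDOMAIN\adoe", "0x18", "172.16.18.133") for m in range(5)]
        + [("9:01:00 AM", r"OURDOMAIN\bwong", "0x18", "172.16.18.40"),
           ("9:01:30 AM", r"OURDOMAIN\bwong", "0x18", "172.16.18.40"),
           ("9:05:00 AM", r"OURDOMAIN\bwong", "0x17", "172.16.18.40")])
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)

if __name__ == "__main__":
    for addr, users in lockout_sources(parse_events(SAMPLE)).items():
        # Several accounts failing from one address points at the machine, not a user.
        print(addr, sorted(users))
```

One address reported with several different accounts matches what the original poster describes: every account used on the affected Windows 7 machine gets locked, which points at software on that client rather than at one user's mistyped password.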
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
June 4th, 2012 4:40am
Hi Lawrence,
Believe we have found the cause, but not a solution (though possible workarounds). We use hosted Exchange and the domain in the user ID matches the name of our internal AD domain. Apparently, Outlook is sending the credentials for hosted Exchange to the domain controller, and since the user IDs are the same as well (i.e., domain\jsmith = jsmith@domain.com) the account gets locked. Apparently, we are not the only one:
http://community.spiceworks.com/topic/151011-hosted-exchange-office-365-causing-domain-lockouts
This is not an issue with XP, only on Win 7, as there have been some changes in the way Windows 7 authenticates against AD.
So, my question is, is Microsoft working on a fix for this issue? On another forum post, someone mentioned that Microsoft was working on a hotfix. Any info would be helpful.
Thanks...
June 6th, 2012 10:23am
Do you use Outlook Anywhere on those computers to connect to the Exchange?
The cached credential should be sent in NTLM to the server directly in that case without authenticating to your AD.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 1:01pm
You hit the nail on the head - they SHOULD be. But apparently not. Yes, we use Outlook Anywhere and have an autodiscover DNS record for the Exchange server in the cloud. Suggestions? Thanks...
June 6th, 2012 1:21pm
Well, my first idea would be to confirm, to be honest.
To be sure it uses NTLM:
NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7
On your hoster, is basic authentication there too? It could be your NTLM setting in Win7 that is too strict, so the client would fall back to basic auth.
Changes in NTLM Authentication
My last step would be to target a test computer, and Wireshark all traffic going to your AD for auth, and be sure what process really does auth against your DC. (how to filter for Kerberos traffic)
MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 1:38pm
We looked at the Kerberos traffic, it is Outlook indeed causing the issue. We are using the Windows 7 defaults (not blocking NTLM) except for the fact that we have a GPO set up that disables the use of LM Hash, which is a different animal.
June 6th, 2012 2:01pm
I would test without that GPO, to be honest. From memory, NTLM doesn't use any Kerberos call. (Or test with an older Outlook.) But it can use LM hash (http://support.microsoft.com/kb/820281 is an old KB, but it shows that NTLM uses LM hash in some way).
I did a program in the past that uses libNTLM to send an NTLM hash to an Exchange 2007/2010, and it's only a 3-phase negotiation on the SSL port, nothing Kerberos there... (link there to show) Outlook falls back to the basic auth scheme for an odd reason.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 6th, 2012 3:46pm
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
June 11th, 2012 3:41am
Hello,
The problem's not resolved; we tested with no GPOs being applied and still the same issue. Seems like there needs to be a patch to Outlook 2010 for this problem.
June 11th, 2012 10:34am
Hi,
Please check the registry entries below on your Windows 7 PC.
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover
"ExcludeScpLookup"=dword:1
"ExcludeSrvLookup"=dword:1
"ExcludeSrvRecord"=dword:1
Make sure these three entries exist; if they do not exist, create them.
Check whether this change fixes your issue.
If it fixes your issue, deploy the registry change through Group Policy; refer to the following article:
Deploying Custom Registry Changes through Group Policy
http://blogs.technet.com/b/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx
For more information please refer to following MS articles:
Autodiscover not working
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/d7239327-23d9-4c2a-a36d-adae493aac07
Step by step Manual BPOS --> Office 365
http://community.office365.com/en-us/f/147/p/7474/32719.aspx
Hope this helps!
Lawrence
TechNet Community Support
June 13th, 2012 3:30am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios.
If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
Thanks!
Lawrence
TechNet Community Support
June 17th, 2012 10:13pm
Not resolved - according to the Microsoft support engineers, this is an Outlook issue and Microsoft is supposed to be issuing a hotfix for this problem by the end of the month.
June 18th, 2012 9:55am
Hi,
Although this issue has not been resolved, fortunately we have tracked down the source of the problem.
Let's wait for the hotfix for this issue.
And if you have any progress, please update this thread.
Lawrence
TechNet Community Support
June 19th, 2012 4:53am
@Lawerence Lv
Can you tell us when the expected release date is of these hotfixes? If we open a support request, will they have something we can utilize before the official hotfix release for this issue?
June 27th, 2012 9:21am
I was told by Microsoft that the hotfix would be released by the end of this month. For customers running with a hybrid of both on premise Exchange and cloud-based Exchange, that hotfix will be released in August.
June 27th, 2012 9:43am
If anyone else is experiencing this issue, Microsoft released the hotfix:
Outlook 2007:
http://support.microsoft.com/kb/2598366
Outlook 2010:
http://support.microsoft.com/kb/2598374
After applying the hotfix, you need to add the following registry entry:
Outlook 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]
"DisableWebAuthenticationType"=dword:00000010
Outlook 2010:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]
"DisableWebAuthenticationType"=dword:00000010
July 9th, 2012 4:14pm
Thanks for the feedback, it will help everyone else that got the trouble.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
Want to follow me ? | Blog:
http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
July 9th, 2012 9:34pm