Accounts Locking on Windows 7
Hello,
We are starting to roll out Win7. We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals). The other 3 machines are OK, but we see errors in the domain controller event log for those also. The event log entry is at the end of the post (I've redacted some items). Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account. Any suggestions would be appreciated.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/15/2012
Time: 3:05:16 PM
User: NT AUTHORITY\SYSTEM
Computer: (Domain Controller's hostname)
Description:
Pre-authentication failed:
User Name: Redacted
User ID: Domain\Redacted
Service Name: krbtgt/PROGENICS.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.18.133
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
May 15th, 2012 4:57pm
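The 675 entry above is the raw material for tracing a lockout to the machine that causes it: the "Failure Code" says why the KDC rejected the request and "Client Address" says where it came from. As an added example (not from the original post or from any Microsoft tool), the Python below parses 675 descriptions in the layout shown, separates 0x18 bad-password failures from other Kerberos error codes, and reports the (user, client address) pairs with enough bad-password failures to trip a lockout threshold. The sample events, user names and addresses are constructed; the error-code names come from RFC 4120, and the threshold is an assumed stand-in for the domain's lockout policy.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120, section 7.5.9) commonly seen as "Failure Code" in event 675.
KRB_ERROR_CODES = {
    0x0E: "KDC_ERR_ETYPE_NOSUPP",     # requested encryption type not supported by the KDC
    0x12: "KDC_ERR_CLIENT_REVOKED",   # account disabled, expired or already locked out
    0x18: "KDC_ERR_PREAUTH_FAILED",   # bad pre-authentication data, i.e. wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED", # informational: KDC asked the client to pre-authenticate
}
FIELD_RE = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(.+?)\s*$", re.M)

def make_event(user, code, client):
    """Constructed sample event in the layout of the 675 description from the post."""
    return ("Event ID: 675\nDescription:\nPre-authentication failed:\n"
            f"User Name: {user}\nUser ID: CORP\\{user}\nService Name: krbtgt/CORP.EXAMPLE\n"
            f"Pre-Authentication Type: 0x2\nFailure Code: {code}\nClient Address: {client}\n")

# Constructed sample log: names and addresses are made up for this example.
SAMPLE_LOG = "\n".join(make_event(*e) for e in [
    ("jdoe", "0x18", "172.16.18.133"),
    ("jdoe", "0x18", "172.16.18.133"),
    ("jdoe", "0x18", "172.16.18.133"),
    ("jdoe", "0x18", "172.16.18.140"),
    ("asmith", "0xE", "172.16.18.133"),
])

def parse_675_events(text):
    """Split exported event text into blocks and pull out the fields that matter for lockouts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "Event ID: 675" not in block:
            continue
        fields = dict(FIELD_RE.findall(block))
        events.append({
            "user": fields.get("User Name"),
            "client": fields.get("Client Address"),
            "code": int(fields.get("Failure Code", "0"), 16),
        })
    return events

def failure_summary(events):
    """Count events by symbolic error name so etype negotiation noise (0xE) is kept apart from bad passwords (0x18)."""
    return Counter(KRB_ERROR_CODES.get(e["code"], hex(e["code"])) for e in events)

def lockout_sources(events, threshold=3):
    """Return (user, client address) pairs with at least `threshold` bad-password failures."""
    counts = Counter((e["user"], e["client"]) for e in events if e["code"] == 0x18)
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

On a real domain controller the text would come from an export of the Security log filtered to Event ID 675; a client address that keeps appearing in `lockout_sources` is the machine to inspect for cached credentials, mapped drives, scheduled tasks or services still using an old password.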
Hi,
Are you in a Windows Server 2003 domain?
If so, Windows Vista and later Windows operating systems support the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. However, AES encryption is not supported in Windows Server 2003.
When a Windows 7 client sends a Kerberos authentication request to the DC, it uses AES to protect the authentication message. However, as a Windows Server 2003 DC does not support AES, it logs a 675 event and replies back with the encryption types that it supports. The Windows 7 client then uses the highest encryption type that the Domain Controller supports (RC4-HMAC) and is able to supply Pre-Authentication successfully.
To get rid of the 675 error, you can force the Windows 7 computers to use the previous authentication method. To do so, please create the following registry value on the Windows 7 computers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)
And then, please reboot the computers.
Regards,
Sabrina
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Sabrina
TechNet Community Support
May 15th, 2012 11:42pm
Yes, we are using a Windows 2003 domain. OK, thanks, will try that.
May 17th, 2012 1:56pm
Hello,
Another guy in our department had tried that. He also tried
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Name: LMCompatibilityLevel
Value: 1
Neither of these resolved the problem. Any other suggestions?
Note that the Forest is still in Windows 2000 mode so we're thinking that could be contributing to the issue.
Thanks...
May 17th, 2012 2:02pm
Hi,
Did you install the following hotfix?
Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003
Regards,
Sabrina
May 19th, 2012 1:05am
Please check if the steps in the following article help:
Troubleshooting Account Lockout
Also, as this issue is more related to your domain configuration, in order to get the answer effectively, it is recommended to submit a new question in the Windows Server Forum.
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
Regards,
Sabrina
May 22nd, 2012 10:44pm
That hotfix only suppresses the Event Log entry on the domain controller; it does not appear to have anything to do with the domain accounts locking.
May 24th, 2012 5:06pm
Hi Sabrina,
We already tried all of the steps in that article. Also, you mention that this is a domain problem, but this issue only occurs on Windows 7 machines. None of our XP, Server 2003, or Server 2008 member servers have this issue. Please provide other suggestions.
Thanks.
May 30th, 2012 2:05pm