As system administrators, every one of us has come across the task of unlocking user accounts at some point. Here I have collected a number of resources, together with my own procedure for troubleshooting account lockout issues.
Procedure for troubleshooting account lockout issues
Note that Ingolfur Arnar Stangeland published a blog post here showing how Microsoft PSS would approach this kind of issue.
- Understand the nature of the issue and the number of users affected. How many users are affected? How frequently are the accounts being locked out? Where is the likely source of the failed authentication attempts?
- Review the account lockout policies so that you understand what the effective settings are. Sometimes the lockouts are false positives, and all that is needed is to revise the account lockout policies to reduce the likelihood of false lockouts.
- Review and enable account audit policies on the DCs. With audit policies enabled you can check the DCs' event logs to understand the issue better, and most likely you will be able to find the source of the failed authentication attempts.
- Collect data to determine the offending source (the PCs and the servers being attempted). Checking the generated event logs on the DCs, particularly the PDC, will reveal useful information: which account it is, which server the failed authentication is being attempted against, which computer the failed attempts are coming from, and so on.
- If the failed attempts are Kerberos, see the “Troubleshooting Account Lockout” article for how to enable Kerberos logging and how to collect lockout debug information locally from the affected computer.
- If the failed attempts are NTLM, see “NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7” for instructions on enabling and reading the NTLM authentication logging; you will need to check both the PDC and the affected computer.
- Focus on the offending PC and track down the offending process. If a general look at the PC does not give you the answer, there are at least two ways to pinpoint the process: enable some audit policy on the PC and check the generated events, or use either a network monitoring tool or Process Monitor from Sysinternals.
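As an added example (not part of the original post), the following PowerShell script pulls the account lockout events (ID 4740) from the PDC emulator and tallies the caller computer per account, which is the data-collection step above done in one go; it assumes Windows Server 2008 or later, the ActiveDirectory RSAT module, and the account lockout audit subcategory enabled on the DCs.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008+,
# the ActiveDirectory RSAT module and "Audit Account Lockout" (or the legacy
# Account Management audit policy) enabled on the DCs, so that each lockout
# produces event 4740 on the PDC emulator.
param(
    [string]$User,       # optional sAMAccountName to focus on
    [int]$Hours = 24     # look-back window
)

Import-Module ActiveDirectory
# Every lockout is forwarded to the PDC emulator, so one log covers the domain.
$pdc = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $get  = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
    # Field quirk: in 4740 the "Caller Computer Name" is stored in TargetDomainName.
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = & $get 'TargetUserName'
        Caller   = & $get 'TargetDomainName'
        LockedBy = & $get 'SubjectUserName'   # DC computer account that applied the lockout
    }
}

if ($User) { $rows = $rows | Where-Object { $_.Account -eq $User } }

# The (account, caller) pair with the highest count is the machine to look at next.
$rows | Group-Object Account, Caller | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Caller';  e = { $_.Group[0].Caller } },
        @{ n = 'Last';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it on a management host with RSAT as a user who can read the Security log on the PDC emulator; the Caller column is the computer to continue the investigation on.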
Notes
- When using the account lock status tool, you will sometimes see the bad password count increase and then drop back to zero without hitting the threshold or the account lockout observation window expiring. That is because the bad password count is reset whenever a successful authentication occurs.
- Both NTLM and Kerberos failed authentication attempts count toward the bad password count.
- Running the network monitoring tool locally on the offending PC can reveal the offending process straight away; Microsoft Network Monitor 3.4 does this natively.
- Installing the Microsoft Network Monitor tool (specifically, installing its network capture driver) on a server momentarily disconnects the network connection, which can disrupt the services running on that server.
Useful resources
- Microsoft TechNet Windows Server 2003 article: Troubleshooting Account Lockout
- Microsoft download: Account Lockout and Management Tools
- Microsoft download: Microsoft account lockout best practices white paper. Note that the white paper is based on Windows 2000 and 2003, so it is a bit outdated, but the majority of it still applies.
- Ned’s blog: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7. Note that the event 8003 generated on a member server won’t work on Windows Server 2008, and event 8001 on a workstation won’t work on Windows Vista.
- Ned’s blog: Auditing Password and Account Lockout Policy on Windows Server 2008 and R2
- Ingolfur’s blog: Troubleshooting account lockout the PSS way
Related Codes
Kerberos Error Codes
| Error | Error Name | Description |
|---|---|---|
| 0x0 | KDC_ERR_NONE | No error |
| 0x1 | KDC_ERR_NAME_EXP | Client’s entry in KDC database has expired |
| 0x2 | KDC_ERR_SERVICE_EXP | Server’s entry in KDC database has expired |
| 0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported |
| 0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client’s key encrypted in old master key |
| 0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server’s key encrypted in old master key |
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database |
| 0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating |
| 0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time |
| 0xC | KDC_ERR_POLICY | KDC policy rejects request |
| 0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) |
| 0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type |
| 0x12 | KDC_ERR_CLIENT_REVOKED | Client’s credentials have been revoked |
| 0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked |
| 0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later |
| 0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later |
| 0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset |
| 0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid |
| 0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional preauthentication required |
| 0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server |
| 0x1B | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable |
| 0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid |
| 0x22 | KRB_AP_ERR_REPEAT | The request is a replay |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us |
| 0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great |
| 0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn’t match address inside ticket |
| 0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don’t match (PVNO) |
| 0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported |
| 0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn’t match |
| 0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering) |
| 0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available |
| 0x2D | KRB_AP_ERR_NOKEY | Service key not available |
| 0x2E | KRB_AP_ERR_MUT_FAIL | Mutual authentication failed |
| 0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction |
| 0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required |
| 0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message |
| 0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) |
| 0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable |
| 0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data |
| 0x3C | KRB_ERR_GENERIC | Generic error; the description is in the e-data field |
| 0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified |
| 0x40 | KDC_ERR_INVALID_SIG | The signature is invalid |
| 0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed |
| 0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required |
| 0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available |
| 0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal |
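As an added example (not from the original post), this PowerShell script reads the Kerberos pre-authentication failures (event 4771) from a DC and labels each Status value with its name from the table above, so the failure reason behind a lockout is readable; it assumes Windows Server 2008 or later with the Kerberos Authentication Service audit subcategory enabled, and the error code subset in the script is hand-picked from the table.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008+ and
# "Audit Kerberos Authentication Service" enabled on the DC so that failed
# AS requests produce event 4771, whose Status field holds the Kerberos error
# code as a hex string (for example "0x18").
param(
    [string]$Dc,         # DC to query; defaults to the PDC emulator
    [int]$Hours = 24
)

Import-Module ActiveDirectory
if (-not $Dc) { $Dc = (Get-ADDomain).PDCEmulator }

# Subset of the Kerberos error codes from the table above that matter for
# lockout work; anything else is reported as its raw code.
$krbErr = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'    # account already locked out or disabled
    '0x17' = 'KDC_ERR_KEY_EXPIRED'       # password expired
    '0x18' = 'KDC_ERR_PREAUTH_FAILED'    # wrong password: counts toward lockout
    '0x25' = 'KRB_AP_ERR_SKEW'           # clock skew, not a bad password
}

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $get    = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
    $status = & $get 'Status'
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = & $get 'TargetUserName'
        # IpAddress is IPv4-mapped IPv6 ("::ffff:10.0.0.5"); strip the prefix.
        Source  = (& $get 'IpAddress') -replace '^::ffff:', ''
        Reason  = if ($status -and $krbErr.ContainsKey($status)) { $krbErr[$status] } else { $status }
    }
}

# Group by account, source and reason: repeated 0x18 from one address is the
# classic stale-credential signature.
$rows | Group-Object Account, Source, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```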
Netlogon Return Status Codes
