I have account which keep locking out every few mintues in AD.
I'm using Windows 7 Enterprise X64 PC
I'm using Windows 2003 STD server
These are the things i have tried.
- Created new profile.
- Removed all printers and mapped drivers.
- Used tool from microsoft ALtool ( I can't seem to find the log file under. c:\windows\debug).
Normally it should say in log files where the account is being lock but it doesn't say anything as you can see below.
These are the log files i have from my DC.
675,AUDIT FAILURE,Security,Thu Oct 20 09:17:26 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
644,AUDIT SUCCESS,Security,Thu Oct 20 08:24:17 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:21:46 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:16:55 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:13:10 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:09:25 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0xE Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0xE Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
Best Answer
Your Kerberos failure codes explained:
0x18 - The account is locked, is outside the logon hours, or the account is disabled
0xE - KDC has no support for the encryption type
0x12 - KDC Policy rejects request
Based on the 0xE and 0x12, you would want to first verify that the system time on that machine matches the time on your DCs, that the account has no logon hour restrictions, and is not disabled.
Also, what domain/ forest function level are you set to, and do you have any 2008/ 2008 R2 DCs?