Tracing Untraceable AD Account Lockouts

Tags: active-directory, radius, windows-ias-server

A user (we'll call them 'username') keeps getting locked out and I don't know why. Another bad password is logged every 20 minutes on the dot.

The PDC Emulator DC is running Server 2008 R2 Std. Event ID 4740 is logged for the lockout but the Caller Computer Name is blank:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/29/2015 4:18:14 PM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      FQDNofMyPDCemulatorDC
Description:
A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:       MyPDCemulatorDC$
    Account Domain:     MYDOMAIN
    Logon ID:       0x3e7

Account That Was Locked Out:
    Security ID:        MYDOMAIN\username
    Account Name:       username

Additional Information:
    Caller Computer Name:   

The lockout origin DC is running Server 2003 with IAS (RADIUS). Its security log contains a corresponding event for the account lockout, but of course it is also missing the source (Caller Machine Name):

Event Type: Success Audit
Event Source:   Security
Event Category: Account Management 
Event ID:   644
Date:       5/29/2015
Time:       4:18:14 PM
User:       NT AUTHORITY\SYSTEM
Computer:   MyRadiusDC
Description:
User Account Locked Out:
    Target Account Name:    username
    Target Account ID:  MYDOMAIN\username
    Caller Machine Name:    
    Caller User Name:   MyRadiusDC$
    Caller Domain:      MYDOMAIN
    Caller Logon ID:    (0x0,0x3E7)

NetLogon debug logging is enabled on the lockout origin DC, and the log (C:\WINDOWS\debug\Netlogon.log) shows the failed logons due to bad password, but not the source (you can see where it says 'from' followed by two spaces; between those spaces should be the source of the logon attempt):

05/29 16:18:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Entered
05/29 16:18:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Returns 0xC000006A

IAS logs (C:\WINDOWS\system32\LogFiles\IN######.log) do not show any RADIUS connections from this user in the past 2 days.

I don't know where the heck to go from here, except to curse Microsoft until I'm out of breath. Does anyone have any ideas that might be more productive? 😀
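As an added example (not part of the question or answer above), a small Python parser for the Netlogon.log lines shown in the question: it keeps only the `Returns` lines, picks out bad-password results (0xC000006A), records whether the `from` field is blank, and checks whether the failures recur at a fixed interval, which is the "every 20 minutes on the dot" pattern worth hunting for in a scheduled task, service or cached credential. The sample log lines are constructed in the same format as the post, and the year is assumed to be 2015 because Netlogon.log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Netlogon.log format (not copied from a real server).
# "from  Returns" (two spaces) is the blank-source case the question describes.
SAMPLE_LOG = r"""
05/29 15:58:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Entered
05/29 15:58:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Returns 0xC000006A
05/29 16:05:02 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\alice from WS01 Entered
05/29 16:05:02 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\alice from WS01 Returns 0x0
05/29 16:18:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Entered
05/29 16:18:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Returns 0xC000006A
05/29 16:38:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Entered
05/29 16:38:14 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\username from  Returns 0xC000006A
"""

STATUS_WRONG_PASSWORD = "0XC000006A"  # NTSTATUS STATUS_WRONG_PASSWORD

# Only "Returns" lines carry the result; "Entered" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] \S+: SamLogon: "
    r"\S+ logon of (?P<account>\S+) from (?P<source>.*?) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse_netlogon(text, year=2015):
    """Return one dict per SamLogon 'Returns' line; year is assumed (log omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        events.append({"time": ts, "account": m["account"],
                       "source": m["source"].strip(), "status": m["status"].upper()})
    return events

def bad_password_summary(events, tolerance_seconds=5):
    """Per account: failure count, distinct sources ('<blank>' if empty) and interval pattern."""
    by_account = defaultdict(list)
    for e in events:
        if e["status"] == STATUS_WRONG_PASSWORD:
            by_account[e["account"]].append(e)
    summary = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        summary[acct] = {
            "failures": len(evs),
            "sources": sorted({e["source"] or "<blank>" for e in evs}),
            "interval_seconds": gaps,
            # A fixed cadence points at an automated caller rather than a person typing.
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_seconds,
        }
    return summary

if __name__ == "__main__":
    for acct, info in bad_password_summary(parse_netlogon(SAMPLE_LOG)).items():
        print(acct, info)
```

Point it at the real C:\WINDOWS\debug\Netlogon.log and a blank source with a steady interval narrows the search to callers that authenticate without a workstation name (RADIUS/EAPHost, services, scheduled tasks) rather than interactive logons.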

Best Answer

I have only just finished a call with Microsoft about exactly this, so hopefully the following information will help :)

Authentication attempts can happen at a couple of spots, and notably if you are using PEAP authentication for wireless connections, authentication negotiation also occurs through the EAPHost service.

The EAPHost service I find doesn't have fantastic authentication logging (it's miserable actually - trace file), so if for whatever reason authentication fails in EAPHost, the authentication failure attempt is logged using the somewhat generic authentication event IDs in the event log and nothing at all in the IAS logs.

What we did discover was that a newly built RADIUS server was logging far more information in the IAS logs than our in-production system. I went through and reconfigured logging through the configuration log to include accounting information (tick all the boxes in the wizard!), restarted the service and found that all the missing IAS events were now being logged, including MAC addresses and SSIDs, into the IAS log files.

Hope this may help :)