Hi everyone
BACKGROUND
This has perplexed me for a few days now. A user is having 2-3 lockouts a day and they are not putting in their password wrong at all.
Our GPO for password policy is 5 bad attempts before lockout with 30 mins to reset this counter.
INVESTIGATION
I search on the primary DC for event 4740 (Lockout) in the Security log to get the time of the lockout and to confirm it comes from their machine.
This event is surrounded by event ID 4771. I get 5 beforehand, then the account lockout, then usually 10-15 more in quick succession.
4771 is "Kerberos pre-authentication failed" - again, confirming the source of the lockout is their machine:
Kerberos pre-authentication failed.
Account Information:
*Security ID: DOMAIN\User.Name*
*Account Name: User.Name*
Service Information:
*Service Name: krbtgt/DOMAIN*
Network Information:
*Client Address: ::ffff:<IP>*
*Client Port: 54950*
Additional Information:
*Ticket Options: 0x40810010*
*Failure Code: 0x18*
*Pre-Authentication Type: 2*
Certificate Information:
*Certificate Issuer Name:*
*Certificate Serial Number:*
*Certificate Thumbprint:*
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
The failure code suggests a bad password (looking at the table at https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771). I get 5 of these events in the same second, then the 4740 lockout, followed by another 10 or so of these with failure code 0x12, suggesting the account is locked out.
I then log onto the local machine and have a look - there are no auditing events in the Security log at the time of this event. The AD events were at 0910, and the only local security logs were at 0908 and 0913. No audit failures.
However, when I check the system log - I get this event:
Event ID 14
The password stored in Credential Manager is invalid. This might be caused by the logged on user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential DOMAIN\User.Name.
So I think I'm onto a winner - I check Credential Manager... nothing.
I run the command rundll32 keymgr.dll KRShowKeyMgr in an admin cmd. This shows a few TRMSRV connections for RDP, so I delete these, though nothing references the exact account stated in Event 14.
Event 14 is followed quickly by this:
Event 40960 LSA (LsaSrv)
The Security System detected an authentication error for the server cifs/filesharename. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested. (0xc0000234)".
This makes me think of a mapped drive... nothing. I even clear all SVN links.
So I check startup processes - nothing stated, and no other services in services.msc are listed with their account. There are no scheduled tasks running at these times, and none listed that authenticate with their account.
There is nothing in the application log around this time to suggest an installed app has their credentials and is using them.
I check the XML details of the events and can get the PID - this points me to lsass.exe... which is not helpful.
I've been recording the times of these lockouts for the user; there is no structure or pattern. They happen at random times after the user logs in, at irregular intervals.
CURRENT ACTIONS
So what I've done:
- Checked Credential Manager - nothing stored
- Cleared all credentials from KeyMgr via CMD
- Checked start up apps - nothing using account
- Checked services - nothing using their account
- Checked scheduled tasks - nothing running around this time or using their account
- Checked mapped drives - nothing
- Checked email server - no events at this time
I've found so many articles on this, but nothing has worked:
https://answers.microsoft.com/en-us/windows/forum/all/security-kerberos-event-id-14-credential-manager/3169d1ad-06f6-4f39-9946-bdf01e255393
https://serverfault.com/questions/529448/track-down-which-process-program-is-causing-kerberos-pre-authentication-error-c#:~:text=The%20failure%20code%200x18%20means%20that%20the%20account,occurring%20because%20of%20a%20bad%20cached%20password%20somewhere.%29
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html?utm_source=SpiceWorks&utm_campaign=How-To-Account-Lockout-Source
https://community.spiceworks.com/t/huge-numbers-of-4771-generates-with-0x18-but-no-account-lockout-found/724370/3
I'm not super keen on installing third-party lockout detectors onto a DC; it's likely only going to show me the information I've already gathered from the event logs - caller machine, caller user, PID of the log, times, etc.
I've installed all the latest KBs on the machine, checked firmware and updated any apps on the device - they're still being locked out.
If anyone has any pointers for where I can take this, that would be amazing - as I'm running out of options for what it can be, so hoping I'm eventually going to stumble into what it is!
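As an added example (not part of the original post), the 4740/4771 correlation described in the investigation above, scripted so it can be re-run on the DC after each lockout: for every 4740 for the account it pulls the 4771 events in a window around it and groups them by client address and failure code, which makes a second source IP or a mix of 0x18/0x12 codes stand out. The account name, window and look-back days are placeholders to adjust.

```powershell
# Added example, not the original poster's code. Run in an elevated PowerShell on the
# DC that logs the 4740 (normally the PDC emulator). Account name is a placeholder.
param(
    [string]$Account       = 'User.Name',  # placeholder sAMAccountName of the locked-out user
    [int]   $WindowSeconds = 120,          # look this far either side of each 4740
    [int]   $Days          = 7             # how far back to search for lockouts
)

# Turn an event's EventData into a name -> value hashtable so fields can be read by
# name (TargetUserName, IpAddress, Status, ...) instead of by positional index.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since = (Get-Date).AddDays(-$Days)

# 4740 = account locked out. TargetUserName is the account, TargetDomainName is the
# "Caller Computer Name" field shown in the event.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { (ConvertFrom-EventData $_).TargetUserName -eq $Account }

foreach ($lk in $lockouts) {
    $caller = (ConvertFrom-EventData $lk).TargetDomainName
    $t0 = $lk.TimeCreated.AddSeconds(-$WindowSeconds)
    $t1 = $lk.TimeCreated.AddSeconds($WindowSeconds)

    # 4771 = Kerberos pre-authentication failed. Status 0x18 = bad password (the
    # attempts that count toward the threshold); 0x12 = account already locked/disabled.
    $fails = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4771; StartTime=$t0; EndTime=$t1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d.TargetUserName
                Client  = $d.IpAddress
                Port    = $d.IpPort
                Status  = $d.Status
                PreAuth = $d.PreAuthType
            }
        } | Where-Object { $_.User -eq $Account }

    "Lockout at $($lk.TimeCreated) reported from caller computer '$caller':"
    $fails | Group-Object Client, Status | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
```

If every group shows a single client address with 0x18 failures in the seconds before the lockout, the source really is that host and the remaining question is which process on it; a second address or a burst of 0x18 from somewhere else points elsewhere.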