"Phantom" user lockouts - Event ID 4771 on DC and Event 14 on Local Machine

Alex South 10 Reputation points
2024-06-10T10:34:07.52+00:00

Hi everyone

BACKGROUND

This has perplexed me for a few days now. A user is having 2-3 lockouts a day and they are not putting in their password wrong at all.

Our GPO for password policy is 5 bad attempts before lockout with 30 mins to reset this counter.

INVESTIGATION

I search on the primary DC for event 4740 (Lockout) in Security log and get the time of the lockout and to confirm it comes from their machine.

This event is surrounded by event IDs 4771. I get 5 before hand, then the account lockout, then usually 10-15 more in quick succession.

4771 is Kerberos pre-authentication failed. - again, confirming the source of the lockout being their machine:

Kerberos pre-authentication failed.

Account Information:

*Security ID:		DOMAIN\User.Name*

*Account Name:		User.Name*

Service Information:

*Service Name:		krbtgt/DOMAIN*

Network Information:

*Client Address:		::ffff:<IP>*

*Client Port:		54950*

Additional Information:

*Ticket Options:		0x40810010*

*Failure Code:		0x18*

*Pre-Authentication Type:	2*

Certificate Information:

*Certificate Issuer Name:*		

*Certificate Serial Number:* 	

*Certificate Thumbprint:*		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

The Failure code suggests bad password - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 looking at the table. I get 5 of these events in the same second, then the 4740 lockout - followed by another 10 or so of these, with failure code 0x12 suggesting account locked out.

I then log onto the local machine and have a look - there are no auditing events in Sec log at the time of this event. The AD events were at 0910, and the only local sec logs were at 0908 and 0913. No audit failures.

However, when I check the system log - I get this event:

Event ID 14

The password stored in Credential Manager is invalid. This might be caused by the logged on user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential DOMAIN\User.Name.

So I think I'm onto a winner - I check credential manager....nothing.

I run the command in admin cmd rundll32 keymgr.dll KRShowKeyMgr This shows a few TRMSRV connections for RDP - so I delete these. Though nothing referencing the exact account stated in Event 14.

Event 14 is followed quickly by this:

Event 40960 LSA (LsaSrv)

The Security System detected an authentication error for the server cifs/filesharename. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

(0xc0000234)".

This makes me think mapped drive...nothing. Even clear all SVN links

So I check startup processes, nothing stated and no other services in services.msc listed with their account. There are no scheduled tasks running at these times, and none listed that auth with their account.

There is nothing in the application log around this time to suggest an installed app has their credentials and is using them.

I check the XML details of the events and can get the PID - this points me to lsass.exe....which is not helpful.

I've been recording the times of these lockouts for the user, there is 0 structure or pattern, happen at random times after the user logs in, happen at irregular intervals

CURRENT ACTIONS

So what I've done:

  1. Checked Credential Manager - nothing stored
  2. Cleared all credentials from KeyMgr via CMD
  3. Checked start up apps - nothing using account
  4. Checked services - nothing using their account
  5. Checked scheduled tasks - nothing running around this time or using their account
  6. Checked mapped drives, nothing.
  7. Checked email server - no events at this time

I've found so many articles on this, but nothing has worked:

https://answers.microsoft.com/en-us/windows/forum/all/security-kerberos-event-id-14-credential-manager/3169d1ad-06f6-4f39-9946-bdf01e255393

https://serverfault.com/questions/529448/track-down-which-process-program-is-causing-kerberos-pre-authentication-error-c#:~:text=The%20failure%20code%200x18%20means%20that%20the%20account,occurring%20because%20of%20a%20bad%20cached%20password%20somewhere.%29

https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html?utm_source=SpiceWorks&utm_campaign=How-To-Account-Lockout-Source

https://community.spiceworks.com/t/huge-numbers-of-4771-generates-with-0x18-but-no-account-lockout-found/724370/3

I'm not super keen on installing third party lockout detectors onto a DC, it's likely only going to show me the information I've already gathered from the EV logs - caller machine, caller user, PID of log, times etc etc

I've installed all the latest KBs on the machine, checked firmware and updated any apps on the device - their still being locked out.

If anyone has any pointers for where I can take this, that would be amazing - as I'm running out of options for what it can be, so hoping I'm eventually going to stumble into what it is!

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,655 questions
{count} vote

2 answers

Sort by: Most helpful
  1. Dillon Silzer 57,441 Reputation points
    2024-07-13T20:13:33.78+00:00

    Hi Alex,

    Just a thought:

    Is the machine trying to use AD credentials to login to an WiFi services using NPS/Radius? I had a user where their phone was the culprit and they had an old password tied into their phone that was causing their lockouts.

    You may want to delete your Wifi profiles and see if the issue persists.


    If this is helpful please accept as answer or upvote.

    Best regards,

    Dillon Silzer, Director | Cloudaen.com | Cloudaen Computing Solutions


  2. Vít Chupík 5 Reputation points
    2024-07-19T07:25:46.2066667+00:00

    Hello,

    I was experiencing the same issue one user and troublshooted for about two weeks.

    I tried:

    changing the password

    removing credentials from credential manager (credential manager, cmdkey /list, rundll32 keymgr.dll KRShowKeyMgr)

    check if scheduled tasks are using user credentials

    check if network drives are connected

    reset kerberos tickets (klist purge)

    recreate user profile on the pc (delete user profile in advanced system settings)

    reconnect pc to domain

    reset cached logons count (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)

    Uninstall office (I suspected outlook is the culprit)

    Finally I reinstalled windows on that machine and only that solved the issue for me.

    So the problem is propably not on domain controller, in the user account or on the network but in corrupted installation of windows.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.