NtLmSsp Login Errors

KuchJ 21 Reputation points
2020-12-14T20:35:01.937+00:00

I have one user that has over 2000 Event errors below this week and I am totally lost on what it possibly could be. I checked credential manager and that was completely clean. Looked through all the Services and nothing odd in there at all. Also checked his programs and processes and everything looked normal. Whatever it is tried to hit any of our domain controllers but it never locks his account out. Only one user from one laptop. Thought it was super strange and thought I should figure it out.
Thank you in advance for the help!

Event Type
UserLogonFailure

EventInfo
Logon Failure "Had user name here"

DetectionIP
(Domain Controller was here)

ToolAlias
Windows Security

ProviderSID
Microsoft-Windows-Security-Auditing 4625

LogonProcess
NtLmSsp

InsertionTime
2020-12-11 11:27:21

Manager
swi-sem

DetectionTime
2020-12-11 11:27:19

ExtraneousInfo
SourcePort: 63706; Call-ProcessName: -;

DestinationAccount
jsayersmith

DestinationMachine
(Domain Controller was here)

AuthPackage

NTLM

FailureCount
1

DestinationDomain
TCORP

LogonType
Windows: Network

Severity
4

SourceLogonID
0x0

FailureReason
Unknown user name or bad password.

InsertionIP
(Domain Controller was here)

ManagerTime

2020-12-11 11:27:21

SourceMachine
10.215.10.3

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,748 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2020-12-22T02:35:38.547+00:00

    Hi @KuchJ ,

    Greeting! Hope everything is fine with you.

    After discussing with our Active Directory Domain Service engineer, we think tracing and monitoring should be necessary if the account is in Active Directory and still an active user.

    You can capture network traffics by Network Monitor when the issue reproduced on problematic device . Please download the “Network Monitor” as below link in advance and install as Administrator on problematic node and :
    https://www.microsoft.com/en-sg/download/details.aspx?id=4865

    However, Please understand analysis of network traffic is beyond our forum support level. So I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

    You may find phone number for your region accordingly from the link below:

    Global Customer Service phone numbers

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2020-12-15T07:58:24.627+00:00

    Hi @KuchJ ,

    Thanks for posting in Q&A platform.

    Based on provided info, as a workaround I would suggest to perform NTLM policy control to completely prevent LM response. Please refer to the detailed steps as below:

    Firstly, please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: LAN Manager authentication level-->set to Send NTLMv2 response only

    48293-image-1.jpg

    And then please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: Restrict NTLM: Incoming NTLM traffic-->set to Deny all accounts

    48277-image-2.jpg

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. KuchJ 21 Reputation points
    2020-12-22T15:36:18.687+00:00

    @Sunny Qi

    I will give that a shot with the Network Monitor tool. Thank you for all your help. Really appreciate it big time. :)


  3. User989846-7900 1 Reputation point
    2022-09-07T09:35:45.87+00:00

    Hello @KuchJ ,
    Did you identified the root cause of this issue? what was it?

    0 comments No comments

  4. Landon Veitch 1 Reputation point
    2022-11-14T18:48:20.317+00:00

    I am also curious to see if anyone found a resolution for this as I have those exact security settings in our domain per NIST requirements and I am seeing the same thing for a local admin account on newly created workstations that are added to our domain.

    0 comments No comments