Finding the reason for account lockout after password change krbtgt

Андрей Михалевский 3,356 Reputation points
2024-11-14T12:28:24.24+00:00

Hello.

We changed the password for the krbtgt account at 21:00 yesterday.

Today at 13:30 we had accounts that were connected to one of the Exchange servers locked out for 15 minutes. 5 servers in DAG.

On the domain controller I can see:

Kerberos pre-authentication failed.

Account Information:

Security ID:		JETINF\myusername

Account Name:		ps.kuryshin

Service Information:

Service Name:		krbtgt/JETINF

Network Information:

Client Address:		::ffff:10.124.10.13

Client Port:		48628

Additional Information:

Ticket Options:		0x40810010

Failure Code:		0x18

Pre-Authentication Type:	2

Certificate Information:

Certificate Issuer Name:		

Certificate Serial Number: 	

Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

10.124.10.13 - MS-EX04

How can I understand the problem, why users who were connected to MS-EX04 got account lockout ? After 15 minutes they were unlocked.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,724 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,865 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 26,401 Reputation points Microsoft Vendor
    2024-11-18T07:51:00.6466667+00:00

    Hello

    Thank you for posting in Q&A forum.

    To troubleshoot the account lockout issue, you can follow these steps:

    1. Enable Auditing: Ensure auditing is enabled at the domain level for security events. Look for event ID 4740 in the security logs, which indicates an account lockout.
    2. Use LockoutStatus Tool: This tool displays information about locked-out accounts, including the user state and lockout time on each domain controller. You can download it from Microsoft's website.
    3. Check Netlogon Logs: The Netlogon service logs can provide insights into authentication issues.
    4. Review Security Logs: Use tools like EventCombMT to gather specific events from multiple servers to a central location for analysis. 

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.