AD user frequent lockout

divya m 1 Reputation point
2021-11-05T18:50:05.083+00:00

We have an ADFS setup. There is an AD user reporting frequent account lockouts.

Upon checking the domain controller for event ID 4771, I noticed the alert below. From the information below, the reported source IP (client address) is the IP of the ADFS server. Now, how do I drill this down further so I can fix the user's issue?

Kerberos pre-authentication failed.

Account Information:
Security ID: INDIA\xxxxxx
Account Name: xxxxx

Service Information:
Service Name: krbtgt/xxxx

Network Information:
Client Address: ::ffff:10.x.x.x.x
Client Port: 63417

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2


2 answers

  1. Limitless Technology 37,351 Reputation points
    2021-11-08T12:31:04.707+00:00

    Hello,

    It is difficult to guess your environment, but I would suggest it is worth trying the ALTools LockoutStatus.exe.

    Account Lockout and Management Tools
    https://www.microsoft.com/en-us/download/details.aspx?id=18465

    You might try to figure out on which computer you can see the behavior, and then go to Credential Manager in the Control Panel and remove his username and password from the list. Once you find out which PC it is, pull the system log on that system and look to see if there is an error at the same time.

    Hope this helps with your query!


    --If the reply is helpful, please Upvote and Accept as answer--

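The AD-side drill-down that LockoutStatus.exe does by hand, as an added PowerShell example that is not part of the original thread or of the ALTools package. It assumes a domain-joined admin workstation with the ActiveDirectory RSAT module, and the account name 'jdoe' and the 24-hour window are placeholders. It asks every DC for 4771 events with failure code 0x18 for the user, groups them by client address (with the ::ffff: IPv4-mapped prefix stripped and the PTR resolved, which is what makes an ADFS server or a proxy obvious), and then lists the 4740 lockout events from the PDC emulator with the caller computer name.

```powershell
# Added example, not from the original thread. Runs from a domain-joined admin
# workstation with the ActiveDirectory RSAT module; 'jdoe' is a placeholder.
param(
    [string]$User  = 'jdoe',   # placeholder sAMAccountName of the locked-out user
    [int]   $Hours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName
$pdc   = (Get-ADDomain).PDCEmulator

# Read EventData fields by name from the event XML; property order differs
# between 4771 and 4740, so indexed $_.Properties[n] access is fragile.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Dc = $Event.MachineName }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# 4771 is written on whichever DC received the AS-REQ, so ask every DC.
# Status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password). Other codes, such as
# 0x12 (account locked out or disabled), are noise for this question.
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since
    } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventFields -Event $_ } |
        Where-Object { $_.TargetUserName -eq $User -and $_.Status -eq '0x18' }
}

# Group by source. Strip the IPv4-mapped prefix (::ffff:10.1.2.3) first and
# resolve the PTR so an ADFS server or a proxy is recognisable at a glance.
$failures |
    Group-Object { $_.IpAddress -replace '^::ffff:', '' } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $ptr = try { [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { '(no PTR)' }
        $ordered = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            SourceIp  = $_.Name
            Host      = $ptr
            Failures  = $_.Count
            PreAuth   = ($_.Group.PreAuthType | Sort-Object -Unique) -join ','
            FirstSeen = ($ordered | Select-Object -First 1).TimeCreated
            LastSeen  = ($ordered | Select-Object -Last 1).TimeCreated
        }
    } | Format-Table -AutoSize

# 4740 (account locked out) is always written on the PDC emulator. The
# "Caller Computer Name" shown in the event text is stored in TargetDomainName.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields -Event $_ } |
    Where-Object { $_.TargetUserName -eq $User } |
    Select-Object TimeCreated, @{ n = 'CallerComputer'; e = { $_.TargetDomainName } } |
    Format-Table -AutoSize
```

If the top row resolves to an ADFS server, as in the question, the failing credential is being relayed by ADFS and the real client is only visible in the ADFS audit log; if it resolves to a workstation, that is the machine whose Credential Manager, mapped drives, services or scheduled tasks hold the stale password.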

  2. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2021-11-08T13:56:33.237+00:00

    If the lockout is coming from ADFS, nothing will help you on the AD side. You will have to dig into the ADFS logs.

    First off, I'd like to mention that ADFS has a built-in mechanism to prevent accounts from being locked out from ADFS. Please have a look here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

    Then, if you are interested to know more about the actual IP of the client (and eventually the User-Agent string, since ADFS is a web service), you will get that in the ADFS audit logs. You can follow the guidance here to enable auditing: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/auditing-enhancements-to-ad-fs-in-windows-server

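The ADFS-side follow-up to the answer above, as an added PowerShell example that is not part of the original thread or of Microsoft's documentation. It assumes it is run elevated on the primary ADFS server on Windows Server 2016 or later with the Adfs module; 'jdoe' and 'jdoe@corp.example' are placeholders. It prints the extranet smart lockout settings, turns on verbose auditing if it is off, pulls the 1203 "fresh credential validation failed" audit events from the Security log for the user and extracts the client IP, forwarded IP and User-Agent from the Additional Data XML in the message body (the element names are matched by pattern rather than assumed exactly), then groups them so the one stale client stands out.

```powershell
# Added example, not from the original thread. Run elevated on the primary
# ADFS server (Windows Server 2016 or later, Adfs module present).
param(
    [string]$User  = 'jdoe',               # placeholder; matched against DOMAIN\jdoe or a UPN
    [string]$Upn   = 'jdoe@corp.example',  # placeholder UPN for Get-AdfsAccountActivity
    [int]   $Hours = 24
)
Import-Module Adfs

# 1. Extranet smart lockout. The ADFS threshold must be lower than the AD
#    lockout threshold, otherwise ADFS keeps relaying bad passwords to the DC
#    until AD locks the account, which is exactly the 4771 -> 4740 pattern.
$p = Get-AdfsProperties
[pscustomobject]@{
    ExtranetLockoutEnabled    = $p.ExtranetLockoutEnabled
    ExtranetLockoutMode       = $p.ExtranetLockoutMode   # ADPasswordCounter, ADFSSmartLockoutLogOnly or ADFSSmartLockoutEnforce
    ExtranetLockoutThreshold  = $p.ExtranetLockoutThreshold
    ExtranetObservationWindow = $p.ExtranetObservationWindow
    AuditLevel                = $p.AuditLevel
} | Format-List

# 2. Verbose auditing is what puts client IP and User-Agent into the events.
#    Prerequisites: the ADFS service account holds "Generate security audits"
#    and the "Application Generated" audit subcategory is enabled.
if ("$($p.AuditLevel)" -notmatch 'Verbose') {
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
    Set-AdfsProperties -AuditLevel Verbose
}

# 3. Event 1203 (fresh credential validation failed) from provider
#    "AD FS Auditing" carries an "Additional Data" XML blob in its message.
#    Collect every simple <Tag>value</Tag> pair instead of depending on one
#    schema version's exact element names.
function Get-AuditFields([string]$Message) {
    $h = @{}
    foreach ($m in [regex]::Matches($Message, '<(\w+)>([^<]*)</\1>')) {
        $h[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $h
}
function Pick($Fields, [string]$KeyPattern) {
    ($Fields.GetEnumerator() | Where-Object Key -match $KeyPattern | ForEach-Object Value) -join ' / '
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1203; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $f   = Get-AuditFields $e.Message
    $uid = Pick $f '^UserId$|UserName'
    if ($uid -notlike "*$User*") { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $uid
        ClientIp  = Pick $f '^(Forwarded)?IpAddress$'   # the forwarded address is the real client behind the WAP
        UserAgent = Pick $f 'UserAgent'
        Error     = Pick $f '^ErrorCode$'
    }
}

# One User-Agent hammering one account from one IP is the stale cached
# credential (mail client, mobile device, scheduled job) to go after.
$rows | Group-Object ClientIp, UserAgent | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ClientIp, UserAgent'; e = { $_.Name } } |
    Format-Table -Wrap -AutoSize

# 4. With smart lockout enabled, ADFS also keeps its own per-user counters
#    and familiar/unfamiliar location state.
try   { Get-AdfsAccountActivity -Identity $Upn }
catch { Write-Warning "Get-AdfsAccountActivity not available: $($_.Exception.Message)" }
```

Note that the 4771 on the DC shows the ADFS server because ADFS validates forms or basic credentials against AD on the client's behalf; the IP and User-Agent in the 1203 event are the only place the originating client is recorded, and behind a Web Application Proxy it is the forwarded address, not the proxy's, that matters.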