divyam-8323 asked piaudonn answered

AD user frequent lockout

We have ADFS setup. There is an AD user reporting frequent account lockout.

Upon checking the domain controller for event ID 4771, I noticed the alert below. From the info below, the reported source IP (client address) is the IP of the ADFS server. Now how do I drill this down further and fix the user's issue?

Kerberos pre-authentication failed.

Account Information:
Security ID: INDIA\xxxxxx
Account Name: xxxxx

Service Information:
Service Name: krbtgt/xxxx

Network Information:
Client Address: ::ffff:10.x.x.x.x
Client Port: 63417

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Tags: windows-active-directory, adfs

LimitlessTechnology-2700 answered

Hello,

It is difficult to guess your environment, but I would suggest it is worth trying LockoutStatus.exe from the ALTools package:

Account Lockout and Management Tools
https://www.microsoft.com/en-us/download/details.aspx?id=18465

You might try to figure out on which computer you can see the behavior, then go to Credential Manager in Control Panel and remove his username and password from the list. Once you find out which PC it is, pull the system log on that system and look to see if there is an error at the same time.

Hope this helps with your query!



--If the reply is helpful, please Upvote and Accept as answer--


piaudonn answered

If the lockout is coming from ADFS, nothing will help you on the AD side. You will have to dig into the ADFS logs.

First off, I'd like to mention that ADFS has a built-in mechanism to prevent accounts from being locked out through ADFS. Please have a look here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

Then, if you are interested in knowing the actual IP of the client (and possibly the User-Agent string, since ADFS is a web service), you will get that in the ADFS audit logs. You can follow the guidance here to enable auditing: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/auditing-enhancements-to-ad-fs-in-windows-server

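A worked example of the investigation the two answers describe, added here as an illustration; it is not code from the thread or from Microsoft. It pulls the 4771 events for the user from the DC and groups them by client address (which, as in the question, will point at the ADFS server), checks whether ADFS extranet lockout is enabled with a threshold below the AD lockout threshold, and then searches the ADFS audit trail (Security log, provider "AD FS Auditing") for the user's failed credential validations, correlating them via the activity GUID with the request events that carry the real client IP and User-Agent. The server names, the user name and the 24-hour window are placeholders; the script assumes the ActiveDirectory module on the machine running it, the ADFS cmdlets on the ADFS server, and ADFS auditing enabled as in the linked doc. Which audit event IDs carry the client IP and User-Agent differs between ADFS versions, so the correlation is done on the message text rather than on fixed IDs.

```powershell
# Added example; not from the original thread or from Microsoft. Assumes an account that can
# read the Security log on the DC and administer ADFS. Server names and user name are placeholders.
$DomainController = 'DC01.india.example.local'    # placeholder
$AdfsServer       = 'ADFS01.india.example.local'  # placeholder
$User             = 'xxxxx'                       # sAMAccountName from the 4771 event (placeholder)
$Since            = (Get-Date).AddHours(-24)

# --- 1. Domain controller: 4771 events for this user (failure code 0x18 = wrong password),
#        grouped by the client address that presented the bad credential.
$preAuthFailures = Get-WinEvent -ComputerName $DomainController `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            ClientIP    = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            ClientPort  = $data['IpPort']
            FailureCode = $data['Status']
        }
    } | Where-Object { $_.User -eq $User -and $_.FailureCode -eq '0x18' }

Write-Host "4771 (bad password) events for $User by client address:"
$preAuthFailures | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ClientIP'; e = { $_.Name } } | Format-Table -AutoSize

# --- 2. ADFS: is extranet lockout protecting the AD account? Its threshold must be lower than
#        the AD lockout threshold, otherwise AD locks the account before ADFS stops the attempts.
#        (Fine-grained password policies, if any apply to the user, override the domain default.)
$adfsProps = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutMode,
        ExtranetLockoutThreshold, ExtranetObservationWindow
}
$adLockout = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 means AD never locks out
$adfsProps | Format-List
Write-Host "AD domain lockout threshold: $adLockout"
if ($adLockout -gt 0 -and (-not $adfsProps.ExtranetLockoutEnabled -or $adfsProps.ExtranetLockoutThreshold -ge $adLockout)) {
    Write-Warning ("Extranet lockout is off or its threshold is not below the AD threshold. " +
        "Example fix (run on the ADFS server): Set-AdfsProperties -EnableExtranetLockout `$true " +
        "-ExtranetLockoutThreshold $([math]::Max(1, $adLockout - 1)) -ExtranetObservationWindow (New-TimeSpan -Minutes 30)")
}

# --- 3. ADFS audit trail: events mentioning the user (the failed credential validations) are
#        correlated, through the activity GUIDs in their message text, with the other audit events
#        of the same request, which is where the client IP and User-Agent are recorded.
#        Needs auditing enabled per the linked doc, e.g. Set-AdfsProperties -AuditLevel Verbose and
#        auditpol /set /subcategory:"Application Generated" /failure:enable /success:enable
$guidRx = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
$ipRx   = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$audit = Get-WinEvent -ComputerName $AdfsServer `
    -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $Since } -ErrorAction SilentlyContinue

$userEvents = $audit | Where-Object { $_.Message -match [regex]::Escape($User) }

$report = foreach ($ev in $userEvents) {
    $ids = [regex]::Matches($ev.Message, $guidRx) | ForEach-Object { $_.Value.ToLower() } | Select-Object -Unique
    # every audit event that shares one of these activity IDs belongs to the same request
    $related = $audit | Where-Object { $m = $_.Message; ($ids | Where-Object { $m -match $_ }).Count -gt 0 }
    $text = ($related | ForEach-Object { $_.Message }) -join "`n"
    $ua = ''
    if ($text -match '(?im)^\s*User[- ]?Agent\s*[:=]\s*(.+)$') { $ua = $Matches[1].Trim() }
    [pscustomobject]@{
        Time       = $ev.TimeCreated
        EventId    = $ev.Id
        ActivityId = ($ids -join ',')
        ClientIPs  = (([regex]::Matches($text, $ipRx) | ForEach-Object { $_.Value } | Select-Object -Unique) -join ',')
        UserAgent  = $ua
    }
}
$report | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Step 1 only confirms what the question already shows (every bad password arrives via the ADFS server), so the real answer comes from step 3: the client IPs and User-Agent strings listed there identify the device or application that keeps replaying the stale credential, which is what to clean up. Step 2 is the mitigation that keeps the AD account usable while that is being tracked down.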