
Domain account keeps locking out with correct password every few minutes

I have a user whose account keeps locking out every 30 minutes. I have done all the checks: removed any cached passwords, created a new profile, deleted the password from IE.

It locks out even when the user is using his account (he is logged in).

After checking 20 servers, I found that there is a service running which is causing his account to lock, I think.

675,AUDIT FAILURE,Security,Thu Dec 16 07:54:04 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  userid     User ID:  %{id}     Service Name:  krbtgt/DOMAIN     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  IP address    

Does anyone know what this is?

krbtgt/DOMAIN     
Key Distribution Center Service Account

Can someone please explain to me why this is happening and how I can fix it?

675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.1    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.102    
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: user_id    Target Account ID: %{id}     Caller Machine Name: UKNML3266     Caller User Name: LONDON$     Caller Domain: Domain     Caller Logon ID: (0x0,0x3E7)    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102    
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8    
c:\sc0472\LONDON-Security_LOG.txt contains 8 parsed events.
SameasBefore asked Dec 17 '10 08:12


8 Answers

Finally I found my problem. SQL Reporting Service was causing my account lockout. Stop it and try; after confirming there are no more bad password attempts, I should reconfigure the Reporting Services service account (not in Service Properties; it is in Reporting Services' own config).

user3296919 answered Sep 20 '22 17:09


Try this solution from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68

Microsoft Support found the problem for us. Our domain accounts were locking when a Windows 7 computer was started. The Windows 7 computer had a hidden old password from that domain account. There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32.

From a command prompt run: psexec -i -s -d cmd.exe

From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.

Puzzled answered Sep 20 '22 17:09


I think this highlights a serious deficiency in Windows. We have a (technical) user account that we use for our system consisting of a Windows service and websites, with the app pools configured to run as this user.

Our company has a security policy that after 5 bad passwords, it locks the account out.

Now finding out what locks out the account is practically impossible in an enterprise. When the account is locked out, the AD server should log from what process and what server caused the lockout.

I've looked into it (lockout tools) and it doesn't do this. The only possible thing is a tool, but you have to run it on the server and wait to see if any process is doing it. But in an enterprise with 1000s of servers that's impossible; you have to guess. It's crazy.

JML answered Sep 20 '22 17:09


We just had a similar issue. It looks like the user reset his password on Friday, and over the weekend and on Monday he kept getting locked out.

It turned out he forgot to update his password on his mobile phone.

Bonez answered Sep 18 '22 17:09


You need to make sure that the clocks on all your servers are correct. Kerberos errors are normally caused by your server clock being out of sync with your domain.

UPDATE

Failure code 0x12 very specifically means "Clients credentials have been revoked", which means that this error has happened once the account has been disabled, expired, or locked out.

It would be useful to try and find the previous error messages if you think that the account was active - i.e. this error message may not be the root cause, you will have different errors preceding this error, which cause the account to get locked.

Ideally, to get a full answer, you will need to reactivate the account and keep an eye on the logs for an error occurring before the 0x12 error messages.

Fenton answered Sep 17 '22 17:09


I have seen this problem when the user had set up a scheduled task to run under his account. He forgot to update the password on the task after he changed his account password. The scheduled task was trying to logon with the old password and kept locking out his account.

Eric A. Laney answered Sep 16 '22 17:09


It may be the virus named Conficker. Try the d.exe tool from Symantec on the machine; hopefully your problem will be resolved. Check the security logs on the domain controller and scan those machines, because this virus creates bad passwords and locks the users.

Ansi answered Sep 18 '22 17:09


Download Microsoft Account Lockout Tools. Use LockoutStatus to find the last DC that didn't pre-authenticate the user that is having issues. Note the date and time. Log into that DC, find that timeframe and check the Client Address. Log off from those servers.

camelin0 answered Sep 17 '22 17:09
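The triage described in Fenton's and camelin0's answers (treat 0x12 as a symptom, then look at what failed before the lockout and from which Client Address), as an added Python example that is not part of any answer on this page. It parses exported event lines in the format shown in the question and tallies the 0x18 failures per client address ahead of each 644 lockout; the 30-minute window and the function names are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Kerberos error numbers (RFC 4120): 0x18 = KDC_ERR_PREAUTH_FAILED (bad password),
# 0x12 = KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out).

def parse(line):
    """Split one exported event line into id, time and named message fields."""
    eid, _type, _log, ts, _acct, msg = line.strip().split(",", 5)
    ev = {"id": int(eid), "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")}
    for key, pat in (("user", r"(?:User|Target Account) Name:\s+(\S+)"),
                     ("code", r"Failure Code:\s+(0x[0-9A-Fa-f]+)"),
                     ("client", r"Client Address:\s+(\S+)")):
        m = re.search(pat, msg)
        ev[key] = m.group(1) if m else None
    ev["code"] = int(ev["code"], 16) if ev["code"] else None
    return ev

def lockout_sources(text, window=timedelta(minutes=30)):
    """For each lockout (644), count the bad-password (0x18) failures per client
    address for that user in the window before it. 0x12 events are skipped:
    they are produced by the lockout, not the cause of it."""
    events = [parse(l) for l in text.splitlines() if re.match(r"\d+,", l)]
    out = []
    for lock in (e for e in events if e["id"] == 644):
        hits = Counter(e["client"] for e in events
                       if e["id"] == 675 and e["code"] == 0x18
                       and e["user"] == lock["user"]
                       and lock["time"] - window <= e["time"] <= lock["time"])
        out.append((lock["time"], lock["user"], dict(hits)))
    return out

# Event lines copied from the question's excerpt (trailing padding trimmed).
SAMPLE = r"""
675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.1
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x12     Client Address:  172.16.5.102
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: user_id    Target Account ID: %{id}     Caller Machine Name: UKNML3266     Caller User Name: LONDON$     Caller Domain: Domain     Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  user_id    User ID:  %{id}     Service Name:  krbtgt/Domain     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  172.16.5.8
"""

if __name__ == "__main__":
    for when, user, hits in lockout_sources(SAMPLE):
        print(when, user, hits)
```

On the excerpt, the tally points at 172.16.5.8 and 172.16.5.102 as the machines to check for a stale stored password, service account or scheduled task.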