Tracking the reason for an Active Directory account lockout or logon failure is a cumbersome task these days. Unlike the normal logon types (logon type 2, Interactive Logon, and logon type 10, Remote Logon), the failure reason for logon types 3 and 8 cannot easily be determined, because failures with these logon types are usually triggered by saved or cached credentials or by third-party tools. In this article I explain logon type 3 and logon type 8 of event 4625 and how to track the failure reason for these two logon types.
How to track AD account lockout/logon failure for Logon Type 3
This logon type occurs when a computer is accessed from elsewhere on the network (for example through a remote desktop sharing tool), or when other resources such as a network share are accessed from elsewhere on the network by supplying credentials. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers, but other over-the-network logons are classed as logon type 3 too, as are most logons to IIS other than Basic authentication.
Consider the following scenario:
- DC1 - Active Directory Domain Controller
- Morgan-PC - End-user desktop computer
Now, when a user or any application tries to access a resource such as a network share from Morgan-PC with wrong credentials, the logon failure event 4625 with logon type 3 is logged on DC1, and it points to Morgan-PC as the source machine.
Event 4625 for Logon Type 3:
Log Name:      Security
Date:          14-10-2014 03:43:55
Event ID:      4625
Task Category: Logon
Keywords:      Audit Failure
Computer:      DC1.TestDomain.Com
Description:
An account failed to log on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0
Logon Type:             3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Morgan
    Account Domain:     TESTDOMAIN
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc000006a
Network Information:
    Workstation Name:       Morgan-PC
    Source Network Address: 184.108.40.206
    Source Port:            51283
How to track AD user lockout/logon failure for Logon Type 8
Logon type 8 occurs when the password was sent over the network in clear text. Basic authentication in IIS is the most likely cause of this kind of logon failure. As far as I know, the two Microsoft IIS-based services most commonly used with Basic authentication by end users, from either a desktop or a mobile device, are the OWA client and SharePoint Server.
When an end user connects to a Basic-authentication-enabled OWA client from a desktop PC or mobile device with a wrong password, event 4625 with logon type 8 is logged on the Exchange server that hosts OWA.
Consider the following scenario:
- DC1 - Active Directory Domain Controller
- ExchSvr - Exchange Server integrated with AD, hosting OWA, with DC1 as its authentication server
- Morgan-PC/Mobile - End-user computer/mobile device
Now, when the user Morgan tries to connect to the OWA client from his desktop "Morgan-PC" with a wrong password:
- The logon failure event 4625 with logon type 8 is logged on ExchSvr, and this event points to Morgan-PC as the source machine.
- One of the authentication failure events 4768, 4771 or 4776 (which one depends on the authentication mechanism configured in AD) is logged on DC1, and this event points to the machine ExchSvr as the source machine.
Log Name:      Security
Date:          10/14/2014 4:47:29 PM
Event ID:      4625
Task Category: Logon
Keywords:      Audit Failure
Computer:      ExchSVR.TestDomain.Com
Description:
An account failed to log on.
Subject:
    Security ID:        IIS APPPOOL\OWA
    Account Name:       OWA
    Account Domain:     IIS APPPOOL
    Logon ID:           0x215aa92
Logon Type:             8
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Morgan
    Account Domain:     TestDomain
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc000006a
Process Information:
    Caller Process ID:   0xce4
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
    Workstation Name:       ExchSVR
    Source Network Address: 220.127.116.11
    Source Port:            40977
Detailed Authentication Information:
    Logon Process:          Advapi
    Authentication Package: Negotiate
To track the starting point of this logon failure, we need to read events from two machines, DC1 and ExchSVR:
- From the DC1 event we can conclude that the failure was triggered from ExchSVR,
- and then from the ExchSVR event we can conclude that the actual failure was triggered from Morgan-PC (the Source Network Address).
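To follow the chain described in both sections in practice, here is an added PowerShell example (my own, not from the original article): it reads one machine's Security log for the events used above and lists, per failure, the account plus the workstation or address to inspect next. DC1, ExchSVR and the event IDs are the article's; the Sub Status lookup table is my addition and covers the common values of that field.

```powershell
# Added example, not from the original article: list 4625 (any host) and
# 4768/4771/4776 (DC) failures and show the next machine to inspect.
param(
    [string]$ComputerName = 'DC1',   # article's DC; run again with ExchSVR for the type-8 hop
    [int]$Hours = 24
)
# Common 4625 Sub Status values (NTSTATUS); the article's samples show 0xc000006a
$subStatusText = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000071' = 'Password expired'
}
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4776
    Keywords  = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
    StartTime = (Get-Date).AddHours(-$Hours)
}
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Named fields are only addressable reliably through the event's XML view
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $logonType = if ($data['LogonType']) { [int]$data['LogonType'] } else { $null }
        $sub       = ([string]$data['SubStatus']).ToLower()
        $reason    = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { [string]$data['Status'] }
        # 4625 names the client WorkstationName, 4776 Workstation, 4768/4771 only give IpAddress
        $source = @($data['WorkstationName'], $data['Workstation'], $data['IpAddress']) |
            Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            LogonType = $logonType
            Account   = $data['TargetUserName']
            Source    = $source                 # next machine whose Security log to read
            SourceIP  = $data['IpAddress']
            Reason    = $reason
            Caller    = $data['ProcessName']    # w3wp.exe = IIS Basic auth, i.e. logon type 8
        }
    } |
    Where-Object { $_.EventId -ne 4625 -or $_.LogonType -in 3, 8 } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it against DC1 first; in the type-8 case its Source column points at ExchSVR, and a second run against ExchSVR then gives Morgan-PC's address.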