Sunday, 21 December 2014

Group Policy: Account logon vs Logon events

Both are logon audit policies in Group Policy. In an Active Directory domain, logon, logoff and logon-failure events are controlled by these two security policy settings.

Audit Logon events (Client Events)

  • The Audit logon events policy records all attempts to log on to the local computer, whether with a domain account or a local account.
  • On a domain controller, this policy records attempts to access the DC only.
  • It records both logon and logoff events, whereas Account Logon records only logon events.
  • Using these events, we can track a user's logon duration by mapping logon and logoff events through the user's Logon ID, which is unique between the user's logon and logoff. (Refer to this article: Tracking User Logon Activity using Logon and Logoff Events.)
  • Refer to this article to configure logon and logoff events: Steps to enable Audit Logon events (client events).

Audit account logon events (DC Events)

  • Account logon events are generated when a domain user account is authenticated on a domain controller.
  • These events are logged in the domain controller's Security log.
  • If you enable this policy on a workstation or member server, it records any attempt to log on with a local account stored in that computer's SAM.
  • This is an authentication event, so it logs only logon events: an event is written whenever a user is authenticated by the domain controller.
  • Refer to this article to configure Account Logon events: Steps to enable Account Logon events (DC events).
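The Logon ID correlation described above, as an added example that is not part of the original post: it reads 4624 logon events from the local Security log and pairs each with its 4634/4647 logoff event by TargetLogonId to compute the session duration. It assumes "Audit logon events" is enabled and runs from an elevated session; the default logon-type filter (2, 10, 11) is an assumption to keep noisy network logons out.

```powershell
# Added example: pair 4624 logon events with their 4634/4647 logoff events by
# Logon ID to compute session durations on the local computer.
# Requires "Audit logon events" and an elevated session to read the Security log.
function Get-LogonSession {
    param(
        [int[]]$LogonType = @(2, 10, 11),   # interactive, RDP, cached interactive (assumed default)
        [int]$MaxEvents = 5000
    )

    # Flatten the EventData section of an event into a hashtable keyed by Data Name.
    function ConvertTo-EventDataTable {
        param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
        $table = @{}
        $xml = [xml]$Record.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
        return $table
    }

    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647 }
    # Oldest first, so a logoff is always processed after its logon.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        Sort-Object TimeCreated

    # Logon ID -> logon record for sessions that have not logged off yet.
    # Note: Logon IDs are unique only within one boot of the machine.
    $open = @{}
    foreach ($ev in $events) {
        $data = ConvertTo-EventDataTable -Record $ev
        $logonId = $data['TargetLogonId']
        if (-not $logonId) { continue }

        if ($ev.Id -eq 4624) {
            if ([int]$data['LogonType'] -notin $LogonType) { continue }
            $open[$logonId] = [pscustomobject]@{
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = [int]$data['LogonType']
                LogonId   = $logonId
                LogonTime = $ev.TimeCreated
            }
        }
        elseif ($open.ContainsKey($logonId)) {
            # 4634 (session ended) or 4647 (user-initiated logoff) closes the session.
            $s = $open[$logonId]
            $open.Remove($logonId)
            [pscustomobject]@{
                User       = $s.User
                LogonType  = $s.LogonType
                LogonId    = $s.LogonId
                LogonTime  = $s.LogonTime
                LogoffTime = $ev.TimeCreated
                Duration   = $ev.TimeCreated - $s.LogonTime
            }
        }
    }

    # Sessions with no logoff event are still active, or their logoff fell outside the window.
    foreach ($s in $open.Values) {
        [pscustomobject]@{
            User = $s.User; LogonType = $s.LogonType; LogonId = $s.LogonId
            LogonTime = $s.LogonTime; LogoffTime = $null; Duration = $null
        }
    }
}

Get-LogonSession | Sort-Object LogonTime | Format-Table -AutoSize
```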

Difference between SHA256CryptoServiceProvider and SHA256Managed

Both are used to compute hashes, and both classes produce the same hash. The .NET SHA256Managed class is supported in all framework versions, while the SHA256CryptoServiceProvider class is only supported from framework 3.5 and above. SHA256CryptoServiceProvider uses the FIPS 140-2 validated Crypto Service Provider (CSP) (FIPS = Federal Information Processing Standards), while SHA256Managed does not. SHA256Managed is a pure managed implementation, while SHA256CryptoServiceProvider presumably does the same thing but wraps the CryptoAPI.

Summary:

  • Both classes produce the same hash value.
  • SHA256CryptoServiceProvider uses the FIPS 140-2 validated Crypto Service Provider (CSP), while SHA256Managed does not.
  • The .NET SHA256Managed class is supported in all framework versions, while the SHA256CryptoServiceProvider class is only supported from framework 3.5 and above.

How to develop a software to support FIPS Compliance

When you develop software, you need to use SHA256CryptoServiceProvider for hashing; otherwise you will get the following error when you run the application on a system with FIPS compliance enabled:
Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Saturday, 20 December 2014

Powershell : Convert SecureString to Plain Text

You can force the user to enter a password from a PowerShell script using the Read-Host cmdlet, and you can mask the password string by setting the parameter -asSecureString.
$password = Read-Host "Enter Password" -asSecureString
You can use this SecureString password wherever a password is required as a SecureString, but you cannot pass a SecureString value where the password is required as plain text. The PowerShell script below converts a System.Security.SecureString object to plain text (the actual password string).
#SecureStringToPlainText.ps1
$password = Read-Host "Enter Password" -asSecureString
# Create a "password pointer"
$PwdPointer = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
# Get the plain text version of the password.
$PlainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($PwdPointer)
# Free the pointer.
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PwdPointer)
"You have entered this password: " + $PlainTextPassword

How to pass arguments to PowerShell script

In this article, I am going to explain how to pass arguments into a PowerShell script and how to get input values dynamically from within a PowerShell script. You can pass parameters in different ways: as unnamed parameters or as named parameters, and you can even force the user to enter a specific parameter value.

Pass arguments by unnamed parameters:

You can pass any number of values into the script, separated by spaces; within the script you refer to unnamed arguments through the $args array and the position (first, second, ...) of each argument.
#UnnamedArgs.ps1
#Usage:PS C:\Scripts> .\UnnamedArgs.ps1 arg1 arg2
"Your 1st argument is: " + $Args[0]
"Your 2nd argument is: " + $Args[1]

Pass arguments by named parameters:

With the unnamed-parameter method you have little control over the inputs, and the script itself gives no clear picture of what it expects. To overcome this, you can pass arguments as named parameters. To receive arguments by name, use the param statement.
#NamedArgs.ps1
#Usage:PS C:\Scripts> .\NamedArgs.ps1 -Name "Morgan" -City "Arlington"
param($Name, $City)
  "User name: " + $Name
  "City: " + $City
You can set a default value for any argument; this default value is used as the actual value if the user does not pass a value for that argument.
#PassArgs.ps1
param($Name, $City="Los Angeles")
  "User name: " + $Name
  "City: " + $City

You can mark an argument as a Mandatory parameter to force the user to supply that argument in order to run the script.
#MandatoryArgs.ps1
param( [Parameter(Mandatory=$true)] $Name, $City="Los Angeles" )
 "User name: " + $Name
 "City: " + $City

Ask dynamic arguments within Powershell script:

You can prompt the user for input values dynamically from inside a PowerShell script using the Read-Host cmdlet, as your logic requires.
#DynamicArgs.ps1
param( $Name)
If ($Name -eq "Morgan") {
    $mobileno = Read-Host "Enter your mobile no"
}
else{
    $email = Read-Host "Enter your email"
}

Ask password from user in Powershell script:

You can prompt the user for a password from inside a PowerShell script using the Read-Host cmdlet, and you can mask the password string by setting the parameter -asSecureString on the Read-Host cmdlet.
#PasswordArgs.ps1
param( $Name)
"Hi, " + $Name
$password = Read-Host "Enter Password" -asSecureString
$PwdPointer = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
# Get the plain text version of the password.
$PlainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($PwdPointer)
# Free the pointer.
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PwdPointer)
"You have entered this password: " + $PlainTextPassword

MMC cannot open the file C:\WINDOWS\system32\gpmc.msc

Today I got the error below when I tried to open the Group Policy Management Console by running the command gpmc.msc. I've been using it for a long time; it stopped working only now.
MMC cannot open the file C:\WINDOWS\system32\gpmc.msc.This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file."

Fix/Solution for MMC cannot open the file gpmc.msc

After analyzing it for some time, I found the reason for the error: the gpmc template file under the user's appdata location, %APPDATA%\Microsoft\MMC, is corrupted.

To fix this issue we would need to repair the corrupted gpmc template file, which would be a hard task; don't worry, you can simply rename the corrupted template file, and it will be recreated automatically when you open the Group Policy Management Console by running the command gpmc.msc.

1. Open the Run command window, type the path %APPDATA%\Microsoft\MMC and click OK.

2. Rename the corrupted gpmc template file to gpmc-backup. Now you can open the Group Policy Management Console by running the command gpmc.msc.

Friday, 19 December 2014

whenChanged vs usnChanged - Active Directory

Description:

In this article, I am going to explain the Active Directory attributes whenChanged and usnChanged. Both attributes hold information about an AD object's latest change, in different formats, and both are very useful for tracking Active Directory object changes.

Summary:

  • whenChanged is a date-time attribute that holds an AD object's latest change time, and it is a non-replicated attribute.
  • uSNChanged is an integer attribute, and it is updated whenever the object is changed.
  • Both are non-replicated attributes, but that does not mean every domain controller holds a very different value, as happens with the lastLogon attribute. Both are non-replicated, yet they are updated on all DCs for every AD change.

How does the whenChanged attribute value get updated on all DCs?

Before explaining this, I would like to explain what Active Directory replication is. In Active Directory, objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to the other domain controllers that store the same data.

So AD replication ensures the same data on all DCs by transferring every change automatically to the other DCs.

Consider this scenario:

If you change the value of the description attribute of any object to "test", the change is updated on all the other DCs, but you have not changed either whenChanged or uSNChanged, so how do they get updated on your own DC?
whenChanged is a system attribute and is updated automatically for every change, so the description change indirectly forces whenChanged to be set to the latest time. In the same way, the replicated change arriving on each DC automatically forces whenChanged to be set to that particular DC's latest time. So the value of the whenChanged attribute may or may not be identical on all DCs, depending on the replication interval.

For more clarity, consider this scenario:

DC1-  AD Domain Controller 1
DC2-  AD Domain Controller 2
U1-     an AD user

Replication Interval: 15 secs

If you change user U1's description value on DC1 at 10:10:00 AM, the whenChanged attribute is updated to 10:10:00 AM on DC1. Since the replication interval is 15 secs, the description value is replicated to DC2 at 10:10:15 AM, which automatically updates the whenChanged attribute to 10:10:15 AM on DC2. So, depending on the replication interval, the value of the whenChanged attribute may or may not be identical on all domain controllers, but each holds an up-to-date value.

How does the usnChanged attribute value get updated?

When a domain controller modifies an object, it increments the highestCommittedUSN attribute value. When the increment occurs, the domain controller also sets the uSNChanged attribute for that object to the new value. In this process, each change to an object in Active Directory is stamped with a unique and monotonic value. Therefore, a program can obtain the most recent changes to an object on a domain controller by finding the object that has the largest uSNChanged attribute value. Similarly, the second largest uSNChanged attribute value corresponds to the second most recently changed object, and this process is repeated.

For more clarity, consider this scenario:

DC1-  AD Domain Controller and its highestCommittedUSN value = 10000
U1-     an AD user and its uSNChanged value = 3000
U2-     an AD user and its uSNChanged value = 4000


If you change user U1's description value through DC1, DC1 first increments its highestCommittedUSN attribute value to 10001 and writes this value into user U1's uSNChanged attribute, so U1's uSNChanged value becomes 10001. Now, if you change U2's description value through DC1, DC1 increments its highestCommittedUSN attribute value to 10002 and writes this value into user U2's uSNChanged attribute, so U2's uSNChanged value changes from 4000 to 10002. In this way, the domain controller always keeps a record of the most recently changed object. This mechanism is very useful for tracking Active Directory changes using the polling method.

Refer to this article to track AD changes using the uSNChanged attribute: http://msdn.microsoft.com/en-us/library/ms677627(v=vs.85).aspx
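The polling method described above, as an added example that is not part of the original post: it reads highestCommittedUSN from a DC's RootDSE, returns every object whose uSNChanged moved past the value saved at the previous poll, and saves the new high-water mark. Because uSNChanged is DC-local, the saved marker is only valid against the same -Server; the ActiveDirectory module (RSAT) is required, and the state-file path is an assumption.

```powershell
# Added example: poll one domain controller for objects changed since the last poll,
# using uSNChanged and the DC's highestCommittedUSN as a high-water mark.
function Get-ADChangesSinceLastPoll {
    param(
        [Parameter(Mandatory = $true)][string]$Server,            # always the same DC, e.g. DC1.TestDomain.Com
        [string]$StateFile = "$env:ProgramData\ADPoll\$Server.usn"  # assumed location for the marker
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # highestCommittedUSN on RootDSE is this DC's current USN high-water mark.
    $rootDse    = Get-ADRootDSE -Server $Server
    $currentUsn = [int64]$rootDse.highestCommittedUSN

    $lastUsn = if (Test-Path $StateFile) { [int64](Get-Content $StateFile -Raw).Trim() } else { 0 }

    if ($lastUsn -gt $currentUsn) {
        # USNs are monotonic per DC, so a smaller current value means the marker does
        # not belong to this DC (or the DC was restored). Start over rather than miss changes.
        Write-Warning "Stored USN $lastUsn exceeds highestCommittedUSN $currentUsn on $Server; resetting marker."
        $lastUsn = 0
    }

    # Objects with uSNChanged in (lastUsn, currentUsn] changed on this DC since the last poll.
    # Bounding by currentUsn keeps the result consistent with the marker saved below.
    # Deleted objects are not returned unless -IncludeDeletedObjects is added.
    $changed = Get-ADObject -Server $Server `
        -LDAPFilter "(&(uSNChanged>=$($lastUsn + 1))(uSNChanged<=$currentUsn))" `
        -Properties uSNChanged, whenChanged, objectClass |
        Sort-Object uSNChanged |
        Select-Object DistinguishedName, objectClass, uSNChanged, whenChanged

    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -Path $StateFile -Value $currentUsn

    return $changed
}

Get-ADChangesSinceLastPoll -Server 'DC1.TestDomain.Com' | Format-Table -AutoSize
```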

Wednesday, 17 December 2014

How to enable FIPS Compliant algorithms in Windows

What is FIPS Compliance

FIPS (Federal Information Processing Standard) compliance refers to the United States Government standard that provides a benchmark for implementing cryptographic software. For the Schannel Security Service Provider (SSP), this security setting disables the weaker SSL protocols and supports only the TLS protocols. If this setting is enabled, the TLS/SSL Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

Enable FIPS Compliant algorithms via Registry

You can force FIPS compliance on every application by changing the value from 0 to 1 in the registry key below:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled

Enable FIPS Compliant algorithms via Local Security Policy

You can alternatively force FIPS compliance via Local Security Policy. Follow the steps below to configure FIPS compliance on the local computer.

1. Open Local Security Policy by running the command secpol.msc.

2. In the Local Security Policy editor, under the Local Policies node, click Security Options.

3. In the right-hand pane, find the setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.

4. Double-click the policy setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing, click Enable and click the Apply button to complete the FIPS compliance configuration.

How to develop a software to support FIPS Compliance

When we develop software, we need to use FIPS validated cryptographic algorithms for encryption, hashing, and signing. Otherwise, you will get the following error when you run the application on a system with FIPS compliance enabled:
Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Fix for RijndaelManaged algorithms:

The RijndaelManaged class is NOT a FIPS compliant class. Instead you can use the AesCryptoServiceProvider class, which is the FIPS equivalent of RijndaelManaged.

Refer this link: http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx

Fix for SHA256Managed algorithms:

The SHA256Managed class is NOT a FIPS compliant class. Instead you can use the SHA256CryptoServiceProvider class, which is the FIPS equivalent of SHA256Managed.
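An added example, not from the original posts, serving both this section and the SHA256CryptoServiceProvider vs SHA256Managed comparison above: it reads the FIPSAlgorithmPolicy\Enabled registry value named earlier, then hashes the same constructed input with both .NET classes from Windows PowerShell. Under FIPS policy the SHA256Managed constructor throws the error quoted above while the CSP-backed class still works; the sample input is constructed.

```powershell
# Added example: check the FIPS policy flag and compare the two SHA-256 classes.
# Targets Windows PowerShell on .NET Framework, where the FIPS policy check applies.
function Test-FipsPolicyEnabled {
    $key   = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Get-Sha256Hex {
    param(
        [Parameter(Mandatory = $true)][byte[]]$Bytes,
        [ValidateSet('Managed', 'CryptoServiceProvider')][string]$Provider = 'CryptoServiceProvider'
    )
    $algo = $null
    try {
        # SHA256Managed is a pure managed implementation and is refused under FIPS policy.
        # SHA256CryptoServiceProvider wraps the FIPS 140-2 validated CryptoAPI provider.
        $algo = if ($Provider -eq 'Managed') {
            New-Object System.Security.Cryptography.SHA256Managed
        } else {
            New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
        }
        return ([System.BitConverter]::ToString($algo.ComputeHash($Bytes))).Replace('-', '')
    }
    finally {
        # Clear() releases the native handle held by the CSP-backed class.
        if ($algo) { $algo.Clear() }
    }
}

# Constructed sample input; both providers must return the same digest for it.
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')
"FIPS policy enabled: $(Test-FipsPolicyEnabled)"

foreach ($p in 'CryptoServiceProvider', 'Managed') {
    try {
        "{0,-22} {1}" -f $p, (Get-Sha256Hex -Bytes $sample -Provider $p)
    }
    catch {
        # On a FIPS-enabled system the Managed provider lands here with the message
        # "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms".
        "{0,-22} FAILED: {1}" -f $p, $_.Exception.Message
    }
}
```

On a system without the policy both lines show the same digest, which is the "same hash" claim made in the comparison above; with the policy enabled only the CryptoServiceProvider line succeeds.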


Tuesday, 16 December 2014

Add start menu shortcut via Group Policy

In this article I am going to explain how to add a shortcut icon to the Start menu, to open a file or folder or to start an application, through Group Policy. This is a very common task in any GPO-based Active Directory domain environment, whether for all of your users' computers or for a certain group of users' computers, depending on your needs. You can do it easily via Group Policy's user preference setting Shortcuts (Default Domain Policy\User Configuration\Preferences\Shortcuts).

Steps to add start menu shortcut via Group Policy

1. Open the Group Policy Management console by running the command gpmc.msc.

2. Expand the tree and right-click the OU you want this policy to be applied to. Here, I am going to apply it to users who are under the OU ManagementTeam, so right-click the OU ManagementTeam and click Create a GPO in this domain, and Link it here...

3. Give the new policy a name and click OK. Here, I am giving the policy the name start-menu-shortcut-policy.
  
4. Now right-click the newly created GPO start-menu-shortcut-policy and click Edit.

5. In the Group Policy Management Editor window, expand User Configuration and go to the node Shortcuts (User Configuration/Preferences/Windows Settings/Shortcuts).

6. Right-click in the white space empty area, click New and then select Shortcut.

7. In the General tab, fill the following details:
      Name: My Shortcut File (this is the name that will show up on the shortcut in the user's start menu)
      Target type: File System Object
      Location: Start Menu
      Target path: D:\OfficeFiles\MyFile.txt

Note: Here, I have given the file path of MyFile.txt; you can give the path of whichever file or folder you want to create a Start menu shortcut for.

8. Click on the Common tab.
Select Remove this item when it is no longer applied and click OK at the prompt about changing the Action field to 'Replace'. This removes the shortcut from the Start menu if we delete this policy, or if the user falls out of the OU structure that has this policy applied to it.

9. In the Description field, write a description that makes it easy to understand what this policy does, then click Apply and OK.

10. Now update the GPO by running the command gpupdate /force

11. That's all. We have now successfully created a Start menu shortcut icon for the file MyFile.txt for the users under the OU ManagementTeam. You can see the shortcut in the Start menu by logging on to the desktop of any user under the ManagementTeam OU.

Now you can create your own GPO and add shortcut icons to the Start menu via Group Policy as you wish.

Sunday, 14 December 2014

Powershell Script to Get Disk Space Usage Report

We can easily list the size and free space of all disks using the WMI class Win32_LogicalDisk, which represents a data source that resolves to an actual local storage device on a computer running Windows. In this article, I am going to write PowerShell scripts to get disk space usage on the local machine and on a remote computer.

Get Disk Space Usage in Local Machine

You can get the disk space usage report for the local machine with the following PowerShell script. Here I have used the filter DriveType -eq 3 to list only local hard disks, and the query below displays size and free space in GB; you can change this to any other unit (for example, to display MB, change the format expression -f ($_.FreeSpace/1GB) to -f ($_.FreeSpace/1MB)).
Get-WmiObject -Class Win32_LogicalDisk |
Where-Object {$_.DriveType -eq 3} |
Select-Object DeviceID, Description,`
    @{"Label"="DiskSize(GB)";"Expression"={"{0:N}" -f ($_.Size/1GB) -as [float]}}, `
    @{"Label"="FreeSpace(GB)";"Expression"={"{0:N}" -f ($_.FreeSpace/1GB) -as [float]}} |
FT -AutoSize

Get Disk Space Usage from Remote Machine using Powershell

You can get the disk free space usage report from a remote computer by giving the name of the remote computer through the -ComputerName argument in the existing PowerShell script.
Get-WmiObject -Class Win32_LogicalDisk -ComputerName "hp-pc" | 
Where-Object {$_.DriveType -eq 3} |
Select-Object DeviceID, Description,`
    @{"Label"="DiskSize(GB)";"Expression"={"{0:N}" -f ($_.Size/1GB) -as [float]}}, `
    @{"Label"="FreeSpace(GB)";"Expression"={"{0:N}" -f ($_.FreeSpace/1GB) -as [float]}} |
FT -AutoSize

Export Disk Space Usage Report to CSV using Powershell

You can export the disk space usage to CSV using PowerShell's Export-CSV cmdlet. The following script exports the remote computer's disk free space usage report to a CSV file.
Get-WmiObject -Class Win32_LogicalDisk -ComputerName "hp-pc" | 
Where-Object {$_.DriveType -eq 3} |
Select-Object DeviceID, Description,`
    @{"Label"="DiskSize(GB)";"Expression"={"{0:N}" -f ($_.Size/1GB) -as [float]}}, `
    @{"Label"="FreeSpace(GB)";"Expression"={"{0:N}" -f ($_.FreeSpace/1GB) -as [float]}} |
Export-CSV 'C:\DiskSpaceUsage.csv' -NoTypeInformation

Saturday, 13 December 2014

Install and Uninstall Windows Service using Command Prompt

This article explains how to install/create and delete/remove a Windows service using the Command Prompt. You can use the Service Control Manager's utility command sc to install and delete Windows services.

Note: Run the command prompt with elevated privileges(Run as administrator) to use the command sc.

Install Windows Service using Command Prompt

Use the command below to install a Windows service. Note that sc requires a space after binpath= (the space is part of the syntax):
sc create [service-name] binpath= [service-file-path]
service-name : name of the new Windows service.
service-file-path : file path of the Windows service executable.
sc create "MorganTechService" binpath= "C:\Program Files\MorganTechSPace\myservice.exe"

Delete Windows Service using Command Prompt

Use the below command to uninstall a Windows Service.
sc delete "MorganTechService"

How to Schedule Powershell Script to run in Task Scheduler

We can easily execute PowerShell commands from the PowerShell command window whenever we want to perform a task. But for regular tasks, it is better to run the PowerShell script as a scheduled task. You can create a scheduled task to run a PowerShell script using Windows Task Scheduler. Follow the steps below to create a daily schedule that runs a PowerShell script file.

Steps to Create Schedule Task to Run Powershell script

1. Open Windows Task Scheduler: go to Start > Administrative Tools and select Task Scheduler.

4. In Task Scheduler, select the Create Task... option under the Actions menu.

5. Enter a name for the task and give it a description (the description is optional).
6. Under the Security options section, you can specify a different user account for the task to run under; select the option 'Run whether user is logged on or not' so that the task runs even if the user is not logged on.

7. Then select the Triggers tab and click New to add a new trigger for the scheduled task. This trigger should use the On a schedule option. The start date can be set to the desired time, and the frequency and duration of the task can be set to your specific needs; then click OK. Here, I have configured a daily schedule to run the PowerShell script every day.

8. Then go to the Actions tab and click New to set the action this task runs. Set the Action to Start a program.
9. In the Program/script box enter Powershell.
10. In the Add arguments (optional) box enter the complete script file path. For example, if your PowerShell script is named "test-script.ps1" and placed under "C:\Scripts", you have to enter the path "C:\Scripts\test-script.ps1".

11. That's all; the new scheduled task configuration is complete. Click OK to finish.

12. Under Task Scheduler Library, you can check the daily run status of your task, and you can also run the task whenever you want by right-clicking it and clicking Run.
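The same daily task built with the ScheduledTasks cmdlets instead of the GUI, as an added example that is not part of the original post (Windows 8 / Server 2012 and later). The task name, script path, run time and the SYSTEM account are assumptions; it also passes -File so the path is treated as a script file rather than a command string, which is what step 10 relies on.

```powershell
# Added example: scripted equivalent of steps 5-12 above.
function Register-DailyPowerShellTask {
    param(
        [Parameter(Mandatory = $true)][string]$TaskName,
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [string]$At    = '02:00',                  # assumed daily run time
        [string]$RunAs = 'NT AUTHORITY\SYSTEM'     # assumed account; a dedicated service account also works
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # Program/script = powershell.exe, Add arguments = the script path (step 9 and 10).
    # -NoProfile keeps the account's profile script out of the run, -NonInteractive
    # prevents prompts from hanging the task, -ExecutionPolicy RemoteSigned lets local
    # scripts run for this process only, and -File passes the path as a script file.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

    # "On a schedule", daily (step 7).
    $trigger = New-ScheduledTaskTrigger -Daily -At $At

    # "Run whether user is logged on or not" (step 6) without storing a password:
    # run as a service account instead of an interactive user.
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType ServiceAccount -RunLevel Highest

    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

Register-DailyPowerShellTask -TaskName 'Daily-TestScript' -ScriptPath 'C:\Scripts\test-script.ps1'

# Same information as the Task Scheduler Library view in step 12.
Get-ScheduledTaskInfo -TaskName 'Daily-TestScript' |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```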


Thursday, 11 December 2014

What is a Cluster File System?

A clustered file system is a file system where the data is distributed on multiple nodes (machines) that appear to the clients as a single storage system (a cluster). There are several approaches to clustering, most of which do not employ a clustered file system (only direct attached storage for each node). Clustered file systems can provide features like location-independent addressing and redundancy which improve reliability or reduce the complexity of the other parts of the cluster. Parallel file systems are a type of clustered file system that spread data across multiple storage nodes, usually for redundancy or performance.

Distributed vs Clustered File System

Both the File Systems provide a unified view, global namespace, whatever you want to call it. The difference lies in the model used for the underlying block storage. In a cluster file system, all of the nodes connect to the same block storage, with access mediated by locks or other synchronization primitives. In a distributed file system, each server has its own private block storage, which is only unified at a higher level.

Cluster Filesystems have mostly fallen out of fashion, primarily because their storage model requires a relatively expensive external (e.g. FC/iSCSI) disk subsystem plus switches, adapters, etc. The up side is that this allows disk failures to be handled on the external subsystem, and the same-ness of the underlying storage can ease handling of server failures as well.

Distributed Filesystems, on the other hand, can be and usually are built using cheaper SATA/SAS disks through on-board controllers. (Note that they can be built on top of SANs, except in environments such as AWS where such things don't exist.) While such filesystems can easily beat their cluster cousins in terms of throughput per dollar, they often do so at the cost of worse latency and greater complexity to provide data availability across separate pools of storage.

Since the latency issues can be addressed with smarter caching/replication, which - along with the other kinds of complexity - is just a one-time development issue, I believe that distributed filesystems will eventually displace cluster filesystems entirely. Right now, though, there are use cases such as virtual-machine image storage or databases that are probably better served by Cluster Filesystems.

Find Logon Failure Reason for Logon Type 7 - Event 4625

Finding the root cause of frequent bad password attempts or other logon failures is a hard task nowadays, since many applications cache passwords. This article explains how to trace and find the account lockout source and logon failure reason of an AD user for Logon Type 7.

Root cause of AD User Lockout for Logon Type 7

As far as I know, there are two possibilities for logon failure with logon type 7.

- In most cases, this logon type occurs when a user unlocks a password-protected workstation screen; Windows treats this logon as logon type 7. If you enter a valid password, event 4624 is logged in the workstation event log with logon type 7, and if you enter a wrong password, event 4625 is logged with logon type 7.

- There is also a possibility of the account getting locked by a cached Active Directory password.

Logon Type 7 event info for a logon failure when unlocking the workstation screen:
Description:
An account failed to log on.

Logon Type:   7

Failure Information:
 Failure Reason:  Unknown user name or bad password.

Process Information:
 Caller Process ID: 0x1d3
 Caller Process Name: C:\Windows\System32\winlogon.exe
Logon Type 7 event for other logon failures, such as cached credentials:
Description:
An account failed to log on.

Logon Type:   7

Failure Information:
 Failure Reason:  An error occurred during logon.

Process Information:
 Caller Process ID: 0x1f4
 Caller Process Name: C:\Windows\System32\lsass.exe

Monday, 1 December 2014

Find Account Lockout Source for Logon Type 8

Finding the root cause of frequent bad password attempts or other logon failures is a hard task nowadays, since many applications cache passwords. As an administrator, you have more control over the top layer of network security, because at that layer most of the work is done by you; when it comes to the end-user side, it always gives us a headache, and tracing the root cause of an end user's logon failure or account lockout source is much like a doctor diagnosing a disease from the body. In this article, I am going to explain how to trace and find the account lockout source and logon failure reason of an AD user for Logon Type 8.

How to Find AD User Lockout Reason for Logon Type 8

Logon type 8 occurs when the password was sent over the network in clear text. Basic authentication in IIS is the most likely cause for this kind of logon failure. As far as I know, there are five commonly used Microsoft IIS based services that end users access with Basic Authentication from their desktop or mobile device: OWA client, MS Exchange ActiveSync, Outlook Anywhere, FTP client and SharePoint server.

When an end user connects to the Basic-authentication-enabled OWA client from their desktop PC or mobile device with a wrong password, event 4625 with logon type 8 is logged on the Exchange Server that hosts OWA.

Consider the following scenario:
DC1   - Active Directory Domain Controller 
ExchSvr    - Exchange Server integrated with AD with OWA and DC1 as Authentication Server
Morgan-PC/Mobile   - End user computer/mobile device
Now, when the user morgan tries to connect to the OWA client from his desktop "Morgan-PC" with a wrong password:
  • The logon failure event 4625 with logon type 8 is logged on ExchSvr, and this event points to Morgan-PC as the source machine.
  • One of the authentication failure events (4768/4771/4776) is logged on DC1, depending on the authentication mechanism configured in AD, and this event points to the machine ExchSvr as the source machine.
Logon Failure Event 4625 in IIS Server:
Event ID:      4625
Computer:      ExchSVR.TestDomain.Com
Description: An account failed to log on.

Logon Type:   8

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TestDomain

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Process Information:
  Caller Process ID: 0xce4
  Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
  Workstation Name: ExchSVR
  Source Network Address: 212.158.1.110 (Morgan-PC)
  Source Port:  40977
Logon Failure Event 4771 in Domain Controller:
Event ID:      4771
Task Category: Kerberos Authentication Service
Computer:      DC1.TestDomain.local
Description:
Kerberos pre-authentication failed.

Account Information:
 Security ID:  TESTDOMAIN\Morgan
 Account Name:  Morgan

Service Information:
 Service Name:  krbtgt/testdomain

Network Information:
 Client Address:  212.158.1.54 (ExchSVR)
 Client Port:  0

Additional Information:
 Ticket Options:  0x40810010
 Failure Code:  0x18
 Pre-Authentication Type: 2
To track the starting point of this logon failure, we need to read events from two machines, DC1 and ExchSVR.
  • From the DC1 event, we can conclude the failure was triggered from ExchSVR.
  • Then, from the ExchSVR event, we can conclude the actual failure was triggered from Morgan-PC (Source Network Address).

Sunday, 30 November 2014

Find Account Lockout Source for Logon Type 3

Finding the root cause of frequent bad password attempts by an Active Directory user is a cumbersome task nowadays. Unlike other normal logon types (Logon Type 2 - Interactive Logon and Logon Type 10 - Remote Logon), we can't easily track the failure reason for Logon Type 3, because most of the time the failures with this logon type are triggered or initiated either by cached credentials or through third-party tools. In this article, I am going to explain how to find the account lockout source and logon failure reason for Logon Type 3.

How to Find Login Failure Reason for Logon Type 3

This logon type occurs when a computer is accessed from elsewhere on the network (for example, with a remote desktop sharing tool), or when other resources such as a network share are accessed from elsewhere on the network by passing credentials. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. Other over-the-network logons are also classed as logon type 3, as are most logons to IIS except Basic authentication.

Consider following scenario:
DC1         - Active Directory Domain Controller 
Morgan-PC    - End user desktop computer
Now, when a user or any other application tries to access a resource like a network share from Morgan-PC with wrong credentials, we get the logon failure event 4625 with logon type 3 on DC1, and it points to the machine Morgan-PC as the source machine.

 Event 4625 for Logon Type 3:
Computer:      DC1.TestDomain.Com
Description:  An account failed to log on.

Logon Type:   3

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TESTDOMAIN

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Network Information:
  Workstation Name: Morgan-PC
  Source Network Address: 212.158.1.110
  Source Port:  51283

Consider another scenario:
DC1         - Active Directory Domain Controller 
Morgan-PC    - End user desktop computer
Now, when a user tries to log on to DC1 from Morgan-PC via a remote desktop sharing tool with a bad password, we get the logon failure event 4625 with logon type 3 on DC1, and it points to the machine Morgan-PC as the source machine.
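An added example, not from the original posts, that serves the three lockout-tracing articles above (logon types 7, 8 and 3): it parses 4625 event XML into the fields those articles read (logon type, Status/SubStatus, caller process, workstation, source address), translates the SubStatus code into the failure reason, and groups the failures by source and receiving process. It runs offline against a constructed event modelled on the OWA scenario; the sample host names and addresses are the page's own, and the SubStatus table lists the standard NTSTATUS codes reported in 4625.

```powershell
# Added example: summarise 4625 logon failures the way the articles above trace a lockout.
$SubStatusReason = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
}
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext (e.g. IIS Basic auth)'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-LogonFailureXml {
    # Accepts the XML of one 4625 event, as returned by EventRecord.ToXml().
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $xml = [xml]$EventXml
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $sub = "$($d['SubStatus'])".ToLower()
        [pscustomobject]@{
            TimeCreated   = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer      = $xml.Event.System.Computer
            Account       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType     = [int]$d['LogonType']
            LogonTypeName = $LogonTypeName[[int]$d['LogonType']]
            Status        = $d['Status']
            SubStatus     = $d['SubStatus']
            Reason        = if ($SubStatusReason.ContainsKey($sub)) { $SubStatusReason[$sub] } else { 'Unknown (see Status)' }
            CallerProcess = $d['ProcessName']       # winlogon.exe, lsass.exe, w3wp.exe ... as in the articles
            Workstation   = $d['WorkstationName']
            SourceAddress = $d['IpAddress']         # the "Source Network Address" the articles follow back
            SourcePort    = $d['IpPort']
        }
    }
}

function Get-LogonFailureSummary {
    # Groups failures by who, how, which process received them and where they came from.
    param([Parameter(ValueFromPipeline = $true)]$Failure)
    begin { $all = @() }
    process { $all += $Failure }
    end {
        $all | Group-Object Account, LogonTypeName, CallerProcess, SourceAddress, Reason |
            ForEach-Object {
                $ordered = $_.Group | Sort-Object TimeCreated
                [pscustomobject]@{
                    Count = $_.Count; Account = $ordered[0].Account
                    LogonType = $ordered[0].LogonTypeName; Reason = $ordered[0].Reason
                    CallerProcess = $ordered[0].CallerProcess; Source = $ordered[0].SourceAddress
                    FirstSeen = $ordered[0].TimeCreated; LastSeen = $ordered[-1].TimeCreated
                }
            } | Sort-Object Count -Descending
    }
}

# Constructed sample: a type-8 failure received by the IIS worker process, as in the OWA scenario.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2014-12-01T09:15:02.000Z"/><Computer>ExchSVR.TestDomain.Com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Morgan</Data><Data Name="TargetDomainName">TestDomain</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">8</Data><Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
    <Data Name="WorkstationName">ExchSVR</Data><Data Name="IpAddress">212.158.1.110</Data><Data Name="IpPort">40977</Data>
  </EventData>
</Event>
'@

$sampleXml | ConvertFrom-LogonFailureXml | Get-LogonFailureSummary | Format-Table -AutoSize

# Against the live Security log (elevated), the same pipeline:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 2000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonFailureXml | Get-LogonFailureSummary
```

For a type-8 failure the Source column is the client behind the IIS server, so the next hop is that host's own log, as the type-8 article does; for a type-7 failure the source is the local workstation and the CallerProcess (winlogon.exe vs lsass.exe) separates a screen unlock from a cached-credential retry.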