Tuesday, 14 October 2014

How to Find Locked out and Logon Failure Reason

Tracking down the source and root cause of repeated Active Directory user account lockouts is still a cumbersome task. For the ordinary logon types (Logon Type 2, interactive, and Logon Type 10, Remote Desktop) the failure reason can be read straight from the event. For Logon Type 3, Logon Type 7 and Logon Type 8 it cannot, because the failures behind these logon types are usually triggered by saved or cached credentials or by third-party tools rather than by a user typing a password. In this article I explain how to trace the account lockout source and the logon failure reason for an AD user for each of those three logon types.

Summary:

- How to Find Account Lockout Reason for Logon Type 3
- How to Trace AD User Lockout Reason for Logon Type 8
- How to Find AD User Lockout Source for Logon Type 7

How to Find Account Lockout Reason for Logon Type 3

Logon Type 3 is a network logon: the account is used to reach a resource on another computer over the network, with the credentials supplied by the client. The most common sources of Logon Type 3 events are connections to shared folders and printers, but every other over-the-network logon (WinRM, RPC, and most logons to IIS except Basic authentication) is recorded as Logon Type 3 as well. A Remote Desktop session itself is Logon Type 10, although the Network Level Authentication check that precedes the session is recorded as Logon Type 3, so an RDP attempt with a bad password also shows up here.

Consider the following scenario:
      DC1         - Active Directory Domain Controller, also hosting a network share
      Morgan-PC   - End user desktop computer
When a user or any application on Morgan-PC tries to open the share on DC1 with wrong credentials, the logon failure event 4625 with Logon Type 3 is logged on DC1 (the computer that owns the resource, not the domain controller as such), and its Network Information section points to Morgan-PC as the source machine. Trust the Source Network Address over the Workstation Name: the workstation name is supplied by the client in NTLM, is often blank for Kerberos logons, and can be anything the caller chooses.

Event 4625 for Logon Type 3:
Computer:      DC1.TestDomain.Com
Description:  An account failed to log on.

Logon Type:   3

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TESTDOMAIN

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Network Information:
  Workstation Name: Morgan-PC
  Source Network Address: 212.158.1.110
  Source Port:  51283

How to Trace AD User Lockout Reason for Logon Type 8

Logon Type 8 (NetworkCleartext) is recorded when the password is sent over the network in clear text. Basic authentication in IIS is the most likely cause of failures with this logon type. The two IIS-based services that end users most commonly reach with Basic authentication, from a desktop or from a mobile device, are Outlook Web App (OWA) on Exchange and SharePoint.

When an end user connects to a Basic-authentication-enabled OWA site from a desktop PC or mobile device with a wrong password, event 4625 with Logon Type 8 is logged on the Exchange server that hosts OWA, not on the domain controller.

Consider the following scenario:
     DC1        - Active Directory Domain Controller
     ExchSvr    - Exchange Server hosting OWA, joined to the domain and authenticating against DC1
     Morgan-PC/Mobile   - End user computer/mobile device
When the user Morgan tries to log on to OWA from his desktop "Morgan-PC" with a wrong password:
  • The logon failure event 4625 with Logon Type 8 is logged on ExchSvr. Its Source Network Address points to Morgan-PC, while its Workstation Name shows ExchSvr itself, because the IIS worker process w3wp.exe on ExchSvr is the process that performed the logon.
  • One of the authentication failure events 4768 or 4771 (Kerberos) or 4776 (NTLM) is logged on DC1, depending on the protocol ExchSvr used to validate the password, and that event points to ExchSvr as the source machine.
Computer:      ExchSVR.TestDomain.Com
Description: An account failed to log on.

Logon Type:   8

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TestDomain

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Process Information:
  Caller Process ID: 0xce4
  Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
  Workstation Name: ExchSVR
  Source Network Address: 212.158.1.110
  Source Port:  40977
To get back to the starting point of this logon failure we need to read events on two machines, DC1 and ExchSvr:
  • From the DC1 event (4768/4771/4776) we learn that the bad password was presented by ExchSvr.
  • From the ExchSvr event (4625, Logon Type 8) we learn that the actual failure was triggered from Morgan-PC, identified by the Source Network Address (the Workstation Name field shows ExchSvr itself, because IIS performed the logon).

How to Find AD User Lockout Source for Logon Type 7

There are two common causes of logon failures with Logon Type 7.

- In most cases this logon type is recorded when a user unlocks a password-protected workstation screen; Windows treats the unlock as Logon Type 7. If the password entered is correct, event 4624 with Logon Type 7 is logged in the workstation's Security log; if it is wrong, event 4625 with Logon Type 7 is logged instead, with winlogon.exe as the caller process.

- A stale Active Directory password cached on the workstation can also produce Logon Type 7 failures and, when it is retried, lock the account out. In that case the caller process is lsass.exe rather than winlogon.exe, and the Failure Reason reads "An error occurred during logon" instead of "Unknown user name or bad password".

Logon Type 7 event for a logon failure when unlocking the workstation screen:
Description:
An account failed to log on.

Logon Type:   7

Failure Information:
 Failure Reason:  Unknown user name or bad password.

Process Information:
 Caller Process ID: 0x1d3
 Caller Process Name: C:\Windows\System32\winlogon.exe
Logon Type 7 event for other logon failures, such as cached credentials:
Description:
An account failed to log on.

Logon Type:   7

Failure Information:
 Failure Reason:  An error occurred during logon.

Process Information:
 Caller Process ID: 0x1f4
 Caller Process Name: C:\Windows\System32\lsass.exe
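The workstation side of the trace in PowerShell, as an added example rather than code from the original post, which serves the Logon Type 3 section above as well as this Logon Type 7 section: it pulls 4625 events for one account from a given computer's Security log, filters by logon type, translates the Sub Status codes quoted in this article (plus a few other common ones) and shows the fields that identify the source, namely Workstation Name, Source Network Address and Caller Process Name. It assumes read access to that computer's Security log and remote event log access; the account and computer names in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Reads 4625 (An account failed to log on)
# for one account and shows where each failure came from, per logon type.
# Assumptions: Security log read rights on $ComputerName and remote event log access.

# Turn the <EventData><Data Name="..."> list of an event into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

# NTSTATUS Sub Status codes as they appear (lower-case hex) in the 4625 XML.
$SubStatusText = @{
    '0xc000006a' = 'bad password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc000006f' = 'logon outside permitted hours'
}

function Get-FailedLogonSource {
    param(
        [Parameter(Mandatory)][string]$AccountName,    # e.g. 'morgan'
        [string]$ComputerName = $env:COMPUTERNAME,     # DC1, ExchSvr or Morgan-PC
        [int[]]$LogonType = @(3, 7, 8),
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $AccountName) { return }
            if ([int]$d.LogonType -notin $LogonType) { return }
            $sub = ([string]$d.SubStatus).ToLower()
            $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { $sub }
            $process = [string]$d.ProcessName
            # For Logon Type 7 the caller process tells the two cases in the article apart
            $hint = switch -Regex ($process) {
                'winlogon\.exe$' { 'screen unlock with wrong password' }
                'lsass\.exe$'    { 'logon started by LSASS (cached/stored credentials)' }
                'w3wp\.exe$'     { 'IIS application (e.g. OWA Basic authentication)' }
                default          { '' }
            }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                LoggedOn      = $_.MachineName
                LogonType     = [int]$d.LogonType
                Account       = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Reason        = $reason
                Workstation   = $d.WorkstationName   # client-supplied; prefer SourceIP
                SourceIP      = $d.IpAddress
                SourcePort    = $d.IpPort
                CallerProcess = $process
                Hint          = $hint
            }
        }
}

# Usage: where do the bad passwords for 'morgan' land on DC1 (Logon Type 3, share access)?
Get-FailedLogonSource -AccountName 'morgan' -ComputerName 'DC1' -LogonType 3 |
    Group-Object Workstation, SourceIP, CallerProcess |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# And on the user's own PC (Logon Type 7: winlogon.exe = unlock, lsass.exe = cached password)
Get-FailedLogonSource -AccountName 'morgan' -ComputerName 'Morgan-PC' -LogonType 7 |
    Format-Table Time, Reason, CallerProcess, Hint -AutoSize
```

For the Logon Type 8 case run the same function against the Exchange server with -LogonType 8: the CallerProcess column shows w3wp.exe and SourceIP shows the client, while Workstation shows the Exchange server itself, exactly as in the sample event above.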

Thanks,
Morgan
Software Developer
