Sunday, 30 November 2014

Find Account Lockout Source for Logon Type 3

Finding the root cause of frequent bad password attempts for an Active Directory user can be a cumbersome task. Unlike the other common logon types (Logon Type 2 - Interactive Logon and Logon Type 10 - Remote Logon), the failure reason for Logon Type 3 is not easy to track, because most of the time these failures are triggered by cached credentials or by third-party tools. In this article, I explain how to find the account lockout source and the logon failure reason for Logon Type 3.

How to Find Logon Failure Reason for Logon Type 3

This logon type occurs when a computer is accessed from elsewhere on the network (i.e. Remote Desktop sharing tool), or when other resources such as a network share are accessed from elsewhere on the network by passing credentials. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. Other over-the-network logons are also classed as logon type 3, as are most logons to IIS, except Basic authentication.

Consider the following scenario:
DC1         - Active Directory Domain Controller 
Morgan-PC    - End user desktop computer
Now, when a user or an application tries to access a resource such as a network share from Morgan-PC with wrong credentials, the logon failure event 4625 with logon type 3 is logged on DC1, and it points to the machine Morgan-PC as the source machine.

 Event 4625 for Logon Type 3:
Computer:      DC1.TestDomain.Com
Description:  An account failed to log on.

Logon Type:   3

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TESTDOMAIN

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Network Information:
  Workstation Name: Morgan-PC
  Source Network Address: 212.158.1.110
  Source Port:  51283

Consider another scenario:
DC1         - Active Directory Domain Controller 
Morgan-PC    - End user desktop computer
Now, when a user tries to log in to DC1 from Morgan-PC via a Remote Desktop sharing tool with a bad password, the logon failure event 4625 with logon type 3 is logged on DC1, and it points to the machine Morgan-PC as the source machine.
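
To turn events like the one shown above into a ranked list of candidate lockout sources, the following added example (not part of the original article) parses the rendered text of exported 4625 events, keeps only Logon Type 3 failures for one account, and counts them per workstation, source address and failure reason. The events are constructed: APP-SRV01 and 192.0.2.25 are hypothetical, and a Subject section is included because real 4625 events carry a second Account Name field there that must not be mistaken for the failing account.

```python
from collections import Counter

# NTSTATUS codes seen in the Sub Status field of event 4625.
SUB_STATUS = {0xC0000064: "no such user", 0xC000006A: "bad password",
              0xC0000234: "account locked out"}
TARGET = "Account For Which Logon Failed"

# Constructed sample events in the text layout of the event shown above.
TEMPLATE = """Logon Type:   {t}
Subject:
  Account Name:  -
Account For Which Logon Failed:
  Account Name:  {user}
Failure Information:
  Sub Status:  {sub}
Network Information:
  Workstation Name: {ws}
  Source Network Address: {ip}
"""
SAMPLE = [TEMPLATE.format(t=t, user=u, sub=s, ws=w, ip=i) for t, u, s, w, i in [
    ("3", "Morgan", "0xc000006a", "Morgan-PC", "212.158.1.110"),
    ("3", "Morgan", "0xc000006a", "Morgan-PC", "212.158.1.110"),
    ("3", "Morgan", "0xc000006a", "APP-SRV01", "192.0.2.25"),  # hypothetical host
    ("2", "Morgan", "0xc000006a", "Morgan-PC", "127.0.0.1"),   # interactive, ignored
    ("3", "Morgan", "0xc0000234", "Morgan-PC", "212.158.1.110"),
]]

def parse_event(text):
    """Parse one rendered 4625 description into a {field: value} dict."""
    event, section = {}, ""
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if not value:
            section = key  # a line such as "Network Information:" opens a section
        elif key != "Account Name" or section == TARGET:
            event[key] = value  # skip the Subject section's Account Name
    return event

def lockout_sources(events, account):
    """Rank (workstation, address, reason) for the account's type 3 failures."""
    hits = Counter()
    for e in map(parse_event, events):
        if e.get("Logon Type") != "3" or e.get("Account Name", "").lower() != account.lower():
            continue
        reason = SUB_STATUS.get(int(e.get("Sub Status", "0"), 16), "other")
        hits[(e.get("Workstation Name", "-"), e.get("Source Network Address", "-"), reason)] += 1
    return hits.most_common()
```

The top entry is the machine to inspect first for cached credentials, mapped drives or services running under the affected account.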
