How to Find AD User Logon Failure Reason for Logon Type 8
Logon type 8 (NetworkCleartext) is recorded when the password was handed to the authentication package in its unhashed form rather than as an NTLM hash or a Kerberos ticket. That is exactly what Basic authentication in IIS does: the client sends user name and password in the HTTP Authorization header (protected only by TLS, if the site is served over HTTPS), and IIS then logs the user on with that password. Basic authentication in IIS is therefore the most likely cause of this kind of logon failure. Five commonly used IIS-based services are reached by end users with Basic authentication from a desktop or mobile device: OWA, Exchange ActiveSync, Outlook Anywhere, FTP and SharePoint. Because the credentials arrive in clear form, these endpoints are also the usual target of password spraying and the usual source of otherwise unexplained account lockouts.
When an end user connects to a Basic-authentication-enabled OWA site from a desktop PC or mobile device with a wrong password, event 4625 with logon type 8 is logged on the Exchange server that hosts OWA, not on the client device and not on the domain controller.
Consider the following scenario:
- DC1: Active Directory domain controller, the authentication server for ExchSvr
- ExchSvr: Exchange Server, joined to the domain, hosting OWA and using DC1 for authentication
- Morgan-PC / Mobile: the end user's computer or mobile device
Now, when the user Morgan tries to open OWA from his desktop "Morgan-PC" with a wrong password:
- Logon failure event 4625 with logon type 8 is logged on ExchSvr, and its Source Network Address points to Morgan-PC.
- One of the authentication failure events 4768, 4771 or 4776 is logged on DC1, depending on whether ExchSvr validated the credentials with Kerberos (4768/4771) or NTLM pass-through (4776), and its Client Address points to ExchSvr, because it is the Exchange server, not Morgan-PC, that talks to the domain controller.
Logon Failure Event 4625 on the IIS Server:
Event ID: 4625
Computer: ExchSVR.TestDomain.Com
Description: An account failed to log on.
Logon Type: 8
Account For Which Logon Failed:
    Account Name: Morgan
    Account Domain: TestDomain
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a
Process Information:
    Caller Process ID: 0xce4
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
    Workstation Name: ExchSVR
    Source Network Address: 212.158.1.110 (Morgan-PC)
    Source Port: 40977
Logon Failure Event 4771 on the Domain Controller:
Event ID: 4771
Task Category: Kerberos Authentication Service
Computer: DC1.TestDomain.local
Description: Kerberos pre-authentication failed.
Account Information:
    Security ID: TESTDOMAIN\Morgan
    Account Name: Morgan
Service Information:
    Service Name: krbtgt/testdomain
Network Information:
    Client Address: 212.158.1.54 (ExchSVR)
    Client Port: 0
Additional Information:
    Ticket Options: 0x40810010
    Failure Code: 0x18
    Pre-Authentication Type: 2
To trace this logon failure back to where it started, you have to read events from both machines, DC1 and ExchSVR, because each one only sees its immediate peer:
- From the DC1 event (4771, Client Address 212.158.1.54) you can only conclude that the failed authentication was sent by ExchSVR. Tools that read domain controller events alone will therefore blame the Exchange server, which is why lockouts caused through Basic authentication are so often misattributed.
- From the ExchSVR event (4625, logon type 8) you can see that the attempt actually came from Morgan-PC: the Source Network Address (212.158.1.110) and Source Port identify the client. Do not rely on the Workstation Name field here; for IIS Basic authentication it carries the IIS server's own name, because w3wp.exe running on ExchSVR is the process that performs the logon.
The reason itself is in the status codes. Sub Status 0xc000006a in 4625 and Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED) in 4771 both mean a wrong password for an existing account. A non-existent account shows Sub Status 0xc0000064 on the IIS server and a failed 4768 with code 0x6 on the DC instead, and a locked-out account shows 0xc0000234 and 0x12 respectively.
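The two-step lookup described above, as an added PowerShell example that is not code from the original article. It pulls the logon-type-8 failures for one user from the IIS (Exchange) host, pulls the failed 4768/4771/4776 events for the same user from the domain controller, decodes the status codes, and joins the two sides by time so that each row shows the whole chain from the end-user device through the IIS host to the DC. The host names, the user name, the 24-hour window, the 5-second correlation tolerance and remote Security-log access (Get-WinEvent -ComputerName needs RPC reachability and event-log read rights on both hosts) are assumptions made for this example.

```powershell
# Added example, not code from the original article. Correlates 4625 (logon type 8)
# on the IIS host with 4768/4771/4776 failures on the DC for one user.
# Host names, user, time window and remote event-log access are assumptions.
param(
    [string]$IisServer = 'ExchSvr',
    [string]$DomainController = 'DC1',
    [string]$User = 'Morgan',        # XPath string match is case-sensitive: use the name as logged
    [int]$Hours = 24
)

# NTSTATUS codes seen in 4625 Sub Status / 4776 Status, and Kerberos codes seen in 4768/4771.
$ntStatusText = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}
$krbCodeText = @{
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (user not found)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (locked out or disabled)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

# Flatten <EventData><Data Name="...">value</Data>... into a hashtable keyed by Name.
function Get-EventFields($Event) {
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Look a code up without throwing on a missing or unmapped value.
function Describe-Code($Table, [string]$Code) {
    if ($Code -and $Table.ContainsKey($Code)) { return $Table[$Code] }
    return "unmapped code '$Code'"
}

# DCs often log IPv4-mapped addresses (::ffff:212.158.1.54); strip the prefix.
function Normalize-Ip([string]$Ip) { return $Ip -replace '^::ffff:', '' }

$inWindow     = "TimeCreated[timediff(@SystemTime) <= $($Hours * 3600 * 1000)]"
$auditFailure = 'band(Keywords,4503599627370496)'   # 0x10000000000000 = Audit Failure keyword

# Step 1: 4625 with LogonType 8 on the IIS host. WorkstationName is the IIS host itself
# (w3wp.exe performed the logon); IpAddress/IpPort identify the real end-user device.
$iisXPath = "*[System[EventID=4625 and $inWindow] and " +
            "EventData[Data[@Name='LogonType']='8' and Data[@Name='TargetUserName']='$User']]"
$iisFailures = @(Get-WinEvent -ComputerName $IisServer -LogName Security -FilterXPath $iisXPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($f.TargetDomainName)\$($f.TargetUserName)"
            Workstation = $f.WorkstationName
            SourceIp    = Normalize-Ip $f.IpAddress
            SourcePort  = $f.IpPort
            Process     = $f.ProcessName
            Reason      = Describe-Code $ntStatusText $f.SubStatus
        }
    })

# Step 2: failed 4768/4771 (Kerberos) and 4776 (NTLM pass-through) for the same user on
# the DC. Their client address is the IIS host, one hop short of the real origin.
$dcXPath = "*[System[(EventID=4768 or EventID=4771 or EventID=4776) and $auditFailure and $inWindow] and " +
           "EventData[Data[@Name='TargetUserName']='$User']]"
$dcFailures = @(Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $dcXPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $isKerberos = ($_.Id -ne 4776)
        $clientIp = if ($isKerberos) { Normalize-Ip $f.IpAddress } else { $f.Workstation }
        $reason   = if ($isKerberos) { Describe-Code $krbCodeText $f.Status } else { Describe-Code $ntStatusText $f.Status }
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; ClientIp = $clientIp; Reason = $reason }
    })

# Step 3: for each IIS failure, pick the closest DC failure within 5 s (assumes the hosts'
# clocks are in sync) and emit one row per attempt showing the full chain.
foreach ($i in $iisFailures) {
    $match = $dcFailures |
        Where-Object { [math]::Abs(($_.Time - $i.Time).TotalSeconds) -le 5 } |
        Sort-Object { [math]::Abs(($_.Time - $i.Time).TotalSeconds) } |
        Select-Object -First 1
    $dcEvent  = if ($match) { $match.EventId }  else { $null }
    $dcClient = if ($match) { $match.ClientIp } else { $null }
    $dcReason = if ($match) { $match.Reason }   else { 'no DC failure within 5 s' }
    [pscustomobject]@{
        Time         = $i.Time
        Account      = $i.Account
        OriginClient = "$($i.SourceIp):$($i.SourcePort)"   # the end-user device (Morgan-PC)
        IisHost      = $i.Workstation                      # where Basic authentication was processed
        IisReason    = $i.Reason
        DcEvent      = $dcEvent
        DcClient     = $dcClient                           # expected to be the IIS host's address
        DcReason     = $dcReason
    }
}
```

Run it from an administrative workstation as a script (`.\Trace-Type8Failure.ps1 -IisServer ExchSvr -DomainController DC1 -User Morgan`) and pipe the output to Format-Table. For the scenario on this page a row would show OriginClient 212.158.1.110:40977, IisHost ExchSVR, IisReason "Wrong password", DcEvent 4771, DcClient 212.158.1.54 and DcReason "KDC_ERR_PREAUTH_FAILED (wrong password)". If you have several domain controllers, run the DC half against each of them or against the PDC emulator, since a bad-password attempt is forwarded there.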