Monday, 1 December 2014

Find Account Lockout Source for Logon Type 8

Finding the root cause of frequent bad password attempts or other logon failures is a hard task nowadays, since many applications use cached passwords. As an administrator, you have more control over the top layer of network security, because most of the work in that layer is done by you. The end-user side is where the headaches start: tracing the root cause of an end user's logon failure or account lockout is much like a doctor diagnosing a disease by examining the body. In this article, I am going to explain how to trace and find the account lockout source and logon failure reason of an AD user for Logon Type 8.

How to Find AD User Logon Failure Reason for Logon Type 8

Logon type 8 occurs when the password was sent over the network in clear text. Basic authentication in IIS is the most likely cause of this kind of logon failure. As far as I know, there are five commonly used Microsoft IIS-based services that end users reach with Basic authentication from their desktop or mobile device: the OWA client, MS Exchange ActiveSync, Outlook Anywhere, the FTP client and SharePoint Server.

When an end user connects to a Basic authentication-enabled OWA client from a desktop PC or mobile device with a wrong password, event 4625 with logon type 8 is logged on the Exchange server that hosts OWA.

Consider the following scenario:
DC1 - Active Directory domain controller
ExchSvr - Exchange server integrated with AD, hosting OWA and using DC1 as its authentication server
Morgan-PC/Mobile - End user's computer/mobile device
Now, when the user morgan tries to connect to the OWA client from his desktop “Morgan-PC” with a wrong password:
  • The logon failure event 4625 with logon type 8 is logged on ExchSvr, and this event points to Morgan-PC as the source machine.
  • One of the authentication failure events (4768/4771/4776) is logged on DC1, depending on the authentication mechanism configured in AD, and this event points to the machine ExchSvr as the source machine.
Logon Failure Event 4625 in IIS Server:
Event ID:      4625
Computer:      ExchSVR.TestDomain.Com
Description: An account failed to log on.

Logon Type:   8

Account For Which Logon Failed:
  Account Name:  Morgan
  Account Domain:  TestDomain

Failure Information:
  Failure Reason:  Unknown user name or bad password.
  Status:   0xc000006d
  Sub Status:  0xc000006a

Process Information:
  Caller Process ID: 0xce4
  Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
  Workstation Name: ExchSVR
  Source Network Address: (Morgan-PC)
  Source Port:  40977
Logon Failure Event 4771 in Domain Controller:
Event ID:      4771
Task Category: Kerberos Authentication Service
Computer:      DC1.TestDomain.local
Kerberos pre-authentication failed.

Account Information:
 Security ID:  TESTDOMAIN\Morgan
 Account Name:  Morgan

Service Information:
 Service Name:  krbtgt/testdomain

Network Information:
 Client Address: (ExchSVR)
 Client Port:  0

Additional Information:
 Ticket Options:  0x40810010
 Failure Code:  0x18
 Pre-Authentication Type: 2
To track the starting point of this logon failure, we need to read events from two machines, DC1 and ExchSVR.
  • From the DC1 event, we can conclude that the failure was triggered from ExchSVR.
  • Then, from the ExchSVR event, we can conclude that the actual failure was triggered from Morgan-PC (Source Network Address).
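
The two-hop trace above, written out as an added Python example (not code from the original article): it parses exported event text, follows the DC event's client address to the front-end server, then reads that server's 4625 / logon type 8 events for the originating address. The sample logs, the IP addresses and the `HOSTS` lookup table are constructed for illustration.

```python
# Constructed sample data (not real logs): Event Viewer text layout as shown
# above, one blank line between events; addresses and HOSTS are made up.
DC_LOG = """Event ID: 4771
Account Name: Morgan
Client Address: ::ffff:10.0.0.20
Failure Code: 0x18"""

SERVER_LOGS = {"ExchSVR": """Event ID: 4625
Logon Type: 3
Account Name: Morgan
Source Network Address: 10.0.0.99

Event ID: 4625
Logon Type: 8
Account Name: Morgan
Sub Status: 0xc000006a
Source Network Address: 10.0.0.57"""}

HOSTS = {"10.0.0.20": "ExchSVR"}  # hypothetical stand-in for a DNS lookup
AUTH_FAILURE_IDS = ("4768", "4771", "4776")  # DC-side events named in the article

def parse_events(log):
    """Turn 'Key: Value' event text into one dict per event (last duplicate key wins)."""
    events = []
    for block in log.strip().split("\n\n"):
        pairs = (ln.partition(":") for ln in block.splitlines() if ":" in ln)
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def trace_source(account, dc_log=DC_LOG, server_logs=SERVER_LOGS, hosts=HOSTS):
    """Return (front-end server, originating addresses) for a failing account."""
    want = account.lower()
    for ev in parse_events(dc_log):
        # 4776 labels its fields differently from 4768/4771.
        name = ev.get("Account Name") or ev.get("Logon Account") or ""
        if ev.get("Event ID") not in AUTH_FAILURE_IDS or name.lower() != want:
            continue
        addr = ev.get("Client Address") or ev.get("Source Workstation") or ""
        server = hosts.get(addr.replace("::ffff:", ""), addr)  # hop 1: DC -> server
        origins = {e.get("Source Network Address")  # hop 2: server -> client
                   for e in parse_events(server_logs.get(server, ""))
                   if e.get("Event ID") == "4625" and e.get("Logon Type") == "8"
                   and e.get("Account Name", "").lower() == want}
        return server, origins
    return None, set()

if __name__ == "__main__":
    print(trace_source("Morgan"))  # front-end server and client address(es)
```

The logon type 3 failure for the same account is ignored on purpose, so only the clear-text (type 8) source is reported.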



  1. This Event is usually caused by a stale hidden credential. Try this from the system giving the error:

    From a command prompt run: psexec -i -s -d cmd.exe
    From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
    Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.