Another Account Lockout Issue
Posted by NeverEnoughBackups@reddit | sysadmin | 6 comments
Going deep into logs on this one.
We have a single account that is locking a users account. We have temporarily bypassed this by forcing a task to unlock the account every 5 minutes. This started roughly a month ago.
We can see in the event viewer that there is no caller computer name on event 4740 (lockout event), so we enabled debugging logs, which didn't help. I have since enabled debugging netlogon logs and I can see that 4 attempts are made every 3 minutes, but the 'from' field is empty. Below is a snippet of the Netlogon logs.
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Entered
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Entered
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
We get the two codes "0xC0000234" (account locked out) and "0xC000006A" (invalid credentials). Notice how the 'from' field is empty. As an example, below is a successful login attempt when the user logged in this morning. Of course some info is changed to generic words.
07/09 7:56:40 [LOGON] [6560] DOMAIN: SamLogon: Network logon of domain\user from company-computername-24 Returns 0x0
I am not sure what is trying to log in every 3 minutes and after enabling debugging and still coming up empty I am looking for ideas.
We know the device trying to authenticate is not their workstation or their cell phone. This happens whether or not the user is in the office and whether or not the laptop/phone is on.
We also removed all Microsoft apps from the cell phone just in case it was a syncing issue. We changed the user's password since this happened and it didn't have any effect.
Thanks!
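As an added example (not code from the original post), here is a small Python triage script for exactly the pattern described above: it parses Netlogon.log SamLogon lines in the format quoted in the post, keeps only the failed network logons whose 'from' (caller) field is blank, and measures the interval between bursts of them. The sample log embedded in the script is constructed for the example, the NTSTATUS names are the standard ones for those codes, and the 30-second burst window is an assumption chosen to match the "4 attempts every 3 minutes" description.

```python
"""Triage helper for Netlogon debug logs: find repeating failed network logons
that arrive with a blank 'from' (caller) field and report their cadence."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# One Netlogon.log SamLogon line. The source is optional because the lines in
# the post read "from Entered" / "from Returns ..." when the caller is blank.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{1,2}:\d{2}:\d{2}) \[LOGON\] \[\d+\] (?P<dom>\S+): "
    r"SamLogon: Network logon of (?P<acct>\S+) from "
    r"(?:(?P<src>(?!Entered\b|Returns\b)\S+) )?"
    r"(?P<phase>Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

# NTSTATUS values seen in the thread plus two that commonly appear alongside them.
STATUS_NAMES = {
    "0x0": "STATUS_SUCCESS",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xC000006D": "STATUS_LOGON_FAILURE",
    "0xC0000064": "STATUS_NO_SUCH_USER",
}

# Constructed sample in the format quoted in the post (not real log data).
SAMPLE_LOG = r"""
07/09 7:56:40 [LOGON] [6560] DOMAIN: SamLogon: Network logon of domain\user from company-computername-24 Returns 0x0
07/09 13:41:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Entered
07/09 13:41:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC000006A
07/09 13:41:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC000006A
07/09 13:41:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Entered
07/09 13:41:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:41:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:42:05 [LOGON] [6560] DOMAIN: SamLogon: Network logon of domain\other from company-computername-31 Returns 0xC000006A
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:44:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:44:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:44:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:47:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:47:31 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:47:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
07/09 13:47:32 [LOGON] [15828] DOMAIN: SamLogon: Network logon of domain\user from Returns 0xC0000234
"""


def parse_netlogon(text: str) -> List[Dict]:
    """Return one record per 'Returns' line; 'Entered' lines carry no result."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("phase") == "Entered":
            continue
        # Netlogon.log omits the year; the parsed year (1900) only matters for deltas.
        ts = datetime.strptime(m.group("ts"), "%m/%d %H:%M:%S")
        status = m.group("status").upper().replace("0X", "0x")
        events.append({
            "time": ts,
            "account": m.group("acct").lower(),
            "source": m.group("src"),  # None when the caller name is blank
            "status": status,
            "status_name": STATUS_NAMES.get(status, "UNKNOWN"),
        })
    return events


def blank_source_failures(events: List[Dict], account: Optional[str] = None) -> List[Dict]:
    """Failed network logons for which the DC never received a caller name."""
    return [e for e in events
            if e["status"] != "0x0" and e["source"] is None
            and (account is None or e["account"] == account.lower())]


def burst_cadence(events: List[Dict], gap_seconds: int = 30) -> List[Dict]:
    """Group events closer than gap_seconds into bursts and record the interval
    between consecutive burst starts. A steady interval plus a blank source is
    the signature of an automated client rather than an interactive user."""
    bursts: List[Dict] = []
    for e in sorted(events, key=lambda e: e["time"]):
        if bursts and (e["time"] - bursts[-1]["end"]).total_seconds() <= gap_seconds:
            bursts[-1]["end"] = e["time"]
            bursts[-1]["count"] += 1
        else:
            bursts.append({"start": e["time"], "end": e["time"], "count": 1, "interval_s": None})
    for prev, cur in zip(bursts, bursts[1:]):
        cur["interval_s"] = int((cur["start"] - prev["start"]).total_seconds())
    return bursts


def summarize(text: str, account: str) -> Dict:
    """Condense a log into the few numbers a lockout hunt needs."""
    events = parse_netlogon(text)
    flagged = blank_source_failures(events, account)
    bursts = burst_cadence(flagged)
    return {
        "total_returns": len(events),
        "blank_source_failures": len(flagged),
        "status_counts": {s: sum(1 for e in flagged if e["status"] == s)
                          for s in sorted({e["status"] for e in flagged})},
        "burst_intervals_s": [b["interval_s"] for b in bursts if b["interval_s"] is not None],
        "named_sources_seen": sorted({e["source"] for e in events if e["source"]}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, r"domain\user"))
```

On the constructed sample the script reports 12 blank-source failures for the account, bursts spaced 180 seconds apart, and the two named workstations that did send a caller name; those named sources are the ones you can rule out, while the regular cadence with no caller name points at something that authenticates on a timer through the DC without a workstation identity (in the thread, a RADIUS client behind NPS).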
NeverEnoughBackups@reddit (OP)
For anyone interested that may find this in the future we were able to resolve this issue using the below steps.
I enabled additional logging from the NPS server which displayed login attempts. I verified this network traffic via packet information with wireshark and found that the RADIUS protocol was being used for the requests at that time with the username that was being locked out. Confirmed this by disabling the Enterprise WIFI which was using the RADIUS protocol and the login attempts stopped. Verified no more login attempts via the netlogon.log file.
Ran an IP scan to identify the IP of the MAC in the logs and discovered it was a previously decommissioned laptop re-provisioned by the client for use. The user had a saved wireless profile for the enterprise Wi-Fi that was sending a username and blank password. I removed this network, the logins stopped, and we had no lockouts overnight.
phychmasher@reddit
Hey There, do you happen to recall what additional logging you enabled on your NPS server? I have a similar issue going right now just like yours.
Top-Examination-6800@reddit
Start by reviewing any cached creds this user might’ve inputted ex. Windows Credential Manager, laptop/Desktop, etc. Do y’all have an RD gateway? Or using LDAP?
NeverEnoughBackups@reddit (OP)
This is a good idea but I'm not sure where to look. We have ruled out both of the workstations for this user. This continues even if the workstations are turned off. We also powered off the printers in the office in case it was some kind of Kerberos authentication, but this also didn't help. If it's cached creds, it's not on one of their workstations.
narcissisadmin@reddit
I've seen this happen with a RADIUS server (the blank "caller" field).
NeverEnoughBackups@reddit (OP)
On the NPS event viewer I can see it making LDAP connections, but those are the only logs I see. I found an article describing how to enable success and failure requests to also be logged, but it doesn't appear to be working. Any way to investigate this further? I suspected some kind of wireless device using their enterprise Wi-Fi but haven't been able to rule it out.