On Event Viewer, we should look for the following information (filter Security log):
Security log, events 4625 and 4771 (format for filtering is: 4625,4771).
We need to filter for these two events since we don’t know if the user failed to authenticate using NTLM (4625) or Kerberos (4771).
References:
4625(F): An account failed to log on
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
4771(F): Kerberos pre-authentication failed
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
With a view containing only events 4625 and 4771 we can then search (Find…) the user we are troubleshooting.
We should be looking for, and expect to see, the following information in each of these events.
4625:
You can refer to the article above for a full description on the Status and Sub-Status codes.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/21/2019 10:40:19 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.contoso.local
Description: An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: test2016  → This should show the account you are troubleshooting.
  Account Domain: WIN2K16MEMBER
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D  → These are the fields you should also be looking at.
  Sub Status: 0xC0000064  → We can have either 0xC0000064 or 0xC000006A.
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: WIN2K16MEMBER  → This might not show on this event, but if it does, this is where the bad password is coming from.
  Source Network Address: 192.168.0.31  → This might not show on this event, but if it does, this is the IP address the bad password is coming from.
  Source Port: 49735
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
If the above event does not show the Network Information details, you will have to enable the Netlogon debug log to have more tracing and NTLM authentication information.
You can refer to the following article for the full instructions on how to enable and disable Netlogon debugging:
Enabling debug logging for the Netlogon service
https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service
Enabling and disabling Netlogon debugging is quite easy, but it should only be enabled for troubleshooting purposes and disabled afterwards:
Enable Netlogon debug:
From an elevated command prompt (as administrator), run the following command:
nltest /dbflag:2080ffff
Disable Netlogon debug:
From an elevated command prompt (as administrator), run the following command:
nltest /dbflag:0x0
The netlogon debug log can then be found under C:\Windows\debug\netlogon.log
In the netlogon debug log we should search (Find…) for the user we are troubleshooting and should be able to find information similar to the below:
08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A
This entry tells you where the bad password came from.
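The search above can be scripted so that every SamLogon entry for the account is pulled out of netlogon.log and the failures are counted per originating workstation and intermediate server. The following PowerShell is an added example, not part of the original article or the Netlogon tooling; it assumes the log path and line format shown above, and the sample line it falls back to when the log is absent is constructed from the article's example.

```powershell
# Added example (not from the original article): find the Netlogon debug entries for
# one account and summarise where the failed logons came from.
# Assumes the log path and line layout shown in the article; run as an administrator
# on the DC where Netlogon debugging was enabled with "nltest /dbflag:2080ffff".
param(
    [string]$User    = 'test2016',                         # account being troubleshot
    [string]$LogPath = 'C:\Windows\debug\netlogon.log'
)

# Matches lines such as:
# 08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A
$pattern = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*SamLogon: (?<kind>.+?) logon of (?<dom>[^\\]+)\\(?<user>\S+) from \(\s*(?<ws>[^)]*?)\s*\)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'

# Return codes named in the article (hashtable keys are case-insensitive in PowerShell)
$codeText = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0x0'        = 'Success'
}

if (Test-Path $LogPath) {
    $lines = Get-Content $LogPath
}
else {
    # Constructed sample line (from the article's example) so the script runs offline
    Write-Warning "$LogPath not found; using a constructed sample line"
    $lines = @('08/15 16:38:22 [LOGON] [608] CONTOSO: SamLogon: Generic logon of CONTOSO.LOCAL\test2016 from ( WIN2K16MEMBER ) (via JUMPSERVER) Returns 0xC000006A')
}

$hits = foreach ($line in $lines) {
    $m = [regex]::Match($line, $pattern)
    if (-not $m.Success) { continue }
    if ($m.Groups['user'].Value -ne $User) { continue }   # same as Find... for the user
    [pscustomobject]@{
        Time        = $m.Groups['ts'].Value
        Kind        = $m.Groups['kind'].Value
        Account     = "$($m.Groups['dom'].Value)\$($m.Groups['user'].Value)"
        Workstation = $m.Groups['ws'].Value    # where the password was sent from
        Via         = $m.Groups['via'].Value   # intermediate server, if any
        Code        = $m.Groups['code'].Value
        Meaning     = $codeText[$m.Groups['code'].Value]
    }
}

$hits | Format-Table -AutoSize

# Count failures per source so the noisiest origin stands out
$hits | Where-Object Code -ne '0x0' |
    Group-Object Workstation, Via |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

The per-source count is the useful part when the log is large: the workstation (and the "via" server when present) with the most non-zero return codes is the next place to look, which is the step the article describes as the hard part.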
4771:
You can refer to the article above for a full description on the Failure Codes.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/26/2019 11:47:11 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.contoso.local
Description: Kerberos pre-authentication failed.
Account Information:
  Security ID: CONTOSO\Administrator
  Account Name: Administrator  → This should show the account you are troubleshooting.
Service Information:
  Service Name: krbtgt/CONTOSO
Network Information:
  Client Address: ::ffff:192.168.0.4  → This might not show on this event, but if it does, this is the IP address the bad password is coming from.
  Client Port: 49908
Additional Information:
  Ticket Options: 0x40810010
  Failure Code: 0x18  → This is the Failure Code we should be looking for: the wrong password was provided.
  Pre-Authentication Type: 2
Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:
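Rather than filtering Event Viewer to 4625,4771 and using Find… by hand, the same query can be run with Get-WinEvent and the fields called out above (Status, Sub Status, Failure Code, Workstation Name, source address) extracted from the event XML. The script below is an added example and is not code from the original article or from Microsoft; it assumes it runs as an administrator on the domain controller (or with Get-WinEvent's -ComputerName pointed at it), and the EventData field names (TargetUserName, Status, SubStatus, WorkstationName, IpAddress, AuthenticationPackageName) are those documented for events 4625 and 4771.

```powershell
# Added example (not from the original article): list 4625 and 4771 events for one
# account from the Security log and show the fields the article says to check.
# Assumes the documented EventData names for both events and a DC with audit failures enabled.
param(
    [string]$User  = 'test2016',   # account being troubleshot (from the article's sample)
    [int]   $Hours = 24            # how far back to look
)

# Sub-Status (4625) and Failure Code (4771) values named in the article.
# PowerShell hashtable keys are case-insensitive, so 0xc000006a in the XML still matches.
$SubStatusText   = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
}
$KerbFailureText = @{ '0x18' = 'Wrong password (pre-authentication failed)' }

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771                      # same as the "4625,4771" Event Viewer filter
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the EventData block of the event XML into a name -> value table
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetUserName -ne $User) { return }   # same as Find... for the user

    if ($_.Id -eq 4625) {
        $sub = $data.SubStatus
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = 4625
            Protocol    = $data.AuthenticationPackageName   # NTLM in the article's sample
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            Status      = $data.Status
            SubStatus   = $sub
            Meaning     = $SubStatusText[$sub]
            Workstation = $data.WorkstationName   # '-' means: enable the Netlogon debug log
            SourceIP    = $data.IpAddress
        }
    }
    else {
        $code = $data.Status   # 4771 carries the Failure Code in the Status field
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = 4771
            Protocol    = 'Kerberos'
            Account     = $data.TargetUserName
            LogonType   = '-'
            Status      = $code
            SubStatus   = '-'
            Meaning     = $KerbFailureText[$code]
            Workstation = '-'
            SourceIP    = ($data.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped prefix
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it with -User set to the locked-out account; rows whose Workstation and SourceIP are both empty or "-" are the cases the article sends to the Netlogon debug log, and the Meaning column separates a bad password (0xC000006A, 0x18) from a non-existent user name (0xC0000064), which usually points at a mistyped account in a service or task rather than a stale password.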
This was the easy part!
The hard part is often to troubleshoot from the client side as we don’t have any specific procedure to understand what is sending the bad passwords.
An application? A Scheduled Task? A script?
It can be any one of them, or all of them, and for that reason we often need to revisit the client workstation to continue searching for the culprit(s).
Sometimes it is a device in the middle that connects the user to Exchange, SQL or any other resource; the same steps then need to be taken on each device in the middle until they bring us back to the originating source.
More information:
You can also check the articles below for more troubleshooting information and tips regarding account lockouts:
Active Directory: Bad Passwords and Account Lockout
Active Directory: Troubleshooting Frequent Account Lockout
Troubleshooting account lockout the PSS way
https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/