4771 0x18 Account Lockout Expand / Collapse
Author
Message
Posted 2/25/2013 9:17:58 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/6/2013 8:54:11 AM
Posts: 4, Visits: 8
Getting multiple 4771 events from the same user but the users account is not getting locked out, is there a reason why the account is not getting locked out?

Feb 21 09:35:19 172.28.32.6 MSWinEventLog 1 Security 123854213 Thu: Feb 21 09:35:18 2013 4771 Microsoft-Windows-Security-Auditing jsmith N/A Failure Audit xxx.xxxx.com Kerberos Authentication Service Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-958271350-321678849-39353 Account Name: jsmith Service Information: Service Name: krbtgt/xxx.com Network Information: Client Address: ::ffff:10.10.10.10 Client Port: 56756 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. 123839364
Occurrence Count: 132
Post #1175
Posted 2/25/2013 2:15:06 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/6/2013 8:54:11 AM
Posts: 4, Visits: 8
I do know that our GPO policy is set, accounts should lock out at 5 attempts.
Post #1177
Posted 3/6/2013 9:05:39 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/6/2013 8:54:11 AM
Posts: 4, Visits: 8
Thank you very much, this information was very helpful
Post #1183
Posted 1/4/2018 11:23:53 PM
Expert from Quest Software

Expert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest SoftwareExpert from Quest Software

Group: Forum Members
Last Login: 2/11/2012 12:15:37 AM
Posts: 18, Visits: 8
I was just researching the same thing and noticed that a reply here appears to have been deleted.

If anyone else is seeing this issue - lots of 4771 events and NO LOCKOUTS, there's a reason. It's called "Password History Check (N-2)". It's a feature that came in Server 2003 that makes Domain Controllers check the bad password against (up to) the previous 2 passwords in Password History. If they match, then BadPwdCount is not incremented +1. If BadPwdCount doesn't go up, then your account won't lockout. MS did this to "reduce the number of lockouts that occur due to user error", but in reality it keeps things like mapped drives or services from locking out an account until the bad password is more than 2 generations old.

hope this helps!
Post #7435
Posted 1/17/2018 7:14:35 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 1/17/2018 7:13:57 PM
Posts: 1, Visits: 1
Look at this web archive. It seems to have to original comment included
https://web.archive.org/web/20130903162140/http://forum.ultimatewindowssecurity.com/Topic1175-279-1.aspx
Post #7439
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 2:05am