17 September, 2011

Account Lockout - Finding The Culprit (Server)

In this post, we will check how can we determine which server is causing the Account Lockouts


1. One Domain Controller: Win2k3-DC (Primary Domain Controller)
2. Two Member Servers: Win2k3-SP (SharePoint Server) & Win2k3-SQL (SQL Server)
3. One Client Machine: WinXP
4. One User: User1

The User Account "User1" is currently Locked Out

Enable the Netlogon Logging

Enabling debug logging for the Net Logon service

Netlogon Logging was enabled before the user account was locked. Henceforth, we can see that the log files have been generated.

We have enabled Netlogon Logging on all the four machine (Win2k3-DC, Win2k3-SP, Win2k3-SQL, and WinXP)

Now, Download and Install the "Account Lockout Tools"

Account Lockout and Management Tools

Once done, Extract "NLPARSE.EXE" from the tools

NLPARSE.EXE - Tool that can be used to read the Netlogon File. The Netlogon File is a text file. It does not only contains data about account lockout and its status, but is contains data related to the function of Netlogon. To extract data from the Netlogon Logs related to Account Lockout, We can use "NLPARSE.EXE"

Load the Netlogon File collected from the DC into the NLPARSE.EXE Tool

The different codes are listed in the tool. We don't need to select all but only which we need.

0xC000006A - The value provided as the current password is not correct
0xC0000234  - The user account has been automatically locked

The NLPARSE Tool will generate CSV Files. So for every Netlogon File, It will generate a corresponding CSV File and a Log File.

We are just concerned about the CSV File and not the Log File

Let the Search Begins....

We need to know the complete process of User Logon and his Credential Verification by the Authenticating DC/PDC

1. User Logs on to a Client Machine

2. User then access a resource (Like a Mapped Drive or a SharePoint Site)

3. NETWORK LOGON: User`s Credentials are sent to the Server from where the drives are mapped or
to the server hosting the SharePoint Site

4. TRANSITIVE NETWORK LOGON: The Server hosting the mapped drive data or the server hosting the sharepoint site cannot authenticate the user and has to send the user credentials to the authenticating domain controller. the server henceforth send s the credentials to the domain controller which is known as
TRANSITIVE NETWORK LOGON or Pass-Through Authentication

5. If the password is incorrect then the Authenticating domain send the password to the PDC for Re-verification. This is also a TRANSITIVE NETWORK LOGON

Now lets open the Netlogon.CSV File of the Domain Controller (In our lab, we had only one DC, In case of multiple DC`s, Get the Netlogon File of the PDC First)

Here we see that the Sam Logon is "Transitive Network Logon". In the next column, we can see that User1 logged on to the Machine "WinXP" and tried to access the resource of the server "Win2k3-SP" which in our case is a SharePoint Server. Hence, In the "Via" section, the machine that will list will be the machine where the user`s credentials were passed on.

Since the Users credentials were sent to the SharePoint Server, lets get the Netlogon Logs from the SharePoint Server

Here in the logs, there is no "Transitive Network Logon", there is only "Network Logon". That means that this is the problematic machine where the resource is which the user is trying to access and thus causing account to be locked