
Local Authentication Sent to Domain

  • Local Authentication Sent to Domain

    Hello, I wasn't exactly sure where to post this but figured it might be best in the security forums.
    Ok, so the situation is that I have a user account that keeps getting locked out. This user is on our local network, no outside access for logging in, but the machine has internet access, and the machine is a Windows XP. This is the only machine the user uses.
    Going through the logs I see intervals of authentication attempts for this machine on our domain controller..... what I don't get is that the failure events recorded in the logs show that the domain specified is the workstation name. Basically I don't understand how the authentication attempt is directed to our Domain controller when the domain specified during the log in is the local machine name.

    Here is an example of the failure event: (information removed for security purposes)
    ==========================================================
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 1/12/2010
    Time: 11:40:06 AM
    User: NT AUTHORITY\SYSTEM
    Computer: Domain Controller
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: User.Account.in.AD
    Domain: Workstation Name
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: Workstation Name
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: A.B.C.D
    Source Port: 0


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    ==========================================================

    I saw this article:
    http://support.microsoft.com/kb/811082

    I have applied all the latest updates to the machine, but the lockouts are still showing up in the logs on our Domain controllers just as specified above.

    There are no mapped drives. There are no WMI scripts running/ scheduled to run.

    Anybody have any ideas on what I can do next? Appreciate any insight

    -TIA

  • #2
    Re: Local Authentication Sent to Domain

    Do I understand it correctly? Is that a local user account?
    If so see if this helps: http://support.microsoft.com/kb/811082
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Local Authentication Sent to Domain

      Originally posted by L4ndy
      Do I understand it correctly? Is that a local user account?
      If so see if this helps: http://support.microsoft.com/kb/811082
      L4ndy,
      Thanks, and yup I had mentioned that article in my original post. I updated the machine that failed authentications are coming from and have updates to the latest service packs / updates as that MS KB article describes but the issue still continues.

      To clarify about the local account.... again this is really strange... the Authentication logs on our Domain controllers show that a user account is trying to authenticate against the domain, it's failing the authentication attempts and the user is being locked out.
      Examining the logs of the failed authentication... it's showing that NTLM process is being and the domain specified is the workstation's host name. In summary, some process is trying to authenticate with the user's credentials to the domain.. but specifying the workstation name as the domain, as shown in the original post example.
      I don't know how the authentication is even being forwarded to the domain controller, but I guess this problem is known about seeing how there is an MS article related to this issue. I just wish I knew how to fix it.
      I think the next step is to request the hotfix, even though it should be included in the service packs installed on the user's machine.
      Any thoughts? Anybody with a similar issue or advice? I'm running low on ideas.

      Thanks



      • #4
        Re: Local Authentication Sent to Domain

        This is normal retarded behavior. I've never tried the hotfix, at my last place I had to set up a filter to disable alerts when this occurred.

        If you have a local and domain account with the same name then the domain account may be locked out because of this.



        • #5
          Re: Local Authentication Sent to Domain

          Originally posted by Garen
          This is normal retarded behavior. I've never tried the hotfix, at my last place I had to set up a filter to disable alerts when this occurred.

          If you have a local and domain account with the same name then the domain account may be locked out because of this.
          Garen,
          Thanks! This is true in my environment, there is a local account that matches a domain account. Unfortunately the machine in question is not on our domain (one of the many issues I inherited from the previous admins), and only uses the Domain account to log into email, but logs on to the workstation locally.
          I will hopefully be implementing the hotfix tonight (EST), and will update if I notice a change at all.
          If the hotfix doesn't resolve the issue, I might try changing the local user account, appreciate the insight.
          Strange how this is occurring as I think ( THINK ) that I have other users who are set up the same, but don't have the same lockout issues



          • #6
            Re: Local Authentication Sent to Domain

            Sorry Jlewko, missed your link before.
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR



            • #7
              Re: Local Authentication Sent to Domain

              Just an update - I tried the patch last night (requested the hot fix from the link earlier in the article) but the patch / hotfix gave me an error saying that the patch was applicable to the machine since it already had Service Pack 2 on it.
              So the next step would be to rename the local user account, which was pointed out by Garen. Once done I'll update, in case anybody is running into the same issue.



              • #8
                Re: Local Authentication Sent to Domain

                Hello Jlewko.

                I'm having the same issue, did you find any solution for your problem?



                • #9
                  Re: Local Authentication Sent to Domain

                  Originally posted by mihai247
                  Hello Jlewko.

                  I'm having the same issue, did you find any solution for your problem?
                  mihai247,
                  I just recently changed the user account the user was using to log in locally. Now this user account no longer matches the domain username. So far so good. But it's still kind of early. I'll monitor the issue a while longer, and update down the road.



                  • #10
                    Re: Local Authentication Sent to Domain

                    Hello Jlewko.

                    I have some news, that could help you too.

                    I added the workstation to the domain and after a reboot I just leave the domain and transform back into a home workstation. After this he is working like it should work at the beginning (I am able to log in to domain using local username and password).

                    Isn't it strange?

                    After adding the workstation into domain & leaving the domain I just format & reinstall the workstation using the same steps as described before and everything works without joining again the domain. So I could have an idea, It is possible that the domain apply a kind of blocking for this workstation's MAC and after joining the domain to remove the blocking, or something like that?



                    • #11
                      Re: Local Authentication Sent to Domain

                      Originally posted by mihai247
                      Hello Jlewko.

                      I have some news, that could help you too.

                      I added the workstation to the domain and after a reboot I just leave the domain and transform back into a home workstation. After this he is working like it should work at the beginning (I am able to log in to domain using local username and password).

                      Isn't it strange?

                      After adding the workstation into domain & leaving the domain I just format & reinstall the workstation using the same steps as described before and everything works without joining again the domain. So I could have an idea, It is possible that the domain apply a kind of blocking for this workstation's MAC and after joining the domain to remove the blocking, or something like that?
                      That is strange. I'm not sure that the MAC address would be a factor, because I think that this issue would come up anytime you swap out NICs or add NICs to other machines. I think the issue is more to do with the authentication process.
                      In my case, I have changed the local user name to be different than the domain logon, and so far no issues with the account getting locked out, as like before when both the local username and domain username were the same.



                      • #12
                        Re: Local Authentication Sent to Domain

                        Just an update. Once the local PC user name was changed so it didn't match the domain user name, the issue is no longer present. So if you are in the same situation, try changing one of the user names (local PC, or domain), and hopefully this will fix your problem as it did mine.
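
Added example, not part of the original thread: a Python script that reads a text export of Security-log events in the layout quoted in the first post and counts the 529 network-logon failures whose Domain field is the sender's own workstation name, which is the pattern the thread traces to a local account sharing its name with a domain account. The sample records, host names, account names and addresses are constructed, and the export is assumed to start each record with an "Event Type:" line.

```python
from collections import Counter

# Constructed sample in the layout of the event quoted in the first post;
# host names, account names and addresses are made up for illustration.
SAMPLE_EXPORT = """\
Event Type: Failure Audit
Event ID: 529
User Name: jdoe
Domain: WKSTN-07
Logon Type: 3
Workstation Name: WKSTN-07
Source Network Address: 192.0.2.15

Event Type: Failure Audit
Event ID: 529
User Name: jdoe
Domain: wkstn-07
Logon Type: 3
Workstation Name: WKSTN-07
Source Network Address: 192.0.2.15

Event Type: Failure Audit
Event ID: 529
User Name: asmith
Domain: CORP
Logon Type: 3
Workstation Name: WKSTN-09
Source Network Address: 192.0.2.22
"""

def parse_events(text):
    """Return one dict of 'Field: value' pairs per exported event."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separator rows, blank lines
        if key.strip() == "Event Type" or not events:
            events.append({})  # assumption: a new record starts here
        events[-1][key.strip()] = value.strip()
    return events

def self_domain_failures(events):
    """Count 529 network logons whose Domain is the sender's own host name."""
    hits = Counter()
    for ev in events:
        host = ev.get("Workstation Name", "")
        if (ev.get("Event ID") == "529" and ev.get("Logon Type") == "3"
                and host and ev.get("Domain", "").lower() == host.lower()):
            hits[(ev.get("User Name"), host, ev.get("Source Network Address"))] += 1
    return hits
```

Each key in the result is an (account, workstation, source address) triple; the account names it lists are the ones to compare against local accounts on that workstation.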
