Channel: Active Directory & GPO

Can't find cause of user being locked out


I have one particular user whose account gets locked about every other day, without fail. 90% of the time, this is due to someone's iPhone trying to connect to our wireless with their old password (after a password change). We've eliminated that. The problem with this particular user is that I cannot find ANY entries in the netlogon log that indicate the problem. I can see the 0xC0000234 events in the log that indicate he tried to connect with a locked account. But I don't see any of the standard 0xC000006A events indicating he passed the wrong password. And I NEVER see those for his user. It's really weird.

If I go through the event log of the DC that locked him out, I see in the security log the event 4771:

Kerberos pre-authentication failed.

Account Information:
	Security ID:		\daveb
	Account Name:		daveb

Service Information:
	Service Name:		krbtgt/

Network Information:
	Client Address:		::ffff:10.1.2.7
	Client Port:		50365

Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x12
	Pre-Authentication Type:	0

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

I see that event with both the 0x18 error code indicating a bad password, and then I see it with the 0x12 error code indicating the account is locked. What I don't see is where the credentials originated from.

He swears he is not connecting to the wireless, and I believe him, because that type of bad password would throw a 0xC000006A error in my DC's netlogon log via my wireless NPS server. I get those all the time.

So, what am I missing? Should I enable additional logging on my netlogon log to catch exactly what's happening? I can find the time and the authentication server of his last bad password attempt via the Account Lockout Tools, but I can't find the source or the method of the bad password. Does anyone have any ideas?

Thanks in advance for your help.
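Added example (not part of the original post): a PowerShell script that collects the 4771 events for one account from every domain controller and tallies them by client address and failure code, so the 0x18 (bad password) entries and the 0x12 (locked account) entries line up with the address they arrived from. It assumes the ActiveDirectory module, rights to read the Security log on each DC remotely, and uses the account name from the post as a placeholder.

```powershell
# Added example: enumerate Kerberos pre-authentication failures (4771) for one
# account on every DC and group them by client address and failure code.
# Assumptions: $User is the sAMAccountName under investigation (placeholder
# taken from the post), $Hours is the look-back window, ActiveDirectory module
# is available, and the caller may read the Security log on each DC.
param(
    [string]$User  = 'daveb',
    [int]   $Hours = 48
)

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4771
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # "No events found" and unreachable DCs both land here; report and continue.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the XML instead of parsing message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $User) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        DC          = $e.MachineName
        Client      = ($d.IpAddress -replace '^::ffff:', '')   # drop IPv4-mapped prefix
        Port        = $d.IpPort
        FailureCode = $d.Status          # 0x18 = bad password, 0x12 = locked/disabled/expired
        PreAuthType = $d.PreAuthType
    }
}

# One line per (client, failure code): count, first/last seen, and which DCs saw it.
$rows | Group-Object Client, FailureCode | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Client      = $sorted[-1].Client
        FailureCode = $sorted[-1].FailureCode
        Count       = $_.Count
        FirstSeen   = $sorted[0].Time
        LastSeen    = $sorted[-1].Time
        DCs         = ($_.Group.DC | Sort-Object -Unique) -join ','
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

The Client column is the address that presented the bad password; resolving it (DNS, DHCP lease, or NPS accounting) identifies the device rather than the user.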
