Microsoft KB Archive/264678

= Increased account lockout frequency in a Windows 2000 domain =

Article ID: 264678

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q264678



SYMPTOMS
In a domain that contains Microsoft Windows 2000-based domain controllers and Windows 2000-based servers or clients, users may experience account lockouts with fewer incorrect authentication attempts than the domain's Account Lockout policy may indicate. For example, with the domain Account Lockout policy set to allow five incorrect password attempts, users' accounts may be locked out after only three attempts with invalid credentials.

The Netlogon.log file on the primary domain controller shows only two 0xC000006A events for the user before the user is locked out:

05/26 12:25:47 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Entered

05/26 12:25:47 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Returns 0xC000006A

05/26 12:26:34 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Entered

05/26 12:26:34 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Returns 0xC000006A

05/26 12:26:54 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Entered

05/26 12:26:55 [LOGON] SamLogon: Network logon of \user1 from MYSERVER1 Returns 0xC0000234



CAUSE
When the client tries to authenticate the user with a resource, Windows 2000 first uses the Kerberos authentication method. If the Kerberos attempt does not succeed, the client then tries the Windows NT challenge/response (NTLM) authentication protocol. Each of these methods presents the user's credentials for authentication purposes. Therefore, if a user specifies an incorrect password, the user's account is &quot;charged&quot; twice for one authentication attempt.

Netlogon logging tracks only NTLM authentication attempts. To track invalid Kerberos logon attempts, you must use Kerberos logging.



RESOLUTION
To resolve this problem, install the latest Windows 2000 service pack. For additional information about how to obtain the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 4 (SP4).



MORE INFORMATION
For additional information about service packs and hotfixes that are available to resolve account-lockout issues in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

817701 Service packs and hotfixes that are available to resolve account lockout issues

For additional information about Netlogon logging, click the following article number to view the article in the Microsoft Knowledge Base:

189541 Using the checked Netlogon.dll to track account lockouts

For additional information about Kerberos event logging, click the following article number to view the article in the Microsoft Knowledge Base:

262177 How to enable Kerberos event logging

For additional information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:

109626 Enabling debug logging for the Netlogon Service

Keywords: kbenv kbnetwork kbprb KB264678

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.