Hi Folks,
What with almost everyone using a smartphone, tablet, home PC, DirectAccess, RDP, etc., we are generating many more bad logons and account lockouts these days than a few years ago. These are frustrating because they can also be extremely difficult to track down; one of the chief troubleshooting tools, the 'Caller Computer Name' field in event ID 4740, the 'Source Workstation' field in event ID 4776, or the 'Client Address' field in event ID 4771, is often blank, leaving no clue as to which device the bad logons might be emanating from.
The two most common bad logon Event IDs that I see are 4771 - Kerberos pre-authentication failed, and 4776 - The computer attempted to validate the credentials for an account. Despite a fair amount of research, I'm unable to determine the practical difference between these two events, i.e. under what circumstances one might be generated rather than the other. If I had this information, it might be easier to suspect one particular type of device rather than another.
Can anyone offer a practical overview of the mechanics of authentication with different types of devices? For example, what is the process by which an Android smartphone/iPhone/iPad with an ActiveSync mail account will attempt to authenticate to retrieve mail? Does it use Kerberos or NTLM? What Event IDs are likely to be generated by this type of failure?
How about a Windows workstation? How about home computers using VPN to connect? Any enlightenment?
Please don't offer advice on how to troubleshoot account lockouts. I must have read every thread on this in existence, and tried all of Microsoft's antiquated and inadequate tools. I'm just interested in a description of the basic mechanics of authentication for various types of devices and what scenarios are likely to cause which types of audit failures.
Thanks very much for any help!
ianc
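Added example, not part of the original post or of any Microsoft tool: a small correlator over the three event IDs the question names. It reads 4771 (Kerberos pre-authentication, the source device is in 'Client Address'), 4776 (NTLM credential validation, source in 'Source Workstation') and 4740 (lockout, source in 'Caller Computer Name'), tallies wrong-password failures per account by protocol, records which source devices were named, and counts how many failures arrived with the source field blank, which is exactly the case that leaves nothing to chase. The event records, account names, hostnames and IP addresses are constructed sample data in a simplified "key=value; ..." form, not real exported events; the result codes (Kerberos 0x18, NTLM 0xC000006A) are the documented wrong-password codes.

```python
"""Correlate DC bad-logon audits (4771, 4776) with the resulting lockout (4740)
and attribute each failure to the device field each event carries.

Added example for illustration; sample events below are constructed."""
from collections import Counter

# Event ID -> (authentication protocol it reflects, message field naming the
# device the request came from).  4771 is Kerberos AS-REQ pre-auth failure at
# the KDC; 4776 is NTLM credential validation; 4740 is the lockout itself.
EVENT_INFO = {
    4771: ("Kerberos", "Client Address"),
    4776: ("NTLM", "Source Workstation"),
    4740: ("Lockout", "Caller Computer Name"),
}

# Result codes meaning "wrong password": Kerberos KDC_ERR_PREAUTH_FAILED (0x18)
# and NTLM STATUS_WRONG_PASSWORD (0xC000006A).  Other codes (e.g. 0x12 client
# revoked, 0xC0000234 account locked) happen after the lockout and are tallied
# separately so they do not inflate the bad-password picture.
WRONG_PASSWORD = {4771: "0x18", 4776: "0xC000006A"}

# Constructed sample records (not real log exports): one event per line.
SAMPLE_EVENTS = [
    "EventID=4771; Account Name=jdoe; Client Address=::ffff:10.0.0.25; Failure Code=0x18",
    "EventID=4771; Account Name=jdoe; Client Address=::ffff:10.0.0.25; Failure Code=0x18",
    "EventID=4776; Account Name=jdoe; Source Workstation=; Error Code=0xC000006A",
    "EventID=4776; Account Name=jdoe; Source Workstation=; Error Code=0xC000006A",
    "EventID=4776; Account Name=jdoe; Source Workstation=LAPTOP-07; Error Code=0xC000006A",
    "EventID=4740; Account Name=jdoe; Caller Computer Name=",
    "EventID=4771; Account Name=jdoe; Client Address=::ffff:10.0.0.25; Failure Code=0x12",
    "EventID=4776; Account Name=svc_backup; Source Workstation=SRV-FILE01; Error Code=0xC000006A",
]


def parse_event(line):
    """Split a 'key=value; key=value' record into a dict; EventID becomes int."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    fields["EventID"] = int(fields["EventID"])
    return fields


def _new_account():
    return {"failures": Counter(), "other_codes": Counter(), "sources": set(),
            "blank_source": 0, "locked_out": False, "lockout_caller": None}


def correlate(lines):
    """Return {account: summary} attributing each failure to protocol and device."""
    summary = {}
    for line in lines:
        ev = parse_event(line)
        eid = ev["EventID"]
        if eid not in EVENT_INFO:
            continue                      # not one of the events we model
        proto, source_field = EVENT_INFO[eid]
        acct = summary.setdefault(ev["Account Name"], _new_account())
        source = ev.get(source_field, "")
        if eid == 4740:
            acct["locked_out"] = True
            acct["lockout_caller"] = source or None   # None == blank caller field
            continue
        code = ev.get("Failure Code") or ev.get("Error Code") or "?"
        if code != WRONG_PASSWORD[eid]:
            acct["other_codes"][f"{proto}:{code}"] += 1
            continue
        acct["failures"][proto] += 1
        if source:
            acct["sources"].add(source)   # a device we can actually go and look at
        else:
            acct["blank_source"] += 1     # the unattributable case from the post
    return summary


def report(summary):
    """One human-readable line per account."""
    lines = []
    for name, a in sorted(summary.items()):
        lines.append(
            f"{name}: Kerberos={a['failures']['Kerberos']} NTLM={a['failures']['NTLM']} "
            f"blank_source={a['blank_source']} sources={sorted(a['sources'])} "
            f"locked_out={a['locked_out']} caller={a['lockout_caller']!r} "
            f"other={dict(a['other_codes'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_EVENTS))))
```

Reading the summary for the constructed account: two Kerberos failures name a device, three NTLM failures split into one attributable and two with 'Source Workstation' blank, the 4740 arrives with 'Caller Computer Name' blank, and the 0x12 that follows the lockout is kept apart so it does not look like a fourth bad password.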