Hello--
One of my admins account is constantly being locked out...we use Splunk for log management and the locked is happening because of something happening on one of our Windows 2008 R2 servers. We have checked all the services on this server to make sure this account is not being used to run a service and/or scheduled task, etc. We have also tried this, but, the user account locking out is not listed: http://social.technet.microsoft.com/Forums/windows/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity
and have rebooted the server.
Here is an example of the logs, and not sure where to go from here...any help is appreciated...thx!!
LogName=Security
SourceName=MicrosoftWindowssecurityauditing.
EventCode=4771
EventType=0
Type=Information
ComputerName=xxx.xxx.com
TaskCategory=KerberosAuthenticationService
OpCode=Info
RecordNumber=3951186264
Keywords=AuditFailure
Message=Kerberospre-authenticationfailed.
AccountInformation:
SecurityID: "Domain"/xxx
AccountName: xxx
ServiceInformation:
ServiceName:krbtgt/"Domain"
NetworkInformation:
ClientAddress:::ffff:10.x.x.x
ClientPort:62953
AdditionalInformation:
TicketOptions:0x40810010
FailureCode:0x12
Pre-AuthenticationType:2
CertificateInformation:
CertificateIssuerName:
CertificateSerialNumber:
CertificateThumbprint: