Increased account lockout frequency in a Windows 2000 domain (264678)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q264678

SYMPTOMS

In a domain that contains Microsoft Windows 2000-based domain controllers and Windows 2000-based servers or clients, users may experience account lockouts with fewer incorrect authentication attempts than the domain's Account Lockout policy may indicate. For example, with the domain Account Lockout policy set to allow five incorrect password attempts, users' accounts may be locked out after only three attempts with invalid credentials.

The Netlogon.log file on the primary domain controller shows only two 0xC000006A events for the user before the user is locked out:

05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A
05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A
05/26 12:26:54 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:26:55 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC0000234

CAUSE

When the client tries to authenticate the user with a resource, Windows 2000 first uses the Kerberos authentication method. If the Kerberos attempt does not succeed, the client then tries the Windows NT challenge/response (NTLM) authentication protocol. Each of these methods presents the user's credentials for authentication purposes. Therefore, if a user specifies an incorrect password, the user's account is "charged" twice for one authentication attempt.

Netlogon logging tracks only NTLM authentication attempts. To track invalid Kerberos logon attempts, you must use Kerberos logging.

RESOLUTION

To resolve this problem, install the latest Windows 2000 service pack. For additional information about how to obtain the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 4 (SP4).

MORE INFORMATION

For additional information about service packs and hotfixes that are available to resolve account-lockout issues in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

817701 Service packs and hotfixes that are available to resolve account lockout issues

For additional information about Netlogon logging, click the following article number to view the article in the Microsoft Knowledge Base:

189541 Using the checked Netlogon.dll to track account lockouts

For additional information about Kerberos event logging, click the following article number to view the article in the Microsoft Knowledge Base:

262177 How to enable Kerberos event logging

For additional information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:

109626 Enabling debug logging for the Netlogon Service

Modification Type:MinorLast Reviewed:3/10/2004
Keywords:kbenv kbnetwork kbprb KB264678
©2004 Microsoft Corporation. All rights reserved.