Unexpected Account Lockouts Caused When Logging On to Outlook from an Untrusted Domain (276541)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 98
  • Microsoft Windows NT Server 4.0
This article was previously published under Q276541

SYMPTOMS

When you log on to Outlook from an untrusted domain or workgroup, the Outlook client may lock out a domain account with the same name as the currently logged-on user. This occurs if the domain password policy is set to three or fewer bad attempts.

If the current name matches a domain user name, but is not the same name that is used to access a Microsoft Exchange server's domain, the account is locked out when the password policy is set to allow twelve bad password attempts.

CAUSE

When you log on to Exchange from an untrusted domain, the Outlook client sends the currently logged-on credentials to the Exchange server. The client continues to send the current credentials even if other domain credentials are entered into the domain logon box that Outlook presents to the user. The client sends the local credentials up to twelve times.

RESOLUTION

Use these steps to resolve this problem:
  1. Configure the client's operating system to log on to the Exchange server's domain or to a trusted domain.
  2. Change the Outlook authentication method to "None". (This is not an available option if you are using the Directory Service client for Windows 9x.)For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    267879 Directory Service Client Prevents Outlook 2000 from Using 'None' Authentication to Log On

  3. Disable the account lockout policy, or make the bad password policy less restrictive, which can reduce these occurrences. Refer to Help for your operating system for instructions on how to join or log on to a domain.

MORE INFORMATION

When you are logging on to Outlook from an untrusted domain or workgroup, Outlook sends the local credentials up to three times in the course of logging on to the Exchange server. The local credentials are not valid on the Exchange server, and the users receives a domain logon box. In most cases, the user can enter the correct domain credentials, and then access their mailbox. If there is an account in the domain that matches the local credentials, the account may be locked out if the bad password policy is set to three, or fewer bad attempts.

The count of bad password attempts is reset to zero when the user successfully logs on. If the entered credentials are valid, and the password policy is set to higher than three, the user may never experience a problem. However, if the local credentials match a different user in the domain, and the account that is used to access Exchange is not the same name as the local credentials, the other domain account will have its bad password count incremented by three. Because there is no successful logon attempt of the second domain account at that time, the bad password count is not reset to zero. The result could be that the account is locked out at the time during which the domain user logs on.

Example

User "Bob" logs on to his computer that is running either Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition. His computer is not configured to log on to the domain. His domain account is named "Robert." He starts Outlook, and then enters his "Robert" credentials. There is a domain account named "Bob" in the domain. At this time, the password count for the domain user "Bob" increments by three. If the password policy is set to three, the domain account is locked out before the domain user "Bob" ever tries to log on.

Sample Scenario

Here is a sample Netlogon.log file that shows the sequence of events that can lead to an account lockout when you enter the correct credentials:

A user starts Outlook, and the current credentials are passed.

10/17 09:35:56 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:35:56 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A

This fails, the bad password count is incremented by one, and then Outlook presents the logon box.

10/17 09:36:11 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Entered
10/17 09:36:11 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Returns 0x0

The correct credentials are entered, the user successfully logs on, and the bad password count is reset to zero. The local credentials are then sent three more times; the bad password count is now at three.

10/17 09:36:12 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:12 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A

10/17 09:36:13 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:13 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A
10/17 09:36:15 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:15 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A

The correct credentials are then sent two more times, and the bad password count is reset to zero.

10/17 09:36:16 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Entered
10/17 09:36:16 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Returns 0x0
10/17 09:36:18 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Entered
10/17 09:36:18 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Returns 0x0

The bad credentials are entered two more times, and thus the bad password count is at two.

10/17 09:36:20 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:20 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A
10/17 09:36:23 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:23 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A

The good credentials are then entered two more times, and the bad password count is at zero.

10/17 09:36:26 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Entered
10/17 09:36:26 [LOGON] SamLogon: Network logon of mydomain\gregcamp from GREGCAMP98 Returns 0x0

The bad credentials are entered two more times, and the bad password count is at two.

10/17 09:36:28 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:28 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A
10/17 09:36:31 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Entered
10/17 09:36:31 [LOGON] SamLogon: Network logon of 9XWORKGROUP\GREGCAMP from GREGCAMP98 Returns 0xC000006A

Then the good credentials are entered two more times, which resets the bad password count to zero.

10/17 09:36:34 [LOGON] SamLogon: Network logon of unknown\gregcamp from GREGCAMP98 Entered
10/17 09:36:34 [LOGON] SamLogon: Network logon of unknown\gregcamp from GREGCAMP98 Returns 0x0

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

189541 Using the Checked Netlogon.dll to Track Account Lockouts

Modification Type:MinorLast Reviewed:1/18/2006
Keywords:kbenv kbprb KB276541
©2004 Microsoft Corporation. All rights reserved.