

Account lockouts happening on disconnected RDP sessions

Question

Thursday, January 7, 2016 1:03 AM

I've found that here at work, 90% of the time a user reports that their account is continually locking out, I find that they have a disconnected RDP session on some server on the network, which has been disconnected for, say, 168 days (that was the most recent user). I asked this user to log into their disconnected session on this particular server and when he did, there was nothing open, no mapped drives, nada. The user then logged out of the server and his account was OK going forward.

My question is thus, why would his account be continually locking out when the RDP session is in a disconnected (inactive?) state?

Here's the event which was triggered at the same time:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/01/2016 11:03:49 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyADServer.MyDomain.com
Description:
Kerberos pre-authentication failed.

Account Information:
    Security ID:        MyDomain\LockedOutUserName
    Account Name:        LockedOutUserName

Service Information:
    Service Name:        krbtgt/MyDomain.com

Network Information:
    Client Address:        ::ffff:IP_Of_Server_With_RDP_Session
    Client Port:        53106

Additional Information:
    Ticket Options:        0x40810010
    Failure Code:        0x18
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:     
    Certificate Thumbprint:        

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-07T00:03:49.744907900Z" />
    <EventRecordID>391583405</EventRecordID>
    <Correlation />
    <Execution ProcessID="532" ThreadID="856" />
    <Channel>Security</Channel>
    <Computer>MyADServer.MyDomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">LockedOutUserName</Data>
    <Data Name="TargetSid">S-1-5-21-1469019637-268265805-317593308-189172</Data>
    <Data Name="ServiceName">krbtgt/MyDomain.com</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:IP_Of_Server_With_RDP_Session</Data>
    <Data Name="IpPort">53106</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

On the server with the disconnected RDP session, I can see the following events:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          7/01/2016 11:03:52 AM
Event ID:      1006
Task Category: None
Level:         Error
Keywords:      
User:          MyDomain\LockedOutUserName
Computer:      Server_With_RDP_Session.MyDomain.com
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-07T00:03:52.097167800Z" />
    <EventRecordID>138881</EventRecordID>
    <Correlation ActivityID="{C2BA876F-BC40-496F-9E81-634723E5ECD8}" />
    <Execution ProcessID="184" ThreadID="5688" />
    <Channel>System</Channel>
    <Computer>Server_With_RDP_Session.MyDomain.com</Computer>
    <Security UserID="S-1-5-21-1469019637-268265805-317593308-189172" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">5012</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">2340</Data>
    <Data Name="ErrorCode">49</Data>
    <Data Name="ErrorDescription">Invalid Credentials</Data>
    <Data Name="DCName">
    </Data>
  </EventData>
</Event>

-- JDMils
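The event quoted above is the trail to follow: each 4771 with Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED, i.e. a wrong password in the pre-authentication timestamp) carries the Client Address of whatever host sent the bad AS-REQ, and that host is where the stale session lives. The script below is an added example, not part of the original post or Microsoft's tooling; it runs on the domain controller that logged the 4771 (or on each DC in turn, since 4771 is written on the DC that received the request, not necessarily the PDC emulator), and assumes a $User (the locked-out sAMAccountName) and $Hours (lookback window) that are script parameters, not anything from the thread.

```powershell
# Added example: map 4771 / Status 0x18 events for a locked-out account to
# the hosts that are sending them. Assumed parameters: $User, $Hours.
param(
    [Parameter(Mandatory)][string]$User,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named EventData fields from the event XML (the same
    # <Data Name="..."> elements shown in the post) instead of parsing the
    # localised message text.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $data['TargetUserName']
        Status    = $data['Status']                                  # 0x18 = wrong password
        PreAuth   = $data['PreAuthType']                             # 2 = PA-ENC-TIMESTAMP
        IpAddress = ($data['IpAddress'] -replace '^::ffff:', '')     # strip IPv4-mapped prefix
        Port      = $data['IpPort']
    }
} | Where-Object { $_.User -eq $User -and $_.Status -eq '0x18' }

# Repeated 0x18 from one address is a host retrying with cached, outdated
# credentials; that is the machine to check for a disconnected session.
$hits |
    Group-Object IpAddress |
    Sort-Object Count -Descending |
    ForEach-Object {
        $name = '(no PTR record)'
        try { $name = [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { }
        [pscustomobject]@{
            Source   = $_.Name
            HostName = $name
            Failures = $_.Count
            First    = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Last     = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Format-Table -AutoSize
```

Run it as `.\Find-PreauthSources.ps1 -User LockedOutUserName -Hours 48` (the file name is an assumption). If the failures come from the DC's own address rather than a member server, look at the Client Port and the surrounding 4776/4625 events instead; that pattern usually means NTLM pass-through from a device that is not a Windows host holding an RDP session.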

All replies (4)

Friday, January 8, 2016 6:49 AM ✅Answered

Hi,

My question is thus, why would his account be continually locking out when the RDP session is in a disconnected (inactive?) state?

As far as I know, even though the RDP session is disconnected by the user, the remote system still maintains a logon session for this user, and during this logon session there might be a running process that accesses network resources with outdated authentication information.

To avoid such issues in the future, you may configure the Session Time Limits group policy settings to end disconnected/idle RDP sessions; the settings are under

User Configuration or Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.

More information for you:

Troubleshooting Account Lockout

https://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Session Time Limits

https://technet.microsoft.com/en-us/library/ee791886%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Best Regards,

Amy

Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
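For anyone who wants to see what the Session Time Limits policy actually changes on a box, the following is an added example (not from the thread or from Microsoft's documentation) that writes the machine-policy registry values those Group Policy settings set, applied locally on one server. In a domain you would set the same policies through the GPO path Amy gives; the script only shows the default (no limit) state beside a corrected one. The one-hour and four-hour values are assumptions chosen for illustration, not recommendations from the thread.

```powershell
# Added example: local equivalent of the "Session Time Limits" policies under
# Computer Configuration\...\Remote Desktop Session Host\Session Time Limits.
# Run elevated. Values are DWORDs in milliseconds, written to the Policies key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Default (weak) state: MaxDisconnectionTime and MaxIdleTime absent or 0, so a
# disconnected session, and every process and token inside it, survives until
# the server reboots or someone logs it off.
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object MaxDisconnectionTime, MaxIdleTime, fResetBroken

# Corrected state (assumed values): log off a disconnected session after one
# hour, log off an idle session after four, and actually end the session
# rather than just disconnecting it again when the limit is hit.
$settings = @{
    MaxDisconnectionTime = 1 * 60 * 60 * 1000   # "Set time limit for disconnected sessions"
    MaxIdleTime          = 4 * 60 * 60 * 1000   # "Set time limit for active but idle RDS sessions"
    fResetBroken         = 1                    # "End session when time limits are reached"
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Confirm what is now in effect.
Get-ItemProperty -Path $key | Select-Object MaxDisconnectionTime, MaxIdleTime, fResetBroken
```

The trade-off is the obvious one: once `fResetBroken` is set, whatever the user left running in that session is killed at the limit, so anyone who relies on disconnecting to keep a long job alive needs to know before it is rolled out.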


Monday, February 1, 2016 9:27 PM ✅Answered | 1 vote

I'm not sure if this makes a difference, but here at work we have web developers who simply RDP to servers in order to fix web site issues, and it is these RDP sessions which are causing issues because the users are not logging out correctly. So the problem is not related to terminal/RDS servers.

-- JDMils


Tuesday, January 12, 2016 11:30 AM

Thanks Amy. I will bring up the Session Time Limits with my manager as a possible fix, but I'd really like to understand why the accounts are locking on disconnected sessions. Is there any way to find this info out?

-- JDMils


Wednesday, January 13, 2016 3:00 AM

Hi,

On the RD Session Host server which hosts the remote desktop session, under Task Manager -> Users, you can view all processes that are running within the remote desktop user's session.

Best Regards,

Amy

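The Task Manager -> Users view Amy describes, and the lingering logon session from her first reply, can also be inspected from a script on the server that the 4771 events point at. This is an added example, not code from the thread; it assumes it is run elevated on that server (so `Get-Process -IncludeUserName` can see other users' processes, which needs PowerShell 4 or later), that $User is the locked-out sAMAccountName, and that the `quser` column layout is the usual fixed-width one shown in the comment.

```powershell
# Added example: list disconnected RDP sessions for a user, show what is still
# running inside them, and optionally log the session off. Assumed params:
# $User (account name) and -Logoff (actually end the session).
param(
    [Parameter(Mandatory)][string]$User,
    [switch]$Logoff
)

# quser prints fixed-width text such as (constructed sample):
#  USERNAME   SESSIONNAME   ID  STATE  IDLE TIME   LOGON TIME
# >admin      rdp-tcp#0      1  Active         .   1/7/2016 9:00 AM
#  jdoe                      2  Disc   168+02:10   7/23/2015 9:52 AM
# A disconnected session has an empty SESSIONNAME column, so it splits into
# five fields instead of six; STATE is 'Disc' either way.
$sessions = quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $cols = (($_ -replace '^>', ' ').Trim()) -split '\s{2,}' | Where-Object { $_ -ne '' }
    if ($cols.Count -eq 5) {
        [pscustomobject]@{ User = $cols[0]; Session = ''; Id = [int]$cols[1]; State = $cols[2]; Idle = $cols[3]; Logon = $cols[4] }
    } elseif ($cols.Count -ge 6) {
        [pscustomobject]@{ User = $cols[0]; Session = $cols[1]; Id = [int]$cols[2]; State = $cols[3]; Idle = $cols[4]; Logon = $cols[5] }
    }
}

$stale = $sessions | Where-Object { $_.State -eq 'Disc' -and $_.User -ieq $User }
if (-not $stale) {
    Write-Host "No disconnected session for $User on $env:COMPUTERNAME"
    return
}

foreach ($s in $stale) {
    Write-Host "Disconnected session $($s.Id) for $($s.User): idle $($s.Idle), logged on $($s.Logon)"

    # Everything below still runs under the token created at logon time. Any
    # process here that reaches a domain resource after the password changed
    # will keep retrying with the old credentials, which is what shows up as
    # 4771 / 0x18 on the DC and Group Policy 1006 "Invalid Credentials" here.
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $s.Id } |
        Select-Object Id, ProcessName, UserName, StartTime |
        Format-Table -AutoSize

    if ($Logoff) {
        logoff $s.Id          # ends the logon session, and with it the stale token
        Write-Host "Logged off session $($s.Id)"
    }
}
```

Run it first without `-Logoff` to see what the session is holding (a stuck `gpupdate`, an Explorer window with a UNC path, a service console, and so on), then with `-Logoff` once you are satisfied nothing in it needs saving. If the process list is empty, the Group Policy refresh itself is a likely candidate: it runs inside the user's session on its own schedule and binds to a DC with the user's cached credentials, which matches the 1006 event in the original question.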