Kerberos pre-authentication failed

Hi,

I have a customer who has the below issue:

After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:

Also the below email alert from ADManager:

                    
   

Alert Message: Login failure for User 'Administrator' in server.domain.local'. Reason: 'Bad password'.
Severity: Attention

Event Details

Domain: krbtgt/domain.LOCAL
Event Code: 16
SID: %{S-1-5-21-428199501-1217283236-4064894256-500}
Client Host Name: Server.domain.local
Event Type: Failure
Remarks: Kerberos pre-authentication failed.
Logon Service: krbtgt/ domain.LOCAL
Domain Controller: DC.domain.local
User Name: Administrator
Client IP Address: IP
Failure Code: 0x18
Logon Time: Apr 09,2015 11:42 AM
Failure Reason: Bad password
Record number: 2197037173
Event Number: 4771

They already changed the password for the service accounts running under that admin account to the new password. There are no issues in the domain other than this; users can log in and services are fine. However, the account lockout policy is disabled, and if it is enabled I think they will have a huge issue due to this Kerberos authentication failure.

Please help!

April 9th, 2015 12:37pm

Hi, your question is a bit confused. But if you say you tried changing the password for the service account using your administrator password.

Please right-click on the service account, go to the accounts tab, and see whether the "password never expires" and "user cannot change password" options are checked. Also, the event pasted above shows the failure code as 0X18, which means bad password. Try checking the above options and revert back.

April 9th, 2015 12:54pm

Hi, the password is already set to never expire in AD.

Also, it is not only for the administrator account; I can also see this in the security log:

security id: domain\computeraccount$

Account Name: computeraccount

April 9th, 2015 1:40pm

Hi,

Can you tell me how long you have been getting these events? Also, how many DCs do you have in your environment?

April 9th, 2015 1:47pm

The 2 events you posted have different error codes.

Check the time of the computer failing pre-auth with the time on the DC holding PDC role



  • Edited by aperelli Thursday, April 09, 2015 2:23 PM
April 9th, 2015 1:52pm

Since yesterday (the time of changing the admin password). There are 6 DCs.
April 9th, 2015 1:59pm

The time is synced between all servers and DCs.

For clients, most of the clients are synced with the DC. I will check the time of the computer failing pre-auth against the time on the DC holding the PDC role and revert back, but most likely they are synced.

April 9th, 2015 2:00pm

I'm saying this because 0x25 means Clock skew too great

REF: https://www.ietf.org/rfc/rfc4120.txt


  • Edited by aperelli Thursday, April 09, 2015 2:08 PM
April 9th, 2015 2:08pm

I will check time on that client machine but what about error code 0x18?
April 9th, 2015 2:17pm

Hi,

That can be investigated once the time sync issue is confirmed?

April 9th, 2015 2:20pm

KDC_ERR_PREAUTH_FAILED                24  Pre-authentication information was invalid

Could be "bad password" but also a bad timestamp which is included in the pre-authentication

April 9th, 2015 2:22pm

What if you switch off the source computer that is reported in the event? If the event disappears then something should be running on this computer with the old credentials and you need to identify what it is: It could be a service, scheduled task, application ...

For time sync, I would recommend to refer to what I shared here for the configuration: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx

April 9th, 2015 9:32pm
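Added example (not posted by anyone in this thread): one way to find which source computers are still presenting old credentials is to tally 4771 events per account, client address and failure code. The function names, the sample accounts and the 192.0.2.x addresses are constructed for illustration; the field names are those of the 4771 event XML.

```powershell
# Failure codes discussed in this thread (RFC 4120 error codes in hex).
$StatusText = @{
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password or bad timestamp)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

# Hypothetical helper: turn one 4771 event (XML text) into a flat object.
function ConvertFrom-Event4771 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            User   = $data['TargetUserName']
            # DCs usually log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
            Source = ([string]$data['IpAddress']) -replace '^::ffff:', ''
            Status = ([string]$data['Status']).ToLower()
        }
    }
}

# Hypothetical helper: count failures per account / source / failure code.
function Get-PreAuthFailureSummary {
    param([string[]]$EventXml)
    $EventXml | ConvertFrom-Event4771 |
        Group-Object User, Source, Status |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count = $_.Count; User = $first.User; Source = $first.Source
                Status = $first.Status; Meaning = $StatusText[$first.Status]
            }
        }
}

# Constructed sample events so the example runs without a domain controller.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4771</EventID></System>
<EventData><Data Name="TargetUserName">{0}</Data><Data Name="ServiceName">krbtgt/domain.LOCAL</Data>
<Data Name="Status">{1}</Data><Data Name="IpAddress">{2}</Data></EventData></Event>
'@
$sample = @(
    $template -f 'Administrator', '0x18', '::ffff:192.0.2.10'
    $template -f 'Administrator', '0x18', '::ffff:192.0.2.10'
    $template -f 'Administrator', '0x18', '::ffff:192.0.2.25'
    $template -f 'computeraccount$', '0x25', '::ffff:192.0.2.40'
)
Get-PreAuthFailureSummary -EventXml $sample | Format-Table -AutoSize

# Against a live DC, feed real events instead of $sample:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 5000 | ForEach-Object { $_.ToXml() }
```

The source address with the highest count for a given account is the first machine to check for services, scheduled tasks or applications still using the old password; rows with 0x25 point at a clock problem on that source instead.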

I will try that, but why are these logs being logged after changing the administrator password? Before that there were no related logs. Also, the source computer that is reported in the event is not limited to client machines, but also domain controllers?

April 11th, 2015 3:31am

Hi,

Did you confirm the time sync issue?

The error code 0x25 means the workstation's clock is too far out of sync with the DCs, so I suggest you first check the time sync of the computer failing pre-auth with the DC.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771

Similar threads have been discussed:

https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout

Regards.

April 16th, 2015 11:17pm

Hi,

Any update about the issue?

Regards.

April 22nd, 2015 2:28am

This topic is archived. No further replies will be accepted.
