Check out - http://support.microsoft.com/default.aspx?scid=kb;EN-US;q264678 although I don't see the actual fix. CAUSE When the client attempts to authenticate the user with a resource, Windows 2000 first uses the Kerberos authentication method. If the Kerberos attempt does not succeed, the client then tries the Windows NT challenge/response (NTLM) authentication protocol. Each of these methods presents the user's credentials for authentication purposes. Therefore, if a user specifies an incorrect password, the user's account is "charged" twice for one authentication attempt.
Netlogon logging tracks only NTLM authentication attempts. To track invalid Kerberos logon attempts, you must use Kerberos logging. STATUS Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article. ----- Original Message ----- From: "Linda Schlenker" <[EMAIL PROTECTED]> To: "NT 2000 Discussions" <[EMAIL PROTECTED]> Sent: Wednesday, January 02, 2002 1:48 PM Subject: RE: Mysterious account locking > something that is happening to us with Win2k is that there is a Kerberos > authentication attempted "under the covers" that we aren't using yet. This > takes 1 of the password attempts - the best that we can figure. So if > someone mistypes their passwords twice in a row - they fail before finishing > 3 attempt (our password limit is 5). > > > -----Original Message----- > From: Huot, Denyse [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 02, 2002 2:29 PM > To: NT 2000 Discussions > Subject: RE: Mysterious account locking > > > We had a similar problem here and that was because the users would save > their network passwords when they wanted to use any type of application > which required them to login. An example would be ftp; the user would have > to login to the proxy and then login to the ftp site with which they wanted > to go to. Because users don't like remembering passwords, they would save > their network login/pw so it would automagically login for them. So once > their network password would expire, their accounts kept getting locked out, > and ftp wasn't working anymore for them. > But the account locking didn't happen as soon as they changed their password > and tried to login, but it usually happened the same day they changed it. > > Hope this helps. > > Denyse > > > -----Original Message----- > From: Bruce Fyfe [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 02, 2002 2:42 PM > To: NT 2000 Discussions > Subject: Mysterious account locking > > After a user changes their password in a Win2K AD domain the acount gets > locked when they try to log on with the new password. At first I though > this was user error but it is happening every time. To correct it I > have to disable then re-enable the account. Currently I have one domain > controller. Any ideas? > > Bruce > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
