Windows account lockout error code (Netlogon, EventID, Kerberos)

Here are some tables of authentication error codes for quickly understanding what’s happening.

| NETLOGON LOG ERROR CODE | DESCRIPTION |
|---|---|
| 0x0 | Successful login |
| 0xC0000064 | The specified user does not exist |
| 0xC000006A | The value provided as the current password is not correct |
| 0xC000006C | Password policy not met |
| 0xC000006D | The attempted logon is invalid due to a bad user name |
| 0xC000006E | User account restriction has prevented successful login |
| 0xC000006F | The user account has time restrictions and may not be logged onto at this time |
| 0xC0000070 | The user is restricted and may not log on from the source workstation |
| 0xC0000071 | The user account’s password has expired |
| 0xC0000072 | The user account is currently disabled |
| 0xC000009A | Insufficient system resources |
| 0xC0000193 | The user’s account has expired |
| 0xC0000224 | User must change his password before he logs on the first time |
| 0xC0000234 | The user account has been automatically locked |

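
One way to put the Netlogon codes above to work during lockout triage, as an added example that is not part of the original post: it ranks the source workstations that sent bad passwords (0xC000006A) for an account before its first lockout (0xC0000234). The netlogon.log line layout, the function names and the CONTOSO sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Two status codes from the Netlogon table above.
BAD_PASSWORD = 0xC000006A
LOCKED_OUT = 0xC0000234

# Assumed netlogon.log layout; the [pid] field and "(via ...)" hop are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?\S+: SamLogon: "
    r".*?logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via [^)]+\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse(lines):
    """Yield (timestamp, account, source, status) for completed logon attempts."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # "Entered" lines carry no status code and are skipped
            yield (m["ts"], m["account"].lower(),
                   m["source"] or "(blank)", int(m["status"], 16))

def lockout_sources(lines):
    """Per locked-out account: sources ranked by bad passwords before the lockout."""
    bad = defaultdict(Counter)
    report = {}
    for ts, account, source, status in parse(lines):
        if status == BAD_PASSWORD:
            bad[account][source] += 1
        elif status == LOCKED_OUT and account not in report:
            report[account] = {"locked_at": ts,
                               "sources": bad[account].most_common()}
    return report

# Constructed sample lines (hypothetical domain, hosts and accounts).
SAMPLE = r"""
06/12 09:14:01 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via DC01) Entered
06/12 09:14:01 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN01 (via DC01) Returns 0xC000006A
06/12 09:14:07 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from PHONE-GW (via MAIL01) Returns 0xC000006A
06/12 09:14:09 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from PHONE-GW (via MAIL01) Returns 0xC000006A
06/12 09:14:12 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\JDoe from PHONE-GW (via MAIL01) Returns 0xC000006A
06/12 09:14:15 [LOGON] [4321] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from PHONE-GW (via MAIL01) Returns 0xC0000234
06/12 09:15:00 [LOGON] [4321] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKSTN07 Returns 0x0
""".strip().splitlines()

if __name__ == "__main__":
    for account, info in lockout_sources(SAMPLE).items():
        print(account, info["locked_at"], info["sources"])
```
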

| LOGON EVENT ID | DESCRIPTION |
|---|---|
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time. |
| 531 | Logon failure. A logon attempt was made using a disabled account. |
| 532 | Logon failure. A logon attempt was made using an expired account. |
| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
| 534 | Logon failure. The user attempted to log on with a type that is not allowed. |
| 535 | Logon failure. The password for the specified account has expired. |
| 536 | Logon failure. The Netlogon service is not active. |
| 537 | Logon failure. The logon attempt failed for other reasons. Note: In some cases, the reason for the logon failure may not be known. |
| 538 | The logoff process was completed for a user. |
| 539 | Logon failure. The account was locked out at the time the logon attempt was made. |
| 540 | A user successfully logged on to a network. |
| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
| 542 | A data channel was terminated. |
| 543 | Main mode was terminated. Note: This might occur as a result of the time limit on the security association expiring, policy changes, or peer termination. (The default expiration time for security associations is eight hours.) |
| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
| 547 | A failure occurred during an IKE handshake. |
| 548 | Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client. |
| 549 | Logon failure. All SIDs that correspond to untrusted namespaces were filtered out during an authentication across forests. |
| 550 | A denial-of-service attack may have taken place. |
| 551 | A user initiated the logoff process. |
| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
| 673 | A ticket-granting service (TGS) ticket was granted. |
| 674 | A security principal renewed an AS ticket or TGS ticket. |
| 675 | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. |
| 676 | Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 677 | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 678 | An account was successfully mapped to a domain account. |
| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server. |

| Event ID Field | Comments |
|---|---|
| Event Type, Source, Category, ID, Date, and Time | Self-explanatory |
| User | The user account performing the logon. For example, this might be NT AUTHORITY\SYSTEM, which is the LocalSystem account used to start many Windows 2000 services. |
| Computer | The computer on which the event occurred. |
| Reason | Applies to logon failures only; it’s the reason the account failed to log on. |
| User Name | The name of the user account attempting to log on. |
| Domain | The domain of the user account attempting to log on. |
| Logon Type | A numeric value indicating the type of logon attempted. Possible values are: 2 – Interactive (interactively logged on); 3 – Network (accessed system via network); 4 – Batch (started as a batch job); 5 – Service (a Windows service started by service controller); 6 – Proxy (proxy logon, not used in Windows NT or Windows 2000); 7 – Unlock (unlock workstation); 8 – NetworkCleartext (network logon with cleartext credentials); 9 – NewCredentials (used by RunAs when the /netonly option is used). |
| Logon Process | The process performing the logon. The following are some example logon processes: Advapi (triggered by a call to LogonUser, which calls LsaLogonUser, whose OriginName argument identifies the origin of the logon attempt); User32 (normal Windows 2000 logon using WinLogon); SCMgr (Service Control Manager started a service); KsecDD (network connections to the SMB server, for example when you use a NET USE command); Kerberos (the Kerberos Security Support Provider [SSP]); NtlmSsp (the NTLM SSP); Seclogon (Secondary Logon, that is, the RunAs command); IIS (IIS performed the logon, generated when logging on the IUSR_machinename account or when using Digest or Basic authentication). |
| Authentication Package | The security package called to attempt to log on the account. An authentication package is a dynamic-link library (DLL) that analyzes logon data and determines whether to authenticate an account. Most common examples are Kerberos, Negotiate, NTLM, and MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (also called MSV1_0; authenticates users in the SAM database, supports pass-through authentication to accounts in trusted domains, and supports subauthentication packages). |
| Workstation Name | Workstation name, if known, used by the principal during logon. |

| KERBEROS ERROR NUMBER | KERBEROS ERROR CODE | DESCRIPTION |
|---|---|---|
| 0x3 | KDC_ERR_BAD_PVNO | Requested protocol version number not supported. |
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database. |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database. |
| 0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in database. |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket not eligible for postdating. |
| 0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time. |
| 0xC | KDC_ERR_POLICY | KDC policy rejects request. |
| 0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option. |
| 0xE | KDC_ERR_ETYPE_NOSUPP | KDC has no support for encryption type. |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type. |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for pre-authentication data type. |
| 0x12 | KDC_ERR_CLIENT_REVOKED | Client’s credentials have been revoked. |
| 0x17 | KDC_ERR_KEY_EXPIRED | Password has expired – change password to reset. |
| 0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid. |
| 0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required. |
| 0x1B | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user-to-user only. |
| 0x1C | KDC_ERR_PATH_NOT_ACCEPTED | KDC Policy rejects transited path. |
| 0x1D | KDC_ERR_SVC_UNAVAILABLE | A service is not available. |
| 0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed. |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | Ticket expired. |
| 0x21 | KRB_AP_ERR_TKT_NYV | Ticket not yet valid. |
| 0x22 | KRB_AP_ERR_REPEAT | Request is a replay. |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket isn’t for us. |
| 0x24 | KRB_AP_ERR_BADMATCH | Ticket and authenticator do not match. |
| 0x25 | KRB_AP_ERR_SKEW | Clock skew too great. |
| 0x28 | KRB_AP_ERR_MSG_TYPE | Invalid message type. |
| 0x29 | KRB_AP_ERR_MODIFIED | Message stream modified. |
| 0x34 | KRB_ERR_RESPONSE_TOO_BIG | Response too big for UDP, retry with TCP. |
| 0x3C | KRB_ERR_GENERIC | Generic error (description in e-text). |
| 0x44 | KDC_ERR_WRONG_REALM | User-to-user TGT issued different KDC. |

Reference:
- http://technet.microsoft.com/en-us/library/cc776964%28WS.10%29.aspx
- http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx

Nav Malik
