7 Replies Latest reply: Apr 1, 2014 6:12 AM by dbottino RSS

    Troubleshooting NTLM account lockouts


           I have a hand ful of users that are having their domain accounts locked out pretty frequently.  They swear they didn't save their credentials in anything (of course they didn't) but the lockouts keep coming.  So we ran altools and the bad passwords are coming from the web gateway which means some browser has bad creds cached in it.  The issue I have is I don't know how to trace this any further.

           Failed authentication log messages in MWG always list the user as '-' so that's no use.  What I really need to do is to be able to trace the request to the proxy with the bad credentials back to the IP/MAC/Hostname it came from.  Anyone have any ideas?

        • 1. Re: Troubleshooting NTLM account lockouts

          They are still logon somewhere on another station...  Dig in the log of the DC's

          • 2. Re: Troubleshooting NTLM account lockouts



            in case authentication fails MWG fills the property Authentication.FailureReason.ID. ID "3" is wrong password. I would try setting up an additional log which writes down all failed authentication attempts along with the IP address.




            • 3. Re: Troubleshooting NTLM account lockouts

              That got it.  Took me a minute to figure out how to make my own custom log but the Authentcation.FailureReason.ID seems to have done the trick.  This log now lists the userID correctly as well instead of just having "-" in the field.  Thanks!

              • 4. Re: Troubleshooting NTLM account lockouts

                Hi All,

                can you explain, please, how to set a custom logs that writes down all failed authentication attempts along with the IP address?


                thanks  a lot

                best regards

                • 5. Re: Troubleshooting NTLM account lockouts

                  It is a little involved.  Here is the basic outline, keep in mind it's been a while since I did this so I might miss a step.


                  First you need to create the log file itself. 

                  - Go to policy

                  - Click the settings tab

                  - On the left under 'Engines' find the 'File System Logging' section.

                  - Right click 'File System Logging' and click add.

                       I called mine FailedAuth.log for the file name.  Mostly I took the default settings with the exception of customizing my log rotation a little bit.


                  Now that you've got a log file you need to trigger something to actually write to it.  We do this from the Log Handler section under Rule Sets.  Here I highly reccomend copying another log handler.  The language on the event to write out the log is pretty specific and a little confusing so it's best to borrow where you can from already functioning rules. 


                  - Right click 'Default' at the top and click add, Rule Set.

                  - This is where the magic happens, select your new ruleset.  Click edit on the right hand pane.

                  - Under criteria add that property 'Authentication.FailureReason.ID' equals 3

                  - Once done there find a rule to borrow, i used the one from access denied log.  Click it and use the copy button to make a copy of it.

                  - Click on your ruleset and click paste.

                  - Almost there, now we just need to edit the rule slightly.  Highlight the rule and click edit.

                  - Under step 4 'Events' scroll all the way to the bottom.  There should be an event there for 'FileSystemLogging.WriteLogEntry'.  Double click that.

                  - On the right hand side of that window is a 'Settings' selection.  You should be able to select the new log you created in the first set of steps from here.


                  Make sure everything is enabled and save changes.  You shoulld be good to go.

                  • 6. Re: Troubleshooting NTLM account lockouts
                    Jon Scholten

                    Hi John and others,


                    Here is the ruleset you seek:


                    The attached ruleset is a log ruleset which will allow you to monitor for failed authentication attempts. The resulting log will be created and will be accessible under Troubleshooting > Log Files > badpassword.log.


                    You can import the ruleset under Policy > Rulesets > Log Handler (bottom left), then select the "Default" log handler, click "Add" > Ruleset From library, then "Import from File", and browse for the ruleset uncompressed ruleset xml attached.


                    Bad password log.png




                    • 7. Re: Troubleshooting NTLM account lockouts

                      Hi all,

                      thanks for the answer.