Account on anotherforest locks out same name account in myforest

Discussion in 'Active Directory' started by Marlon Brown, Feb 2, 2006.

  1. Marlon Brown

    Marlon Brown Guest

    I have MyInternalDomain and PerimeterDomain. Win2003SP1 AD on both sides,
    one-way trust PerimeterDomain trusts MyInternalDomain.

    One of the admins created the same SharepointPortal service account on
    MyInternalDomain and PerimeterDomain.
    I mean, there is MyInternalDomain\SharepointAccount and
    PerimeterDomain\SharepointAccount. Note the accounts have identical names,
    but they are in separate forests.

    Somehow, this morning I learned that the MyInternalDomain\SharepointAccount
    got locked out.
    The logs I found on the "MyInternalDomain" Controllers related to
    "SharepointAccount" are the ones pasted below.

    The only explanation I can find for this, is that perhaps someone attempted
    to run a process as "MyInternalDomain\SharepointAccount" instead of
    "PerimeterDomain\Sharepoint" account in the Perimeter domain servers. Then
    it locked out.
    Do you agree this is the explanation, or am I missing something here?

    2/2/2006 9:48:36 AM Security Failure Audit Logon/Logoff 529 NT
    AUTHORITY\SYSTEM MyInternalDCName "Logon Failure:
    Reason: Unknown user name or bad password
    User Name: SHAREPOINTACCOUNT
    Domain: PERIMETERDOMAIN
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: PERIMETER-SERVER
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 172.20.2.35 (this is the IP address of the
    perimeter server).
     
    Marlon Brown, Feb 2, 2006
    #1

  2. Paul Williams [MVP]

    > The only explanation I can find for this, is that perhaps someone
    That is a fair assumption. Install the account lockout tools (free download
    from Microsoft) and check that the bad auth packets are only coming from the
    perimeter server. If they are, check the services and DCOM components on
    that system to make sure that the correct credentials are being used.
     
    Paul Williams [MVP], Feb 3, 2006
    #2

  3. Krishna MR

    Krishna MR Guest

    As per my understanding in your scenario someone has tried to run the process
    as PerimeterDomain\SharePointService instead of
    MyInternalDomain\SharePointService account.
     
    Krishna MR, Feb 3, 2006
    #3
  4. Marlon Brown

    Marlon Brown Guest

    The only part that I can't understand is why, in the event 529 logs I
    pasted below, it appears as "Domain: PERIMETERDOMAIN"?
    I mean, if the account is running as "MyInternalDomain\Sharepointaccount",
    it should appear as "Domain: MyInternalDomain" in these logs, right?

    Any chance or known bug that could make this happen just because I have
    accounts with the same name in both forests and somehow it is getting this
    confused?
     
    Marlon Brown, Feb 3, 2006
    #4
  5. Paul Williams [MVP]

    How often is this occurring? If it is occurring frequently, you should
    first run a network trace (NETMON) to see what ports are being used when the
    bad auth is made. This might be able to track down what application is
    doing this. Next you need to run REGMON and see what reg keys are being
    read when the bad auth is sent. This will show you exactly what app is
    doing this. Then, you need to find out why the app is doing this. You can
    also check your firewall logs to see what traffic is passing through (and
    getting blocked) around the time of the event.

    I doubt this is a bug. Something is trying to hit your internal PC but
    doesn't have the credentials to do so.
     
    Paul Williams [MVP], Feb 4, 2006
    #5
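    The two pieces of advice from Paul Williams (post #2: confirm the bad auth
    packets come only from the perimeter server; post #5: work out how often
    it happens) can be checked from the pasted event text before reaching for
    NETMON or REGMON. The script below is an added example and not part of
    this thread or of Microsoft's Account Lockout tools. It parses Windows
    Security event 529 text in the layout shown in post #1, groups the
    failures for one account by source address, workstation and the domain
    name the client presented, and uses a sliding time window to estimate
    whether the burst would trip a lockout threshold. The sample log, the
    30-minute window and the threshold of 5 are constructed assumptions; the
    lockout policy values to use are the ones in your own domain policy. The
    "presented_domains" field is kept separate from the DC's own domain on
    purpose, since (as the thread shows) the Domain field in a 529 event is
    whatever the authenticating client sent, which can be the other forest's
    name.

```python
"""Correlate Windows Security event 529 (logon failure) text by account.

Added example (not from the thread). SAMPLE_LOG is constructed data that
mirrors the event layout pasted in post #1.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Event Viewer header line, e.g.
# "2/2/2006 9:48:36 AM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM ..."
_HEADER_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+Security\s+.*?\b(\d{3,4})\b")
# Description lines inside the event look like "Key: Value".
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _ip(value):
    """Pull the IPv4 address out of a 'Source Network Address' value,
    ignoring any trailing commentary such as '(this is the perimeter server)'."""
    m = _IP_RE.search(value)
    return m.group(0) if m else (value or "-")


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            current = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                       "event_id": int(m.group(2))}
            events.append(current)
            continue
        if current is None:
            continue
        f = _FIELD_RE.match(line)
        if f:
            current[f.group(1).strip().lower()] = f.group(2)
    return events


def summarize_failures(events, account, window=timedelta(minutes=30), lockout_threshold=5):
    """Where do the 529s for `account` come from, which domain name did the
    client present, and do they arrive fast enough to exceed the lockout
    threshold inside one observation window? (window/threshold are assumed
    values; use the domain's lockout policy in practice.)"""
    hits = sorted((e for e in events if e.get("event_id") == 529
                   and e.get("user name", "").upper() == account.upper()),
                  key=lambda e: e["time"])
    sources = Counter(_ip(e.get("source network address", "")) for e in hits)
    workstations = Counter(e.get("workstation name", "-") for e in hits)
    domains = Counter(e.get("domain", "-") for e in hits)
    # Sliding window: most failures seen within any span of length `window`.
    peak = 0
    for i, first in enumerate(hits):
        j = i
        while j < len(hits) and hits[j]["time"] - first["time"] <= window:
            j += 1
        peak = max(peak, j - i)
    return {
        "count": len(hits),
        "sources": dict(sources),
        "workstations": dict(workstations),
        "presented_domains": dict(domains),
        "single_source": len(sources) == 1,   # post #2: only the perimeter server?
        "peak_in_window": peak,               # post #5: how often?
        "would_lock_out": peak >= lockout_threshold,
    }


def _event(ts, user, domain, ws, ip):
    """Build one constructed 529 event in the post #1 layout."""
    return (f'{ts} Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM '
            f'MyInternalDCName "Logon Failure:\n'
            f"Reason: Unknown user name or bad password\nUser Name: {user}\n"
            f"Domain: {domain}\nLogon Type: 3\nLogon Process: NtLmSsp\n"
            f"Authentication Package: NTLM\nWorkstation Name: {ws}\n"
            f"Source Network Address: {ip}\n")


# Constructed sample: five failures from the perimeter server in 20 seconds,
# plus one unrelated failure for a different (made-up) account.
SAMPLE_LOG = "".join(
    [_event(f"2/2/2006 9:48:{36 + 5 * k} AM", "SHAREPOINTACCOUNT", "PERIMETERDOMAIN",
            "PERIMETER-SERVER", "172.20.2.35 (this is the IP address of the perimeter server)")
     for k in range(5)]
    + [_event("2/2/2006 10:15:02 AM", "JSMITH", "MYINTERNALDOMAIN", "WKS01", "10.1.1.20")])

if __name__ == "__main__":
    for key, val in summarize_failures(parse_events(SAMPLE_LOG), "SharepointAccount").items():
        print(f"{key}: {val}")
```

    Run it against text saved from Event Viewer (or, on a newer DC, the
    equivalent 4625/4740 events after adjusting the header regex). If
    "single_source" is true and the address is the perimeter server, the next
    step is the one post #2 describes: audit the services, scheduled tasks and
    DCOM components on that host for ones configured with the wrong domain's
    credentials.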
