Solved: Unity Connection reportedly locking out AD account

will.alvord · ‎03-20-2013

A sysadmin asked me to investigate this error. One user has had her AD locked out every evening and when the sysadmin followed up with MS, they pointed to Unity Connection due its address being listed in the 'source network address' field in this log entry. I've always tried to stay as far away from AD as I could which is biting me now. It seems highly unlikely that UC would be locking out a single user account each night, but I don't know how to confirm that. Ideally, I'd like to assist the sysadmin by pinpointing the real problem, but will settle for being able to confirm that it's not UC.

Any ideas?

An account failed to log on.

Subject:

Security ID: SYSTEM

Account Name: [dc$ - not sure what the $ represents]

Account Domain: [domain]

Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: [userid]

Account Domain: [domain]

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xc000006d

Sub Status: 0xc000006a

Process Information:

Caller Process ID: 0x240

Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name: [primary dc]

Source Network Address: [unity connection]

Source Port: 57750

Detailed Authentication Information:

Logon Process: Advapi

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

Leo Salcie Tejeda · ‎03-20-2013

There's not way that Unity could be locking a User AD account when the user is not use for Unified Messaging or LDAP Sync..

Did you confirm the ip address from the server that they said is attempting to authenticate? The name [unity connection] could be assign for mistake to some unknow server...

Regards

Please rate all useful posts
Favor calificar todos las respuestas útiles.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
MDGDP, CCNA, CCNA Voice, CCNP Voice Certified

__________________________________________________
Please remember to rate useful posts clicking on the stars below.
LinkedIn Profile: do.linkedin.com/in/leosalcie

View solution in original post

Leo Salcie Tejeda · ‎03-20-2013

Hi Will,

Are you running Unified Messaging or LDAP Sync? Maybe the account is use for one of these service and the password is wrong so maybe is tryng to attempt to authenticate the service. Just a thought...

Regards

Please rate all useful posts
Favor calificar todos las respuestas útiles.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
MDGDP, CCNA, CCNA Voice, CCNP Voice Certified

__________________________________________________
Please remember to rate useful posts clicking on the stars below.
LinkedIn Profile: do.linkedin.com/in/leosalcie

will.alvord · ‎03-20-2013

LDAP sync, but that uses a dedicated account other than the user in question. I meant to mention that in the original post. Sorry about that. Also, this is only happening on a single account. I guess I could pull some traces and search for the userid. Think that would be enough to definitively confirm that the problem is elsewhere (assuming nothing is found)? Would that just be the cisco dirsync logs?

Leo Salcie Tejeda · ‎03-20-2013

There's not way that Unity could be locking a User AD account when the user is not use for Unified Messaging or LDAP Sync..

Did you confirm the ip address from the server that they said is attempting to authenticate? The name [unity connection] could be assign for mistake to some unknow server...

Regards

Please rate all useful posts
Favor calificar todos las respuestas útiles.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
MDGDP, CCNA, CCNA Voice, CCNP Voice Certified

__________________________________________________
Please remember to rate useful posts clicking on the stars below.
LinkedIn Profile: do.linkedin.com/in/leosalcie

will.alvord · ‎03-20-2013

Yes it's the right address, but I'm not an MS server guy so I don't know if they're interpreting the log data correctly. I edited the log excerpt above for readability. So you're confident that there's no other reason why UC would try to authenticate to AD?

Leo Salcie Tejeda · ‎03-21-2013

Yes, I'm confident.

Please rate all useful posts
Favor calificar todos las respuestas útiles.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
MDGDP, CCNA, CCNA Voice, CCNP Voice Certified

__________________________________________________
Please remember to rate useful posts clicking on the stars below.
LinkedIn Profile: do.linkedin.com/in/leosalcie

will.alvord · ‎03-22-2013

Thanks Pal. +5