Hi,
I have a customer has the below issue:
After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
Also the below email alert from ADManager:
|
Event Details |
|
Domain | krbtgt/domain.LOCAL |
Event Code | 16 |
SID | %{S-1-5-21-428199501-1217283236-4064894256-500} |
Client Host Name | Server.domain.local |
Event Type | Failure |
Remarks | Kerberos pre-authentication failed. |
Logon Service | krbtgt/ domain.LOCAL |
Domain Controller | DC.domain.local |
User Name | Administrator |
Client IP Address | IP |
Failure Code | 0x18 |
Logon Time | Apr 09,2015 11:42 AM |
Failure Reason | Bad password |
Record number | 2197037173 |
Event Number | 4771 |
They already changed the password for service accounts running using that admin account with new password. There is no issues in domain other than this, users can login and services are fine. However, account lockout policy is disabled and if it is enabled I think they will have a huge issue due to this Kerberos authentication failure.
Please help!