Hello,

My first post so lets see want i can learn.

Situation:
- WBT workstations
- 5 Citrix servers
- 1 File server also domaincontroller(VirtualMachine)
- 1 mailserver also an domaincontroller(VirtualMachine)

Accounts get lockout with the event on the fileserver: 675
This event shows the ip address of the citrix server where the user is logged on to.

The Citrix server gives 529, shows its logon process and is in this case 7064 and that relates to WINLOGON.

I have googled a lot but i can't find the solution to these lockouts.
I have the Microsoft lockout tools and used eventcombMT/alockout and run dcdiag. Also programs like kerbtray and MPS Reporting Tool for Directory Services & Security Support, but no luck for me.Also run a network monitor  from Microsoft.

Users do not even know why/when they are locked because it happens even when they are not behind the computer.
These events only come up in worktime.

Can anybody help me try to solve this issue?

-This week i will activate kerberos and netlogon logging-



-------------------------------------------------------------------
Event ID's and there information:

FILESERVER:

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    675
Date:        1-12-2008
Time:        12:04:32
User:        NT AUTHORITY\SYSTEM
Computer:    Fileserver-FS01
Description:
Pre-authentication failed:
    User Name:    kf
    User ID:        domain1\kf
    Service Name:    krbtgt/domain1
    Pre-Authentication Type:    0x2
    Failure Code:    0x18
    Client Address:    172.168.207.52


CITRIXSERVER, Dutch version of windows 2003, translated a bit:

Type gebeurtenis:    Failed
Bron van gebeurtenis:    Security
Categorie van gebeurtenis:    logon/logoff
Event-id    529
Date:        1-12-2008
Time:        12:04:32
User:        NT AUTHORITY\SYSTEM
Computer:    citrixserver-CTX03
Description:
Aanmeldingsfout:
    Cause:              unknown username or password     username:          kf
    Domein:              Domain1
    logontype:      7 *==> Unlock type*
    logonproces:      User32 
    Verificatiepakket:      Negotiate
    Name workstation:      Citrixserver-CTX03
    username caller: Citrixserver-CTX03$
    Domein callerr:      Domain1
    Aanmeldings-id aanroeper: (0x0,0x3E7)
    Proces-id caller:  7040 *==> This is WINLOGON *     Doorgezette services:       -
    Networkaddress source:      172.168.207.75 *address of terminal WBT client*
    Poort van source:          1039 -- pjverweij ------------------------------------------------------------------------ pjverweij's Profile: http://forums.techarena.in/members/pjverweij.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

Hello pjverweij,

Are all machine domain members? Are the domain controllers all VM's?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Yes all server computers are in the same domain, we only have 1 domain, WBT stations login as a citrix client and go futher to work on one of the servers.
It's also true that all domain controllers are virtual server VMware machines.
The fileserver is the PDC.
The citrix servers are not virtual, these are racket servers.

I will have a look at terminal clients , but logging on can always be done(Wyse clients) and they show up in the citrix and Active directory enviroment.
I also have looked at stored credentials at the citrix server: Stored password and user information but this is not for clients. -- pjverweij ------------------------------------------------------------------------ pjverweij's Profile: http://forums.techarena.in/members/pjverweij.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

The WBT terminals are getting an ip address from the file server, from there the ica client will connect the citrix farm. The farm will look at the server who are available so the user can logon to one who has the most rescources left.

The WBT stations are not in the domain they just getting a ip address with from the dhcp server. The citrix servers where they logon to are in the domain. -- pjverweij ------------------------------------------------------------------------ pjverweij's Profile: http://forums.techarena.in/members/pjverweij.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

Hello pjverweij,

I would suggest you post this also to:
microsoft.public.windows.terminal_services

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Damn, I have a very similar issue, if not the same. I have a Windows 2003 Xenapp 5 setup. When I open an ICA session to a server the published application will start, but every launch will log 2 bad password attempts at the Windows 2008 Domain Controller. My account will get locked out after 5 logons (policy is set to 10 bad pwd attempts). We use Kerberos Passthrough authentication as well. We have a ticket open at Citrix support, but they don't have a clue for the moment. It is very important for me to get this resolved within the coming week. -- bendewit ------------------------------------------------------------------------ bendewit's Profile: http://forums.techarena.in/members/bendewit.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

We have the exact same issue and i cannot find anything on the web. Did citrix ever get back to you and did you ever get this resolved? -- jfd7000 ------------------------------------------------------------------------ jfd7000's Profile: http://forums.techarena.in/members/216282.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

Hello jfd7000,

In the microsoft.public.windows.server.active_directory newsgroup this posting
isn't listed anymore, so please describe in detail the problem you have including
the OS version(SP/patch level) also with error messages or complete event
viewer errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Show quoteHide quote

Hi,

I am having the same issue as the member who posted before me.

I am asking the member if Citrix ever replied to the call that was raised by them. -- jfd7000 ------------------------------------------------------------------------ jfd7000's Profile: http://forums.techarena.in/members/216282.htm View this thread: http://forums.techarena.in/active-directory/1080490.htmhttp://forums.techarena.in

I have to agree with Meinolf, you should open a new thread but see the link
below.

http://www.pbbergs.com/windows/articles.htm
Select User Account Lockout Troubleshooting

Show quoteHide quote

error in generic host
Restore FSMO role holder
Library Not Registered
Retire a 2003 Domain Controller?
Trusts with external domain and Domain/Forest Functional Levels
Hide full path in Windows explorer of mapped drive
Applying GPO in W2K3 and W2K8 - Admin Question
WDS "stuff"
AD Get Username Script
Questions about domain time source