
AD account got locked out because of a hidden credential.

Posted by Hanson on June 19, 2019 / June 26, 2019

My admin account got locked out again. I thought I had fixed this issue and posted an article at http://www.itreliable.com/wp/its-really-odd-ad-admin-account-got-locked-by-configuration-manager-health-evaluation-job/. But something still caused the issue, though not as often as before. I checked the time it happened and found this event in the Event Viewer.

Subject:
Security ID: S-1-5-18
Account Name: DC201$
Account Domain: AD
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: S-1-2-234-23423423424-44XYXYX024
Account Name: myadminaccount

Additional Information:
Caller Computer Name: DC101

The caller computer is a DC in a different domain. I didn’t log on to that server at the time. Then I logged on to that computer and checked the event log. I found Event ID 40960.

Source: LSA(LsaSrv)
Event ID:40960
Computer: DC101.ABC.LOCAL
The Security System detected an authentication error for the server HTTP/ut123.ad.abc.local. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

But I don’t think I or anybody else attempted to log on to any server at the time. Then I saw another event recorded 5 minutes before this one.

Source: Security-Kerberos
Event ID:14
The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential ad\myadmin

So Credential Manager is the place to check. But I saw no credentials at all after I opened Credential Manager from the Control Panel. It must be hidden!

I finally found an article talking about the same issue at https://social.technet.microsoft.com/Forums/ie/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity

There are passwords that can be stored in the SYSTEM context that can’t be seen in the normal Credential Manager view. Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32.
From a command prompt run: psexec -i -s -d cmd.exe
From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
Now I could see the stored User Names and Passwords. I had used it to install the SCCM client a long time ago. That matched the event log, which showed it was trying to contact the SCCM server when my account got locked.

I removed it and restarted the computer. Problem solved!
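
The same hunt as a script, added here as an example and not part of the original post: it finds the lockout events and their caller computer on a DC, pulls the matching Kerberos and LsaSrv events on that computer, and lists credentials stored under SYSTEM. The function names are made up for this example, and it assumes the lockout event shown above is Security event ID 4740 and that PsExec.exe is on the PATH.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell session.
# Assumptions: lockouts are logged as event 4740 in the DC's Security log; PsExec.exe is on the PATH.

function Get-LockoutSource {
    # Run on a domain controller: when the account was locked and from which caller computer.
    param([Parameter(Mandatory)][string]$Account, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                TimeCreated    = $evt.TimeCreated
                Account        = $data['TargetUserName']
                # Event 4740 carries "Caller Computer Name" in the TargetDomainName field.
                CallerComputer = $data['TargetDomainName']
            }
        }
    }
}

function Get-StaleCredentialEvent {
    # Run on the caller computer: Security-Kerberos event 14 and LsaSrv event 40960 (System log).
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos', 'LsaSrv'
        Id           = 14, 40960
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-SystemStoredCredential {
    # Credentials saved under the SYSTEM account do not show in a user's Credential Manager view.
    # cmdkey /list prints target names and user names only, never the stored passwords.
    & psexec.exe -accepteula -s cmdkey.exe /list
}

# Usage (account name taken from the event shown in the post):
#   Get-LockoutSource -Account 'myadminaccount'     # on the DC that logged the lockout
#   Get-StaleCredentialEvent                        # on the caller computer it reports
#   Get-SystemStoredCredential                      # on the caller computer
# To remove a stale entry once identified: psexec -s cmdkey /delete:<target name from the list>
```

Event 14 showing up a few minutes before each lockout, as in the post, is the sign that a saved credential rather than an interactive logon is producing the failed attempts.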

 
