Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 14 Source: Kerberos

Source
Level
Description
There were password errors using the Credential Manager. To remedy launch the Stored User Names and Passwords control panel applet and reenter the password for the credential <username>.
Comments
 
In my case, Windows XP SP2 was getting application event IDs 4226, 40961, 40960 for one end user only.  The user was able to logon to the domain but the domain account would then get locked out right away. The user was also unable to map drives and access domain resources once the account was unlocked. The user stated this all happened when it was time for him to change his domain password. (Windows 2003 Domain)  The user's domain account was not a privileged account on the workstation.  

Based on info in this link and others, we checked the "User Accounts" in Control Panel and found one entry for his domain account. We removed the entry and rebooted with no luck. We removed the workstation from the domain and re-joined but still, no results. Added the end user to the local Administrators group, reboot and logged back in to the domain. Went back to "User Accounts" in Control Panel and there was another entry for his domain account. Highlighted his account name and then clicked on the Advanced Tab and then click on "Managed Passwords" and found all kinds of line entries for server paths and such. Removed them all and then removed his account name. Rebooted the workstation and he was able to log in to the domain and access domain resources once again.

The key was adding the user's domain account to the local administrators group to see the remaining entry for his "Manage Passwords" entries.
Microsoft has several good articles on how to manage stored user names and passwords depending on whether or not your system is part of a domain. For WinXP systems bound to a domain, see ME306992. For WinXP systems not part of a domain, see ME306541.
See the link to "How to launch Stored User Names and Passwords applet" for a command used to launch Stored User Names and Passwords applet.
Rob's comments about client credentials disappearing were very helpful in pointing me in the right direction to solve this issue. Instead of deleting and re-adding the computer & account, etc. from the domain, I just temporarily gave the client administrative privileges and I was able to find the stored user name info when I logged in as the user (It did not show up when I was logged in any other way; even with admin privileges). Once I found and deleted the stored credentials, I removed admin privileges and was able to log in normally without the authentication problems.
A user suddenly could not connect to shared/mapped drives on the DC although he could log onto the DC with no problem, and could access shares on the NT4 member servers. The DC was also the Exchange server (SBS2k). The user was prompted to fill in user details every time he opened Outlook. On the server EventID 675 from source Security started to show up. On the PC EventID 1030 from source Userenv, EventID 1006 from source Userenv and EventID 40961 from source LsaSrv appeared. The user could log into other PCs fine and other users could be added to the problem PC and access drives fine. I thought this was because of stored password credentials, however there was nothing listed under “Manage Passwords” (see EventID 1006 from source Userenv, comments by Tristen and Sean). Then, I removed the PC from the domain, I deleted the account and cleared the DNS/DHCP entries. I rejoined the domain and this event appeared in the log. Looked back in “Manage Passwords” and there were passwords present now. I deleted those and the problem was resolved.


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...