Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
|Type: Failure Audit|
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: xyzxyz
Source Workstation: Servername
Error Code: 0xc000006a
|English: Request a translation of the event description in plain English.|
Here are some of the commone error codes recorded with this event:
C0000064 - user name does not exist
C000006A - user name - is correct but the password is wrong
C0000234 - user is currently locked out
C0000072 - account is currently disabled
C000006F - user tried to logon outside his day of week or time of day restrictions
C0000070 - workstation restriction
C0000193 - account expiration
C0000071 - expired password
C0000224 - user is required to change password at next logon
C0000225 - evidently a bug in Windows and not a risk
In one situation, this event along with event id 4625 were being recorded 290 times per day, showing C:\Windows\System32\svchost.exe as the calling process and the admin account as the failing to login due to a wrong password. All the services were configured to run the Local System account. It turned out that the culprit was a batch file scheduled to run every 5 minutes using the Microsoft Task Scheduler. At some point, the admin password was changed and the task started failing at every run attempt. Once the password was updated, the messages stopped.
This event can be recorded if the screen is locked and the user is trying to "wake-up" the computer by pressing the Enter key. This is equivalent to entering a blank password (so the login would fail).
Error code 0xc000006a means that the username is correct, but the password is wrong.
One user was getting this when he tried to map a drive to a share located behind a firewall. According to the user, the problem was not the firewall but the local security policies.
In Security Settings\Local Policies\Security Options the option Network Security: LAN Manager authentication level was set to Send NTLMv2 Response only. Refuse LM & NTLM.
Once this was changed to Send LM & NTLM - use NTLMv2 session security if negotiated and he was able to use the local account credentials to map the drive from the server. Send NTLMv2 response only. Refuse LM also worked.
EV100172 (4776: The domain controller attempted to validate the credentials for an account) provides a description of this type of event and the various fields used in it.
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (1) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated