Comments (7)
  1. MrBIGmog says:

    “But if the authentication is coming from a third party device, it is possible that the field will be empty or contain an arbitrarily set value. We will deal with those in a further post.”

    Was this additional post ever made?

    1. It is drafted… Do you have the case? Mind sharing your input? We could co-write 🙂

  2. shovey says:

    “But if the authentication is coming from a third party device, it is possible that the field will be empty or contain an arbitrarily set value. We will deal with those in a further post.”

    It is drafted… Do you have the case?

    Did you ever get a case? I opened a ticket once but they couldn’t resolve it.

    1. For SMB for example, according to [MS-SRVS]: Server Service Remote Protocol https://msdn.microsoft.com/en-us/library/cc247080.aspx the client will provide the info to the server about its name (to build a session structure). This has to be either NULL or a string starting with \\. But really the client has the discretion on this. Samba clients for example have a parameter to override the smb.conf (see --netbiosname in https://www.samba.org/samba/docs/man/manpages-3/smbclient.1.html). And the DC just validates the credentials (event 4776); it just has access to whatever the NTLM security provider has access to, and in the NTLM pass-through process, the IP address of the client doesn’t seem to be a part of what the DC has available. I do not have any case I could build upon… I write my posts based on what I get on my plate 🙂 If you have more info, feel free to email me, I’ll have a look at it and see if we can build something on it.

      1. DFischerMN says:

        Has anyone figured out a way to track down a failed authentication from a non-windows SMB client that is not providing a valid computer name? I’m trying to track down failed authentication attempts that are reporting the computer name JCIFS20_88_73 which is a Java CIFS client.

        1. Yes. As suggested, you can enable the Account Lockout audit to have the event 4625 showing the actual IP address.
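
As an added example (not from the original post or any of the commenters): once failure auditing for the Logon/Logoff category (the Logon or Account Lockout subcategory) is enabled, the 4625 events carry an IpAddress field, and a script like the one below lists failed logons whose reported workstation name matches a pattern such as the JCIFS client name mentioned above. It assumes the script runs with rights to read the Security log on the machine that received the SMB connection (the member server in a pass-through scenario, or the DC itself if the client connected there); the default pattern `JCIFS*` is a constructed value.

```powershell
# Added example: correlate failed logons (event 4625) with the source IP address.
# Assumes logon failure auditing is enabled so 4625 events are written with IpAddress.
param(
    [string]$WorkstationPattern = 'JCIFS*',   # constructed default; matches names like JCIFS20_88_73
    [int]$Hours = 24
)

# Only read 4625 (An account failed to log on) from the Security log for the last N hours.
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # The named EventData fields (TargetUserName, WorkstationName, IpAddress, ...)
    # are easiest to read from the event's XML representation.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time            = $_.TimeCreated
        TargetUser      = $data['TargetUserName']
        TargetDomain    = $data['TargetDomainName']
        WorkstationName = $data['WorkstationName']   # client-supplied, may be empty or arbitrary
        IpAddress       = $data['IpAddress']         # source of the connection as seen by this host
        LogonType       = $data['LogonType']         # 3 = network logon, which SMB uses
        Status          = $data['Status']
        SubStatus       = $data['SubStatus']         # e.g. 0xC000006A = wrong password
    }
} |
  Where-Object { $_.WorkstationName -like $WorkstationPattern } |
  Sort-Object Time -Descending |
  Format-Table -AutoSize
```

Because 4625 is logged on the host where the logon attempt was processed, run this on the file server the client talks to rather than only on the DC, where pass-through validation produces 4776 without a client IP.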

  3. Ghassan Arman says:

    I just loved this article, finally account lockout is demystified.
    Well done, and thank you very much.

    I was going crazy searching for how in the hell a domain user gets locked on a domain controller in a production environment after searching every bit on schedule something with that user name.
