User account locked out by application update process


Background: Windows 2008 R2 AD with a single domain. Windows proxy authentication is integrated. A user account keeps locking out, and Domain Controller event 4740 points to the user's personal desktop. Looking for possible causes for the lockouts, I see that it comes from the automatic update configuration of an application.

Question: This is quite usual for my company: employees use their personal user accounts to set the application's proxy update configuration. Once the password for their account expires, they change the password, which leads to the user account lockout when the application tries to check for possible updates.

I tried to find the lockout source with tools like Process Explorer and Process Monitor, but the processes shown by those tools are always run by the user, not by the account set in the proxy configuration.

I also tried enabling audit process tracking for the Windows Security Log, but the same thing happens: the owner of the processes is the one who runs the application.

Is there any way to identify those kinds of applications which are trying to check for updates via the proxy with a user account's credentials?

Thank you.

fedayn

Posted 2016-07-28T10:38:39.763


When you look in the Event Viewer Security logs, look for entries around the time the lockout occurs. I've found event ID #4625 with the logon category, which shows the account name that locks out the account due to logon failure attempts, with a Caller Process Name that'll show the potential culprit contributing to the issue. What type of app is this: an ASP.net IIS web app, an EXE app with a config file, or what? It may be as simple as them needing to log off the machine they changed their password on or deleting any cached credentials. How is the proxy set up for the authentication exactly? – Pimp Juice IT – 2016-07-28T15:43:21.720

It's a Windows Integrated Authentication Proxy. The proxy talks with the AD Domain Controllers and it allows web navigation to the user depending on the AD security. The lockout happens at the proxy machine level; it's a transitive network logon. That's the problem: the credentials are passed to the proxy machine, but the app process info isn't. It happens with several apps, most of them checking for updates on the Internet. – fedayn – 2016-07-29T06:13:26.433
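The correlation the comments describe, as an added example that is not part of the original thread: pull the 4740 lockouts for one account from the DC, pivot to the Caller Computer Name each one reports (the proxy, in this case), and list the 4625 failures there in the minutes before the lockout. The DC name and account are placeholder values; for a transitive network logon the Caller Process Name on the proxy is empty, so the Workstation Name and Source IP columns are what point back at the desktop running the updater.

```powershell
# Added example: correlate DC event 4740 with 4625 on the reported caller computer.
# Assumes rights to read the Security log on the DC and on the caller computer remotely.
param(
    [string]$Dc   = 'DC01.example.local',   # placeholder: PDC emulator (it receives all lockouts)
    [string]$User = 'jdoe',                 # placeholder: the account that keeps locking out
    [int]$WindowMinutes = 5                 # how far before each lockout to look for failures
)

# Read one named EventData field from an event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$lockouts = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction Stop |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

foreach ($lock in $lockouts) {
    # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
    $caller = Get-EventField $lock 'TargetDomainName'
    $start  = $lock.TimeCreated.AddMinutes(-$WindowMinutes)
    $end    = $lock.TimeCreated
    Write-Host "Lockout of $User at $($lock.TimeCreated) reported from $caller"

    try {
        $fails = Get-WinEvent -ComputerName $caller -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $start; EndTime = $end }
    } catch {
        Write-Warning "No 4625 events readable on $caller in window: $_"
        continue
    }

    $fails |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = Get-EventField $_ 'LogonType'       # 3 = network (proxy), 2 = interactive, 4 = batch
                Process     = Get-EventField $_ 'ProcessName'     # Caller Process Name; '-' on a transitive network logon
                Workstation = Get-EventField $_ 'WorkstationName' # the desktop that sent the stale credentials
                SourceIp    = Get-EventField $_ 'IpAddress'
                SubStatus   = Get-EventField $_ 'SubStatus'       # 0xC000006A = wrong password (cached old one)
            }
        } | Format-Table -AutoSize
}
```

Once the Workstation Name identifies the desktop, a Process Monitor capture there filtered on TCP Send to the proxy address during the same window ties the connection to the updater process, which the Security log alone cannot do for this logon type.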

No answers