Event ID 4776 / 0xC000006A

Mark Fairhurst 1 Reputation point
2020-10-28T13:35:18.103+00:00

Hi

I am seeing lots of credential validation Audit Failures on one of our DCs from various accounts because of bad passwords. However, I have not had reports of lockouts from any of those accounts.

The strange thing is when I enable netlogon debug, the debug log does not show any errors and I see the accounts successfully validating credentials for the exact same timestamp.

Can anyone advise why these errors are being generated in the event log?
Example
Event log

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: svc_xxxxxx_emea
Source Workstation: xxxxxxxPT01
Error Code: 0xC000006A

10/28/2020 11:49:06 AM

Debug log

10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxxx_emea from xxxxxxxPT01 (via E01WPBSSQ01) Entered
10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxx_emea from xxxxxxxPT01 successfully handled on DC(UseHub is FALSE).
10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxx_emea from xxxxxxxPT01 (via xxxxxxxSQ01) Returns 0x0

thanks in advance


5 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-10-28T13:46:52.297+00:00

    When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs the event 4776. The error code 0xC000006A does mean account logon with a misspelled or bad password, but not necessarily locked out.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

    --please don't forget to Accept as answer if the reply is helpful--


  2. Mark Fairhurst 1 Reputation point
    2020-10-28T22:10:39.53+00:00

    Thanks for the reply, DSPatrick.

    Why am I not seeing any errors in the debug log?

    There are no 0xC000006A errors in the netlogon debug log which I don't understand.


  3. Dave Patrick 426.1K Reputation points MVP
    2020-10-28T22:37:58.27+00:00

    May need to double check you're capturing NTLM info
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000

    --please don't forget to Accept as answer if the reply is helpful--


  4. Hannah Xiong 6,231 Reputation points
    2020-10-29T02:45:19.523+00:00

    Hello,

    Thank you so much for posting here.

    This event generates every time that a credential validation occurs using NTLM authentication. It shows successful and unsuccessful credential validation attempts.

    We would like to recheck whether there is any event 4740 reporting of any account lockouts near to the event 4776?

    Through the 4776 event log, we can obtain the source workstation address, log in to the computer and refer to the below steps to check:

    • Check the credential management to see if there are cached user’s old credentials
    • Check if you have used the wrong password to mount the network disk
    • Check whether the user has used the wrong password to start services, run scheduled tasks, etc.
    • Are there other third-party programs that cache the user's wrong password

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

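
The check described in the answer above (4776 bad-password failures, their source workstation, and any 4740 lockouts near them), as an added PowerShell example that is not part of the thread. It is meant to be run in an elevated session on the DC that logs the failures; the 24-hour look-back and the 10-minute correlation window are assumptions.

```powershell
# Added example, not from the thread. Look-back and window values are assumptions.
$since         = (Get-Date).AddHours(-24)
$windowMinutes = 10

# Turn an event's <EventData> into a name/value hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    $map
}

# 4776 events whose Status is 0xC000006A (bad password).
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.Status -eq '0xc000006a') {   # -eq is case-insensitive for strings
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Workstation = $d.Workstation }
        }
    })

# 4740 account lockouts in the same period.
$lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName }
    })

# One row per account/workstation pair, with lockouts that fall near the failures.
$failures | Group-Object Account, Workstation | ForEach-Object {
    $acct  = $_.Group[0].Account
    $times = @($_.Group.Time | Sort-Object)
    $from  = $times[0].AddMinutes(-$windowMinutes)
    $to    = $times[-1].AddMinutes($windowMinutes)
    [pscustomobject]@{
        Account        = $acct
        Workstation    = $_.Group[0].Workstation
        BadPasswords   = $_.Count
        FirstSeen      = $times[0]
        LastSeen       = $times[-1]
        LockoutsNearby = @($lockouts | Where-Object { $_.Account -eq $acct -and $_.Time -ge $from -and $_.Time -le $to }).Count
    }
} | Sort-Object BadPasswords -Descending | Format-Table -AutoSize
```

The workstations at the top of the output are the ones to check for cached credentials, mapped drives, services and scheduled tasks as listed in the answer.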

  5. Samiul Amin 0 Reputation points
    2024-02-01T00:26:40.55+00:00

    I see a few similar questions posted; none of the answers so far explained why there were thousands of authentication attempts in the first place. Those who posted questions also did not follow up with the outcome. Other people with similar issues are still in the dark. If there is an answer why so many attempts, please post the link here.
