question

MarkFairhurst-2510 asked MartinSojdr-1850 commented

Event ID 4776 / 0xc00006a

Hi

I am seeing lots of credential validation Audit Failures on one of our DCs from various accounts because of bad passwords. However, I have not had reports of lockouts from any of those accounts.

The strange thing is when I enable netlogon debug, the debug log does not show any errors and I see the accounts successfully validating credentials for the exact same timestamp.

Can anyone advise why these errors are being generated in the event log?
Example
Event log

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: svc_xxxxxx_emea
Source Workstation: xxxxxxxPT01
Error Code: 0xC000006A

10/28/2020 11:49:06 AM

Debug log

10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxxx_emea from xxxxxxxPT01 (via E01WPBSSQ01) Entered
10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxx_emea from xxxxxxxPT01 successfully handled on DC(UseHub is FALSE).
10/28 11:49:06 [LOGON] [7904] domainname: SamLogon: Transitive Network logon of domain\svc_xxxxxx_emea from xxxxxxxPT01 (via xxxxxxxSQ01) Returns 0x0

thanks in advance

windows-active-directory

Hello,

I am checking how the issue is going. If you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

Have got exactly this combination of Event ID 4776 and error code 0xc00006a and it turned out to be due to an account past its expiration date.

DSPatrick answered

When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs the event 4776. The error code 0xC000006A does mean Account logon with misspelled or bad password but not necessarily locked out.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

--please don't forget to Accept as answer if the reply is helpful--

MarkFairhurst-2510 answered

thanks for the reply DSPatrick

Why am I not seeing any errors in the debug log?

There are no 0xC000006A errors in the netlogon debug log which I don't understand.

DSPatrick answered

May need to double check you're capturing NTLM info
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000


--please don't forget to Accept as answer if the reply is helpful--

HannahXiong-MSFT answered

Hello,

Thank you so much for posting here.

This event generates every time that a credential validation occurs using NTLM authentication. It shows successful and unsuccessful credential validation attempts.

We would like to recheck whether there is any event 4740 reporting account lockouts near the event 4776.

Through the 4776 event log, we can obtain the source workstation address, log in to the computer and refer to the below steps to check:

• Check the credential management to see if there are cached user’s old credentials
• Check if you have used the wrong password to mount the network disk
• Check whether the user has used the wrong password to start services, run scheduled tasks, etc.
• Are there other third-party programs that cache the user's wrong password

For any question, please feel free to contact us.

Best regards,
Hannah Xiong
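
One way to line up the two log sources quoted in the question with the 4740 check suggested in this answer, as an added example that is not part of the original thread. The sample log lines, account and host names, the 5-minute window and the assumption that 4776/4740 events were exported as tuples are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

BAD_PASSWORD = "0xc000006a"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data in the formats quoted in the question (names are made up).
NETLOGON_LOG = r"""
10/28 11:49:06 [LOGON] [7904] CORP: SamLogon: Transitive Network logon of CORP\svc_app from APPPT01 (via APPSQ01) Entered
10/28 11:49:06 [LOGON] [7904] CORP: SamLogon: Transitive Network logon of CORP\svc_app from APPPT01 (via APPSQ01) Returns 0x0
10/28 11:52:10 [LOGON] [7904] CORP: SamLogon: Network logon of CORP\jdoe from WKS042 Returns 0xC000006A
"""
EVENTS_4776 = [  # (time, Logon Account, Source Workstation, Error Code)
    (ts("2020-10-28 11:49:06"), "svc_app", "APPPT01", "0xC000006A"),
    (ts("2020-10-28 11:52:10"), "jdoe", "WKS042", "0xC000006A"),
    (ts("2020-10-28 11:53:00"), "jdoe", "WKS042", "0x0"),
]
EVENTS_4740 = [(ts("2020-10-28 11:54:30"), "jdoe")]  # (time, locked-out account)

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*? logon of (?:[^\\\s]+\\)?(\S+)"
                  r" from (\S+).*Returns (0x[0-9A-Fa-f]+)")

def parse_netlogon(text, year):
    """Map (account, workstation, time) -> set of SamLogon return codes."""
    seen = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # only 'Returns' lines carry a status; netlogon.log has no year
            when = datetime.strptime(f"{year} {m[1]}", "%Y %m/%d %H:%M:%S")
            seen.setdefault((m[2].lower(), m[3].lower(), when), set()).add(m[4].lower())
    return seen

def triage(events_4776, events_4740, netlogon, window=timedelta(minutes=5)):
    """For each 4776 bad-password failure, attach the same-second netlogon codes
    and whether a 4740 lockout for that account falls within the window."""
    rows = []
    for when, account, workstation, status in events_4776:
        if status.lower() != BAD_PASSWORD:
            continue
        codes = netlogon.get((account.lower(), workstation.lower(), when), set())
        locked = any(a.lower() == account.lower() and abs(t - when) <= window
                     for t, a in events_4740)
        rows.append({"account": account, "workstation": workstation, "time": when,
                     "netlogon_codes": sorted(codes), "lockout_nearby": locked})
    return rows

if __name__ == "__main__":
    for row in triage(EVENTS_4776, EVENTS_4740, parse_netlogon(NETLOGON_LOG, 2020)):
        print(row)
```

A row whose `netlogon_codes` holds only `0x0` reproduces the mismatch described in the question; a row with an empty list means the debug log has no SamLogon result for that account and workstation in that second.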
