Hi,
I recently noticed that two separate Windows 11 machines joined to my
domain are not letting me log in to them as a domain user. In the
Windows Security event log I can see 'Audit Failure' - 'An account
failed to log on'. Details shown are: 'Account for which logon failed'
- 'Security ID: NULL SID'; 'Account Name: myusername'; 'Account
Domain: mydomain'. In the 'Failure Information' it shows me 'Failure
Reason: An error occurred during logon'; 'Status: 0xC000006D'; 'Sub
Status: 0x0'
Has anyone else experienced this - is it just me?
I wonder if I need to maybe rejoin these machines to the domain as
Windows 11 has got confused somehow.
I tried from a Windows 10 machine and that was fine, so I'm currently
thinking there is some difference with Windows 11 but I'm not entirely
sure where to go next.
This comes after I have recently upgraded all my DCs to 4.20.x,
although I expect that is purely coincidental and the issue might well
be a recent Windows update or similar.
I happen to have extra logging turned on on one of my DCs, and did see
some messages in the log at the same time I tried to log in.
An example is below; I saw the same status code of
NT_STATUS_TIME_DIFFERENCE_AT_DC against the user account as well as
the computer account which is shown in the log extract below. NTP
(well, chrony) is running on the DC and the time on the client looks
to be reasonably correct (within 10-20 seconds), so I'm not sure
what/where the time difference is..
Interestingly on one of the Windows 11 machines in question, it's a
laptop and if I pull out the network cable I can still log in with
cached credentials. But Windows then shows a message after a while,
asking me to lock the computer with Ctrl-Alt-Del and unlock it.. after
doing that, I can no longer log in, until I power cycle the laptop and
log in with cached credentials again. (The other machine I've seen
this on is a desktop in a cupboard and I can't easily carry out the
same test)
Samba log extract (sanitised):
"eventId": 4625,
"logonId": "nnnnnnnnnn",
"logonType": 3,
"status": "NT_STATUS_TIME_DIFFERENCE_AT_DC",
"localAddress": null,
"remoteAddress": "ipv4:1.2.3.4",
"serviceDescription": "Kerberos KDC",
"authDescription": "ENC-TS Pre-authentication",
"clientDomain": null,
"clientAccount": "computer$@mydomain.org.uk",
"workstation":
"becameAccount": "COMPUTER$",
"becameDomain": "MYDOMAIN",
"becameSid": "S-1-5-21-nnnn-yyyy-zzzz-xxxx",
"mappedAccount": "COMPUTER$",
"mappedDomain": "MYDOMAIN",
"onComputer": null,
"netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
"passwordType": "aess-hmac-sha1-96",
"clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null,
"duration": 38190
Before I try rejoining the machines to the domain, I thought I'd ask
if anyone else has experienced similar recently..
Thanks,
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
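
A triage helper for DC authentication logs like the extract above, added here as an example and not part of the original message: it groups Kerberos failures carrying NT_STATUS_TIME_DIFFERENCE_AT_DC by client address and account. It assumes each JSON event sits on one line inside a "type"/"Authentication" wrapper; the sample lines, addresses and account names are constructed.

```python
import json
from collections import defaultdict

SKEW_STATUS = "NT_STATUS_TIME_DIFFERENCE_AT_DC"  # status quoted in the message above

# Constructed sample input (addresses and accounts are made up). The header line
# and the "type"/"Authentication" wrapper are assumptions about the log layout.
SAMPLE_LOG = """\
[2024/01/01 09:00:00, 3] constructed header line without JSON
  {"type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_TIME_DIFFERENCE_AT_DC", "remoteAddress": "ipv4:192.0.2.10", "serviceDescription": "Kerberos KDC", "clientAccount": "computer$@mydomain.example", "mappedAccount": "COMPUTER$"}}
  {"type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_TIME_DIFFERENCE_AT_DC", "remoteAddress": "ipv4:192.0.2.10", "serviceDescription": "Kerberos KDC", "clientAccount": "myusername@mydomain.example", "mappedAccount": "myusername"}}
  {"type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.20", "serviceDescription": "Kerberos KDC", "clientAccount": "otheruser@mydomain.example", "mappedAccount": "otheruser"}}
  {"type": "Authentication", "Authentication": {"eventId": 4625, "status":
"""


def auth_events(lines):
    """Yield the inner Authentication object from every line that carries one."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # log header or other non-JSON text
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or wrapped line
        event = record.get("Authentication") if isinstance(record, dict) else None
        if isinstance(event, dict):
            yield event


def skew_failures(lines):
    """Map client address -> sorted accounts that hit the clock-skew status at the KDC."""
    by_client = defaultdict(set)
    for ev in auth_events(lines):
        if ev.get("serviceDescription") != "Kerberos KDC":
            continue
        if ev.get("status") != SKEW_STATUS:
            continue
        account = ev.get("mappedAccount") or ev.get("clientAccount") or "<unknown>"
        by_client[ev.get("remoteAddress") or "<unknown>"].add(account)
    return {addr: sorted(accounts) for addr, accounts in by_client.items()}


if __name__ == "__main__":
    for addr, accounts in skew_failures(SAMPLE_LOG.splitlines()).items():
        print(addr, ", ".join(accounts))
```

If the skew failures all come from a few client addresses while other clients authenticate normally against the same DC, that narrows the search to those clients rather than the DC's clock.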