1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Resolved Attempted Downgrade Attack

Discussion in 'Networks' started by Dave_unemployed, May 20, 2010.

  1. Dave_unemployed

    Dave_unemployed Nibble Poster

    Hope someone can help me with this little problem:

    The Security System detected an attempted downgrade
    attack for server xxxxxxx. The failure code from
    authentication protocol Kerberos was "The user account
    has been automatically locked because too many invalid
    logon attempts or password change attempts have been

    The account will be locked out until i reset his password.
    Nothing in event viewer that can pin point the possible
    cause of this. The last thing i want is to wipe the HDD
    and resinstall.

    At first i thought it was a virus, but our virrus/malware
    scanner comes up empty.
    I'm thinking a service might be causing this problem
    but if anyone has a suggestions will be much appreciated!

    Last edited: May 20, 2010
    Certifications: A+, N+, MCP and MCDST
    WIP: 70-680
  2. SimonD

    SimonD Terabyte Poster Moderator

    Service account password been changed recently and not all machines updated with the new password?
    You should be able to tell by the account name whether it's a service account or not (assuming you know all your service accounts).

    It could also be an existing terminal session thats logged in but disconnected, or even a share using those credentials.
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  3. Dave_unemployed

    Dave_unemployed Nibble Poster

    Thanks, we finally solved the problem. There were 2 services running that was attempting to authenticate with the server which triggered the lock out of the account.

    Certifications: A+, N+, MCP and MCDST
    WIP: 70-680

Share This Page