Troubleshoot Event ID 680

Troubleshooting Event ID 680 sometimes gets really tricky, and I haven't come across a good article that describes how to start.

Often a user account keeps getting locked out. There are a few possible causes, such as:

1. The user saves a domain account user name and password, and when the password is changed the saved credentials are not updated. The application using the saved credentials keeps sending the old password for authentication, the domain controller rejects it, and after enough failed attempts the account locks out.

2. A user (IT admin) logs on to a server via RDC and forgets to log off. There is a group policy (not sure which one, will update on this later) to log off the user session after a specified time period. If that GPO is not in place, the session is disconnected instead of logged off, and a password change then occurs, the account keeps locking out.

3. The scenario documented in this article relates to the "Log On As" account configured for a service.

Let's check what exactly is happening here.

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    680
Date:        10/31/2012
Time:        9:52:59 AM
User:        NT AUTHORITY\SYSTEM
Computer:    HQDC1
Description:
Logon attempt by:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:    nadeem
Source Workstation:   
Error Code:    0xC0000064


The error code 0xC0000064 in the description means "User name does not exist" (see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=680).
The user account is nadeem (one of the admins responsible for server hardware health checks).

Source Workstation is blank! So how do we track this event down: where is the authentication request coming from?

To start troubleshooting we will first enable logging for the NetLogon service.
Logging has to be enabled on the domain controller on which the event is being logged, because that is where the authentication takes place.

To enable logging, open a command prompt and run:

nltest /dbflag:0x20000004

And restart the NetLogon service:

net stop netlogon
net start netlogon


Now go to C:\Windows\Debug.
There you will find NetLogon.log, which is where the debug output is recorded.
In the log file we can see that the authentication request for this user is coming from a server named "HQANTIVIRUS".

So we have found the source server; time to log on to it and check.

TIP: as soon as you log on, check the "Processes" tab in Windows Task Manager and find the user name along with the corresponding executable that is issuing the authentication request.

In this case, what I found was that "hpsimsvc.exe" was running under the user name "nadeem".

Next, I checked services.msc and found that the service was configured to log on as "nadeem".

Once you correct the service's "Log On As" credentials, the event will no longer show up.

Finally, let us disable NetLogon logging.
From a command prompt run:

nltest /dbflag:0x0

And restart the NetLogon service:

net stop netlogon
net start netlogon
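The whole procedure above (enable NetLogon debug logging, restart the service, pull the source workstations of the failed logons for one account out of NetLogon.log, then turn logging off) as a single PowerShell script. This is an added example, not code from the original post; it assumes it runs elevated on the DC that logs the 680 events, that the account is passed as $Account, and that the log lines have the "SamLogon: ... logon of DOMAIN\user from HOST ... Returns 0x..." shape (the sample line in the comment is constructed).

```powershell
# Added example: find where failed logons for one account originate, using the
# same nltest debug mask the post uses. Run elevated on the authenticating DC.
param([string]$Account = 'nadeem')   # sAMAccountName from the Event 680 "Logon account" field

$LogPath = "$env:SystemRoot\Debug\Netlogon.log"

function Set-NetlogonDebug([string]$Flag) {
    # 0x20000004 = the mask used in the post; 0x0 turns logging off again.
    nltest "/dbflag:$Flag" | Out-Null
    Restart-Service -Name Netlogon -Force   # same effect as "net stop/start netlogon"
}

function Get-FailedLogonSources([string]$Path, [string]$User) {
    # Lines of interest look like this (constructed sample, same shape as the DC writes):
    #   10/31 09:52:59 [LOGON] SamLogon: Network logon of HQ\nadeem from HQANTIVIRUS Returns 0xC0000064
    # "Returns 0x0" is a successful logon; anything else is the NTSTATUS shown in Event 680.
    $pattern = 'SamLogon: .*logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<source>\S*) .*Returns (?<status>0x[0-9A-Fa-f]+)'
    Get-Content -Path $Path |
        ForEach-Object {
            if ($_ -match $pattern -and $Matches.user -eq $User -and $Matches.status -ne '0x0') {
                [pscustomobject]@{
                    Time   = $_.Substring(0, 14)   # "MM/DD HH:MM:SS" prefix of the line
                    User   = $Matches.user
                    Source = $Matches.source       # the workstation Event 680 left blank
                    Status = $Matches.status
                }
            }
        } |
        Group-Object Source, Status |               # one row per (source, error code)
        Select-Object Count, Name
}

Set-NetlogonDebug '0x20000004'
Write-Host "NetLogon logging enabled. Wait for the next Event 680, then press Enter."
Read-Host | Out-Null
Get-FailedLogonSources -Path $LogPath -User $Account | Format-Table -AutoSize
Set-NetlogonDebug '0x0'
```

The Name column reads "HQANTIVIRUS, 0xC0000064" for the case in the post, which is the host to log on to and check in Task Manager and services.msc.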


The local policy of this system does not permit you to login interactively

This is the most common problem I have seen people face when they need to manage remote client desktops in an Active Directory environment, for example when a user has a problem with his Outlook client and you need to troubleshoot it from your desktop.
As the Outlook client is configured in the domain user's profile, you have to log in using his credentials. Yes, I agree that using a user's credentials is not suitable or accepted in organizations, but to get the user's problem solved we can get the approvals, right?

I am going to assume that the "Allow users to connect remotely to this computer" option is enabled; it can be found under the "Remote" tab of "My Computer" properties. If it is not enabled, you can set a GPO to achieve this.
All your computer accounts are in a separate OU, not the default "Computers" container.

You launch RDC and connect to the remote desktop using its IP address or host name; when you try to log in using the user's credentials an error pops up saying "The local policy of this system does not permit you to log on interactively".

Let's start in AD and create a GPO named "Interactive logon policy", linked to the OU that contains all our computer accounts.

Once created, edit the policy by right-clicking it and selecting "Edit…".

Now browse in the left pane to Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment.
Double-click "Allow log on through Terminal Services" to modify it, tick "Define these policy settings", click "Add User or Group", enter Domainname\Domain Users and click OK.

Why did we use the "Domain Users" group? Any user we create in AD is by default a member of Domain Users, and we want this policy to apply to all users, as we cannot know in advance which user will have the problem.

OK, now the GPO is created; restart the client system for the policy to be applied.
Now when you try to log in again using RDC, you get another error: "You do not have access to logon to this session".

Now what?
This is because the user is not a member of the "Remote Desktop Users" group on the client desktop.
So once again let's use the GPO to add the "Domain Users" group to the "Remote Desktop Users" group on all desktops on the network.

Edit the GPO we created in the previous step; in the left pane browse to Computer Configuration – Windows Settings – Security Settings – Restricted Groups.
Right-click "Restricted Groups" and select "Add Group…".

Enter "Domain-name\Domain Users", as we want to configure this policy for all users, and click OK.

In the configuration window, under the "This group is a member of" section, add "Remote Desktop Users".

This adds the Domain Users group to the Remote Desktop Users group. Once the policy is applied to the computer, if you log on to the user's desktop with administrator credentials and check the Remote Desktop Users group, you will see Domain Users listed as a member.

Logging on with the user's credentials will now succeed.
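A check for both settings the GPO above configures, run on a client after the policy has applied: whether Domain Users holds the "Allow log on through Terminal Services" right (SeRemoteInteractiveLogonRight) and whether it is a member of the local Remote Desktop Users group. This is an added example, not code from the original post; it assumes it runs elevated on the domain-joined client and that the group added in the GPO is passed as $DomainGroup.

```powershell
# Added example: verify the two GPO results on a client (run elevated).
param([string]$DomainGroup = "$env:USERDOMAIN\Domain Users")

function Get-UserRightAssignment([string]$Right) {
    # secedit exports the effective user rights as an INF; the value is a comma-separated
    # list of SIDs (prefixed with *) and/or account names.
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if (-not $v.StartsWith('*')) { return $v }
        try {
            # translate the SID to DOMAIN\Name so it can be compared with $DomainGroup
            $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $v }   # unresolvable SID: keep it as-is
    }
}

function Get-RemoteDesktopUsersMembers {
    # "net localgroup" prints a header, a dashed separator, the members, and a footer;
    # keep only the member lines.
    net localgroup "Remote Desktop Users" |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members$|-{5,}|The command)' } |
        ForEach-Object { $_.Trim() }
}

function Test-RdpLogonGranted([string]$Group) {
    $rights  = Get-UserRightAssignment 'SeRemoteInteractiveLogonRight'
    $members = Get-RemoteDesktopUsersMembers
    [pscustomobject]@{
        Group                 = $Group
        HasTerminalLogonRight = ($rights  -contains $Group)   # first error in the post
        InRemoteDesktopUsers  = ($members -contains $Group)   # second error in the post
    }
}

Test-RdpLogonGranted -Group $DomainGroup
```

If either column is False, run gpresult /r on the client to confirm the GPO is actually being applied to that computer object's OU.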