Outlook 2019 will cause Domain Controller to have 4776 / 4771 login failures

Topic

New Reply

Hello.  On some machines, about half of 7 in place, with Win10 1809 installed on Server 2016 domain accessing on-site Exchange 2016, a user will create every couple of seconds (sometimes with gaps) on the Server 2016 DC 4776 and 4771 login failures involving error code 0xC000006A / Failure code 0x18 – Type 2 whenever Outlook 2019 is active on the client (we are strictly on-site setup, with no MS365 services enabled).

What I’ve discovered so far:

• Client Machines were installed about a month ago, on brand new Dell Latitude running Win10 1809;
• Accessing other network devices from a user / client doesn’t result in any login / authentication errors being reported;
• If a person is “susceptible” to the above (and different users come and go), starting up Outlook 2019 starts the authentication failures alerts being recorded;
• A susceptible person authentication failure alerts immediately stop once they’re done for the day;
• Appears to be triggered after a regular password reset, though not consistent;
• The susceptible person isn’t aware there is an issue, and is able to work without any interruptions;
• There are no Event log entries recorded on the Win10 client;
• On one Outlook setup with multiple mailboxes, something happens that results in the person being locked out, but so this behaviour is only observed with the one person;
• Using Netwrix Lockout tool hasn’t given me any additional insight as to what could be causing the above.
• On Win10 1803, we do see the following behaviour with Outlook 2019 that has been in place since January 2019:

On occasion a Microsoft window will pop up that originates from Microsoft.AAD.BrokerPlugin.exe that asks for a login name / pasword;

• Trying to enter correct credentials results in an incorrect password message (regardless of the account type);
• Closing this window, then clicking on Outlook’s “Need Password” prompt at the bottom right border, results in Outlook connecting to the Exchange server;
• On the one person running Win10 1809 with occasionally being locked out, they’re prompted with the “Need Password” a couple of times per day (possibly when they dock / undock their workstation);
• Both the Win 10 1803 and Win 10 1809 examples, each user has access to multiple mailboxes (about 4).
• I’m aware about the “Outlook bypasses AutoDiscover” registry fix, which I’ve not tried yet, as I’m not sure if this is the same issue as what I’m describing above.

Any assistance would be appreciated in further diagnosing or getting the root cause of the issue.

Thank you,

IT Manager Geek

1 user thanked author for this post.

woody

Reply | Quote

Replies

Can you check your Exchange 2016 Server log for event 4625’s on the same (within a few seconds) timelines as the above AD security log events?

If you are getting them as well, then you may need to: (one at a time to see if fixed)

1) Make certain the clocks on the AD server, Exchange Server and workstations are synced to the correct time.

2) Check the Exchange self-generated local and public installed certificates for proper binding and expiration.

3) On the workstation, delete the stored Windows Credential in Credential Manager for Outlook 2019 – it will recreate itself the next time that user opens Outlook – which may prompt for their email address and password.

4) Reset the machine account for the workstation in AD.

 

 

~ Group "Weekend" ~

1 user thanked author for this post.

woody

Reply | Quote

NetDef, appreciate your feedback.  Here are the replies based on the same order / number:

Exchange server reports no login failures (hasn’t for many months / once we completed the setup);

1. Yes all clocks are in sync (did have a scenario where they weren’t but that was over a year ago, and no problems since);
2. Sorry, how would I go about checking the Exchange self-generated local & public certificates, as I’m not seeing any Event errors in regards to this (I go through the logs every couple of days);
3. Yes I’m going to try that tomorrow, had someone else suggest that after I posted it out into the Microsoft support community (though I’ve never encountered that issue in my 2 decades supporting Outlook, is this a new phenomena?);
4. I’ll leave that as a last resort, though I’m not sure how that has any particular bearing on this scenario.

Take care and thanks,

IT Manager Geek

Reply | Quote

For 2) Do “Get-ExchangeCertificate”

Per:   https://docs.microsoft.com/en-us/exchange/architecture/client-access/renew-certificates?view=exchserver-2019

 

4) Kerboros issues a token based on both the authenticated user and their machine account. If either are out of sync odd behavior ensues.

Personally, I’m leaning towards #3 . . .

~ Group "Weekend" ~

Reply | Quote

NetDef wrote:

Personally, I’m leaning towards #3 . . .

That would fit the pattern we’re occasionally seeing with cloud clients as well, Office applications having their stored credentials getting out of sync with the server side and having to manually clear the credential cache.

Reply | Quote