Microsoft_authentication_package_v1_0



Microsoft provides the MSV1_0 authentication package for local machine logons that do not require custom authentication. The Local Security Authority (LSA) calls the MSV1_0 authentication package to process logon data collected by the GINA for the Winlogon logon process.

Authentication Package: Always 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated

Windows authentication packages provide authentication services by implementing package-specific functionality for the LsaLogonUser and LsaCallAuthenticationPackage functions provided by the LSA.

MSV1_0 is an example of a Windows authentication package. The MSV1_0 package accepts a user name and a hashed password, which it looks up in the Security Accounts Manager (SAM) database. Depending on the results of the lookup, the MSV1_0 authentication package accepts or rejects the authentication attempt.

For a list of the support functions the LSA provides for use by Windows authentication packages that require system services, see LSA Functions Called by Authentication Packages.

Windows authentication packages must implement a set of functions that are called by the LSA. For the complete list of functions, see Functions Implemented by Authentication Packages.

Today, I had the lovely experience of trying to troubleshoot why a user's account was locking out of the domain every 30 seconds. Inside of Event Viewer, I could see the account failing to log in, but I had the most generic, useless log to help track down what was going on.

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: username
Source Workstation:
Error Code: 0xc000006a

Scrolling through my logs, the only other thing I saw was the error code switching from 0xc000006a to 0xc0000234. Even though this is beyond the scope of this document, here is what those codes mean:

0xc000006a – An invalid attempt to login has been made by the following user.

0xc0000234 – The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

Anyways, after scrolling through Event Viewer on my domain controllers, trying LockoutStatus.exe, and asking the user to power off their mobile devices, workstations, etc., in a desperate act, the error still persisted. Finally I came across the holy grail of Microsoft articles: http://support.microsoft.com/kb/109626/en-us

Solution: We had to put the domain controller in verbose logging for the netlogon service to actually find out where the logon attempt was coming from.

First, open up command prompt as an administrator and execute the following command:

nltest /dbflag:0x2080ffff

Once done, execute the following command to turn off the debugging:

nltest /dbflag:0x0

The verbose setting logs every transaction to the file %windir%\debug\netlogon.log (note: you need to run Notepad as an administrator to read this file).

Inside of there, find the logon attempt made by the user and it should list the workstation it came from. In this case, the logon attempt was coming from our NPS server, which then was coming from an old laptop he had logged into and left alone for a few months.
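
On a busy domain controller the verbose log grows quickly, so a small script helps with the search described above. The following Python is an added example, not part of the original post: it tallies failed SamLogon results by account, source workstation and relaying server. The line layout in the regular expression and the sample lines (CORP, jsmith, OLD-LAPTOP, NPS01) are assumptions constructed for illustration; compare them with your own netlogon.log before relying on the output.

```python
import re
from collections import Counter

# The two status codes named in the post.
STATUS = {0xC000006A: "invalid logon attempt", 0xC0000234: "account locked out"}

# Assumed layout of a Netlogon debug line (verify against your own log):
#   MM/DD HH:MM:SS [LOGON] [pid] DOM: SamLogon: <type> logon of DOM\user from HOST (via RELAY) Returns 0x...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r".*?SamLogon: .*?logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample lines; real input would come from %windir%\debug\netlogon.log.
SAMPLE = r"""
03/12 09:14:02 [LOGON] [3012] CORP: SamLogon: Transitive Network logon of CORP\jsmith from OLD-LAPTOP (via NPS01) Entered
03/12 09:14:02 [LOGON] [3012] CORP: SamLogon: Transitive Network logon of CORP\jsmith from OLD-LAPTOP (via NPS01) Returns 0xC000006A
03/12 09:14:32 [LOGON] [3012] CORP: SamLogon: Transitive Network logon of CORP\jsmith from OLD-LAPTOP (via NPS01) Returns 0xC000006A
03/12 09:15:02 [LOGON] [3012] CORP: SamLogon: Transitive Network logon of CORP\jsmith from OLD-LAPTOP (via NPS01) Returns 0xC0000234
03/12 09:15:10 [LOGON] [3012] CORP: SamLogon: Network logon of CORP\adavis from WS-0042 Returns 0x0
""".strip().splitlines()


def failed_logons(lines, account=None):
    """Count failed SamLogon results per (user, source, relay, status)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # "Entered" lines and other noise
        status = int(m["status"], 16)
        if status == 0:                   # 0x0 means the validation succeeded
            continue
        user = m["account"].split("\\")[-1].lower()
        if account and user != account.lower():
            continue
        # A blank source mirrors the empty "Source Workstation" field in the event.
        hits[(user, m["source"] or "(blank)", m["via"] or "-", status)] += 1
    return hits


if __name__ == "__main__":
    for (user, src, via, status), n in failed_logons(SAMPLE, "jsmith").most_common():
        label = STATUS.get(status, "other failure")
        print(f"{n:3d}  {user}  from {src}  via {via}  0x{status:08X}  {label}")
```

To run it against a real log, pass `open(path, errors="replace")` as `lines` instead of `SAMPLE`.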