SOLVED: Domain Joined Windows 10 Locking Out User Account Regularly

These days we are running an internal Windows 10 pilot. Some users (including me) had a strange issue with their user credentials.

Environment:
Windows 10 x64 PCs joined to a Windows 2012 functional level domain, with Windows Server 2012 R2 DCs.

The PCs are domain joined, one having been part of the Windows Insider program for some time, and another an in-place upgrade from Windows 8.1 Enterprise. These PCs are running Windows 10 Enterprise.

Scenario 1:
After a period of activity when a user returns to their PC and unlocks it, a short time later (a few minutes) the user is prompted with “Windows needs your current credentials”. After locking the PC, occasionally the PC will show that the account is locked out. Further, if the “Windows needs your current credentials” prompt is ignored, the account will often lock out a short time later.

Scenario 2:
Further, sometimes the prompt for “Windows needs your current credentials” is not received and the account locks out. Using AD Users and Computers and looking at the object modified time, it is possible to track down the DC which locked out the account and the reason why: Kerberos pre-authentication failed.

Workaround:
I changed the pre-authentication setting in my domain account properties as shown below:

I ticked this option for the user account and it hasn’t locked out since.

I haven’t noticed any negative effects, but as it’s not the default I don’t consider it a solution. Microsoft has communicated this as a known issue and they are working on it.

Just because of how Kerberos works, I have had two problems after the lifetime of my Kerberos ticket:

  • I didn’t have access to the network shares.
  • I couldn’t log in to my Skype for Business client.

In those cases I had to log off from my computer. Then during the new login process I got a new ticket from the KDC and Ákos is happy again. 🙂

Solution:
This issue is solved by the following Cumulative Update for Windows 10:
https://support.microsoft.com/en-us/kb/3097617

After installing this patch, the C:\Windows\System32\kerberos.dll file is updated to version 10.0.10240.16542 and has the following date and time stamps:

Created: 21 October, 2015, 14:42:45 (about the time I installed the patch)
Modified: 25 September, 2015, 05:02:37 (probably when Microsoft recompiled the DLL)

This is according to the file listing available here: http://download.microsoft.com/download/2/8/3/2833b1c3-a700-4c02-90a9-fe4206c21828/3097617.csv

Don’t forget to reactivate the Kerberos pre-authentication option on your Active Directory account. 🙂
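One way to check both points from the solution, as an added example that is not part of the original post: it compares the local kerberos.dll against the version quoted above and lists the accounts that still carry the workaround. It assumes the ActiveDirectory module (RSAT) is installed; the function names are hypothetical.

```powershell
# Added example: confirm the fix is present, then find accounts still on the workaround.
# Assumption: $FixedVersion is the kerberos.dll version quoted in the post.
$FixedVersion = [version]'10.0.10240.16542'

function Test-KerberosDllPatched {
    param([string]$Path = "$env:SystemRoot\System32\kerberos.dll")
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text
    $actual = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                             $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path    = $Path
        Version = $actual
        Patched = ($actual -ge $FixedVersion)
    }
}

function Get-PreAuthDisabledUser {
    # Accounts where Kerberos pre-authentication is still switched off
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties whenChanged |
        Select-Object SamAccountName, Enabled, whenChanged
}

$dll = Test-KerberosDllPatched
$dll | Format-List

if ($dll.Patched) {
    Import-Module ActiveDirectory
    $users = @(Get-PreAuthDisabledUser)
    $users | Format-Table -AutoSize
    foreach ($u in $users) {
        # -WhatIf only reports the change; remove it to re-enable pre-authentication
        Set-ADAccountControl -Identity $u.SamAccountName -DoesNotRequirePreAuth $false -WhatIf
    }
} else {
    Write-Warning "kerberos.dll is older than $FixedVersion; install the update before reverting the workaround."
}
```

The DLL check only covers the machine it runs on, so revert a user's account once every PC that user signs in to reports the patched version.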
