Strange authentication behaviour on disabled account

  • Last Post 29 March 2016
n3ilb3 posted this 11 March 2016

Hi All,

Here's my scenario: I've a multi-domain forest. User account app1 exists in mycompany.local; another user account also named app1 exists in child1.mycompany.local and is disabled. Both accounts have the same password.

Application server Server1 exists in mycompany.local. The application running on this server is using the account child1\app1 and was working fine. Then child1\app1 was deleted, at which point the application broke.

What I'm struggling to understand here is why the account was usable while it was in the disabled state.

Looking in the netlogon logs of the domain controllers in mycompany.local I can see the following...

[LOGON] SamLogon: Network lgon of child1\app1 from dc1 Entered

[CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000072)

[LOGON] SamLogon: Network lgon of child1\app1 from dc1 Returns 0x0.

To me that suggests that the mycompany.local DC receives the logon request, sends it to a child1 DC, gets a response back saying the account is disabled, but then allows the logon because its local account with the same username and password is fine.

I'm struggling to come up with a Google search to describe the issue, so I've not found an explanation for the behaviour so far.

Has anyone ever come across this before?
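The three netlogon lines above show the pattern worth hunting for on a forest-root DC: a SamLogon request is "Entered", an RPC debug line mentions status 0xC0000072 (STATUS_ACCOUNT_DISABLED) while the request is in flight, and the same request then "Returns 0x0" (success). The following is an added example, not code from the original post or from Microsoft: a small Python parser that walks a netlogon.log and reports logons that succeeded despite an account-disabled status being raised mid-request. It assumes the EEInfo line belongs to the most recently opened attempt (netlogon.log interleaves threads, so treat hits as leads to confirm against the child domain's security log), and the sample lines are constructed from the post (real logs spell "logon"; the regex accepts both spellings).

```python
import re

# NTSTATUS value named in the EEInfo line of the post: STATUS_ACCOUNT_DISABLED
STATUS_ACCOUNT_DISABLED = 0xC0000072

# "lo?gon" accepts both the real spelling ("logon") and the "lgon" seen in the post.
ENTERED_RE = re.compile(
    r"\[LOGON\] SamLogon: (?P<kind>\w+) lo?gon of (?P<acct>\S+) from (?P<src>\S+) Entered"
)
RETURNS_RE = re.compile(
    r"\[LOGON\] SamLogon: (?P<kind>\w+) lo?gon of (?P<acct>\S+) from (?P<src>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)"
)
EEINFO_RE = re.compile(
    r"\[CRITICAL\] NlPrintRpcDebug: .*\(may be legitimate for (?P<status>0x[0-9A-Fa-f]+)\)"
)


def find_masked_disabled_logons(lines):
    """Return [(account, source, [intermediate NTSTATUS values])] for every
    SamLogon attempt that reported STATUS_ACCOUNT_DISABLED while in flight
    but whose final result was 0x0 (success)."""
    open_attempts = []  # attempts seen "Entered" but not yet "Returns"
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTERED_RE.search(line)
        if m:
            open_attempts.append(
                {"acct": m["acct"].lower(), "src": m["src"].lower(), "statuses": []}
            )
            continue
        m = EEINFO_RE.search(line)
        if m and open_attempts:
            # Assumption: the EEInfo line belongs to the most recent open attempt.
            open_attempts[-1]["statuses"].append(int(m["status"], 16))
            continue
        m = RETURNS_RE.search(line)
        if m:
            key = (m["acct"].lower(), m["src"].lower())
            final = int(m["status"], 16)
            # Close the most recent open attempt for this account/source pair.
            for i in range(len(open_attempts) - 1, -1, -1):
                attempt = open_attempts[i]
                if (attempt["acct"], attempt["src"]) == key:
                    open_attempts.pop(i)
                    if final == 0 and STATUS_ACCOUNT_DISABLED in attempt["statuses"]:
                        findings.append((attempt["acct"], attempt["src"], attempt["statuses"]))
                    break
    return findings


# Constructed sample: the three lines from the post, a normal successful logon,
# and a disabled account that is correctly rejected (no finding expected for it).
SAMPLE_LOG = r"""
[LOGON] SamLogon: Network logon of child1\app1 from dc1 Entered
[CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000072)
[LOGON] SamLogon: Network logon of child1\app1 from dc1 Returns 0x0.
[LOGON] SamLogon: Network logon of mycompany\jdoe from srv2 Entered
[LOGON] SamLogon: Network logon of mycompany\jdoe from srv2 Returns 0x0.
[LOGON] SamLogon: Network logon of child1\svc2 from dc1 Entered
[CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000072)
[LOGON] SamLogon: Network logon of child1\svc2 from dc1 Returns 0xC0000072.
""".strip().splitlines()


if __name__ == "__main__":
    for acct, src, statuses in find_masked_disabled_logons(SAMPLE_LOG):
        codes = ", ".join(f"0x{s:08X}" for s in statuses)
        print(f"{acct} from {src}: succeeded after intermediate status {codes}")
```

Run it against a real netlogon.log with `find_masked_disabled_logons(open(path, errors="replace"))`; each hit names an account whose disabled state in one domain did not stop a successful logon in another, which is exactly the situation the post describes and the one to reconcile with the child domain's security log.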

kbatlive posted this 29 March 2016

Well… just a guess… could it be trying Kerberos first, which fails (forced over to the domain where the account is disabled), then falls back to lanman (second attempt), which would locate the account in the current forest and validate it since the account/password works?