How to investigate logon failures using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

 

Objective

This article explains how to use the Logon Failure analyzer in ADAudit Plus to find the root cause of user logon failures by locating resources with stale or incorrect cached credentials.

Prerequisites

  • The source machine where the logon failure is reported must be a part of the configured domain.

  • The service account used by ADAudit Plus should have domain admin rights.

  • The source machine must be on the same network as the ADAudit Plus server.

  • The "Audit Kerberos Authentication Service" policy must be enabled for "Success" and "Failure" on the domain controllers.

 

Steps to follow

Step 1: Access the Logon Failure Analyzer

  1. Navigate to the Active Directory tab > Auditing > User Logon Reports > Logon Failure report.

  2. In the report, locate the Analyzer Details column and click the Details hyperlink for a specific event.

  3. If this column is not visible, click the Add/Remove Columns option in the top-right corner and add the column to the view.

Step 2: Understand the analyzer

The Logon Failure analyzer helps identify the root cause of a logon failure by locating probable resources (such as services, mapped drives, or ActiveSync-enabled devices) where the account in question has been configured with stale credentials.

ADAudit Plus monitors the following Windows components to find the source of the failure:

  • Windows Services

  • Scheduled Tasks

  • Network Drive Mappings

  • Logon Sessions

  • COM Objects

  • Process List

  • Applications

  • OWA

  • ActiveSync

 

Step 3: Troubleshoot if the report is empty

If the Logon Failure report is empty, verify that the required audit policy is enabled on your domain controllers.

  1. On a domain controller, open Command Prompt in elevated mode.

  2. Run the command auditpol /get /category:* and, under the Account Logon category, confirm that the Kerberos Authentication Service subcategory is set to Success and Failure.

  3. If the policy is not enabled, open the Group Policy Management Console and edit the Default Domain Controllers Policy GPO.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.

  5. Double-click the Audit Kerberos Authentication Service policy, check the Define these policy settings box, and then check the Success and Failure boxes.

  6. Click Apply, then OK.

  7. Force an immediate policy update by running the command gpupdate /force in an elevated Command Prompt.
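The check in this step can be scripted so it covers every domain controller at once rather than one console at a time. The following is an added example, not part of the ADAudit Plus article or product; it assumes an elevated session with PowerShell Remoting enabled on the target DCs, and the -DomainController parameter name is the example's own.

```powershell
# Added example (not from ADAudit Plus): verify on one or more domain controllers
# that the "Kerberos Authentication Service" subcategory is audited for both
# Success and Failure, which the Logon Failure report depends on.
# Assumes an elevated session and PowerShell Remoting enabled on each DC.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME)   # assumption: local DC by default
)

$subcategory = 'Kerberos Authentication Service'

$results = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    param($name)
    # auditpol /r emits CSV; drop blank lines so ConvertFrom-Csv sees the header first
    $rows = auditpol /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Subcategory      = $row.Subcategory
            Setting          = $row.'Inclusion Setting'
            Compliant        = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
} -ArgumentList $subcategory

$results | Format-Table DomainController, Subcategory, Setting, Compliant -AutoSize

# Name the DCs that still need the GPO change from steps 3 to 7
$missing = $results | Where-Object { -not $_.Compliant }
if ($missing) {
    Write-Warning ("Enable Success and Failure auditing for '{0}' on: {1}" -f `
        $subcategory, ($missing.DomainController -join ', '))
}
```

To cover the whole domain, pass -DomainController (Get-ADDomainController -Filter *).HostName from a host with the ActiveDirectory module installed.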

 

Validation and confirmation

  • After accessing the analyzer, review the listed components to identify the source of the logon failure.

  • The analyzer details should point to a specific service, task, or session where stale credentials are being used, helping you to remedy the issue.

Tips

  • The analyzer only monitors the nine Windows components specified above; if the failure is from a different source, it may not be identified.

  • If the cause is not found, you may need to review the source machine manually. Try checking the Windows Credential Manager and rebooting the device once to clear cached logon sessions.

  • Other potential sources of cached credentials to investigate include:

    • Stale credentials for Windows Service accounts.

    • Stale credentials used to run Scheduled tasks.

    • Multiple Citrix XenApp or Remote Desktop Services sessions open when a user initiates a password change.

    • Users logged into multiple computers when initiating a password change.

    • Disconnected Citrix XenApp or Remote Desktop Services sessions that are not configured to timeout.

    • Administrative Remote Desktop Connections to Windows servers left disconnected.

    • Applications with their own credential stores that authenticate against Active Directory with stale credentials.
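When the analyzer does not name the source and the machine has to be reviewed manually, the components it inspects (services, scheduled tasks, drive mappings) plus Windows Credential Manager can be enumerated for the affected account in one pass. This is an added example, not part of the ADAudit Plus article; it assumes an elevated session on the source machine, and the account value CORP\jsmith is a constructed placeholder.

```powershell
# Added example (not from ADAudit Plus): list where a given account is configured
# on this machine, covering services, scheduled tasks, SMB drive mappings and
# Credential Manager entries. Run elevated on the source machine of the failure.
param(
    [string]$Account = 'CORP\jsmith'   # constructed placeholder: DOMAIN\user of the failing logon
)

# Match on the sAMAccountName so both DOMAIN\user and user@domain forms are found
$user    = ($Account -split '\\')[-1]
$pattern = [regex]::Escape($user)

# Windows Services: the logon account is exposed as StartName
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Type';e={'Service'}}, @{n='Name';e={$_.Name}},
                  @{n='Detail';e={$_.StartName}}

# Scheduled Tasks registered to run as the account
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Select-Object @{n='Type';e={'ScheduledTask'}}, @{n='Name';e={$_.TaskName}},
                  @{n='Detail';e={$_.TaskPath}}

# Network drive mappings of the current session (mappings are per logon session,
# so repeat this part while signed in as the affected user)
$drives = Get-SmbMapping |
    Select-Object @{n='Type';e={'DriveMapping'}}, @{n='Name';e={$_.LocalPath}},
                  @{n='Detail';e={$_.RemotePath}}

# Credential Manager entries stored for the account (cmdkey prints Target/Type/User
# lines; -Context keeps the two lines before each matching User line)
$creds = cmdkey /list | Select-String -Pattern "User:\s+.*$pattern" -Context 2,0 |
    ForEach-Object {
        [pscustomobject]@{ Type = 'CredentialManager'
                           Name = ($_.Context.PreContext[0] -replace '^\s*Target:\s*', '')
                           Detail = $_.Line.Trim() }
    }

$findings = @($services) + @($tasks) + @($drives) + @($creds)
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No services, tasks, mappings or stored credentials found for $Account" }
```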

 

Related topics and articles

  • How to view user logon and logoff times in ADAudit Plus
