Windows Discovery: Credential Lockouts Caused by Matching MID Server Service Account and Target Windows Local Account Usernames

Issue

Local User Accounts on target Windows Servers are observed to lock out during Discovery.

Symptoms

If the local user account is used as the Service Account for a MID Server, this may cause the MID Server to fail to restart after an upgrade or restart process. If the local user account is used for discovery credentials, this will prevent successful discovery.
The following event IDs appear in the Event Viewer on the target Windows host for the local user account:

4625 – Failed logon
4740 – Account locked out

Release

This is an environmental issue and therefore can happen for any version using a Windows MID Server for Discovery.

Cause

This issue occurs when the MID Server Service Account is a local user and matches the name of a local user on a target Windows Server.

During Windows Discovery, the MID Server launches a basic PowerShell session on the MID Server host in the context of its own service account.
From here, it loads the various modules required to complete Discovery, then begins to iterate through the credentials to find one that succeeds. For every credential attempted, a session is defined to the target server, passing the credentials as a secure object.

Due to Windows PowerShell behaviour, despite providing credentials there is always an attempt to connect first with "Pass Through" authentication, i.e., using the "service account" of the MID Server. As it is a local user, this is passed with the username format of:

<midlocalhost>\<username>
e.g., midTestHost1\localMIDUser

Naturally, this is likely to fail, and it proceeds to use the real credentials defined. This is Windows PowerShell behaviour and cannot be prevented: Microsoft Documentation for this behaviour

If the username portion of this matches a local user on the target server, even if the domain does not, it may count as a "Failed Logon" for that local user, and eventually trigger account lockout.

This can be confirmed by reading the details of the EventID 4625. In EventID 4625, there is a "Status" and "SubStatus", which tell us how the logon was processed and the reason for denying logon: Microsoft Documentation for EventID 4625

Failure Information\Status or Failure Information\Sub Status 0xC0000064 – "User logon with misspelled or bad user account". Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.

Failure Information\Status or Failure Information\Sub Status 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts. Especially watch for a number of such events in a row.

If the Status / Sub Status shows "Bad Password", rather than "misspelled or bad user account", then it must inherently mean that the logon attempt matched the local user principal but was denied due to an incorrect password. This counts towards the failed logon attempt counter and eventually locks the target user.
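
An added example (not part of the original article) of the EventID 4625 check described above: run on the target host, it lists failed logons for the locked-out account and flags those with Sub Status 0xC000006A whose supplied domain is not the local computer name, which is the pattern the pass-through attempt produces. `localMIDUser` is the article's example username, and the 24-hour window is an assumption.

```powershell
# Added example: run in an elevated session on the target Windows host.
$LockedUser = 'localMIDUser'            # article's example name; replace with the affected account
$Since      = (Get-Date).AddDays(-1)    # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Event 4625 carries its fields as named <Data> elements in the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $LockedUser) { continue }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        User           = $data['TargetUserName']
        SuppliedDomain = $data['TargetDomainName']   # e.g. midTestHost1 for a pass-through attempt
        Status         = $data['Status']
        SubStatus      = $data['SubStatus']
        LogonType      = $data['LogonType']
        Workstation    = $data['WorkstationName']
        SourceIp       = $data['IpAddress']
        # Bad password (0xC000006A) with a domain that is not this host:
        # the username matched a local principal here, so the attempt counts
        # towards the lockout threshold.
        NameCollision  = ($data['SubStatus'] -eq '0xc000006a' -and
                          $data['TargetDomainName'] -ne $env:COMPUTERNAME)
    }
}

# Summarise which remote hosts are generating the colliding attempts.
$failures | Where-Object NameCollision |
    Group-Object SuppliedDomain, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A supplied domain in the output that is the hostname of a MID Server identifies the service account whose name collides with the local user.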
If the target user is used for Discovery credentials, a successful logon may reset the failed logon counter and make this a rare occurrence. However, if the target user is never used for Discovery (for example, if two MIDs share the same username for local user accounts, and discover each other using different credentials), then the failed logon counter is never reset and this can become a common occurrence.

Resolution

Avoid reusing the same username for local user MID Server service accounts.