ProxySG & Advanced Secure Gateway


 bcaaa-realm.exe causing account lockout

Joseph Pergola posted Oct 30, 2020 04:40 PM
Having an issue where bcaaa-realm is locking out an account.
We can't find where it's coming from.
Any help would be great.
Thanks
---
Log Name: Application
Source: BCAAA
Date: 10/30/2020 1:41:03 AM
Event ID: 1310
Task Category: (1)
Level: Information
Keywords: Classic
User: N/A
Computer: xxx.xxx.xx
Description:
[2868:7412] Failed NTLM Authentication for user: 'xxxx\xxxx'; status=1909:0x775:The referenced account is currently locked out and may not be logged on to.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="BCAAA" />
<EventID Qualifiers="16640">1310</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-30T08:41:03.962193500Z" />
<EventRecordID>7803887</EventRecordID>
<Channel>Application</Channel>
<Computer>xxx.xxx.xx</Computer>
<Security />
</System>
<EventData>
<Data>[2868:7412] Failed NTLM Authentication for user: 'xxx\xxx'; status=1909:0x775:The referenced account is currently locked out and may not be logged on to.
</Data>
</EventData>
</Event>
----
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/30/2020 1:00:27 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxx.xxx.xxx
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: xxx
Account Domain: xxx
Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxx
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x1a34
Caller Process Name: C:\Program Files (x86)\Blue Coat Systems\BCAAA\bcaaa-realm.exe

Network Information:
Workstation Name: xxx
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2020-10-30T20:00:27.761518900Z" />
<EventRecordID>735054056</EventRecordID>
<Correlation ActivityID="{98776250-AAA5-0001-6662-7798A5AAD601}" />
<Execution ProcessID="684" ThreadID="1416" />
<Channel>Security</Channel>
<Computer>xxx.xx.xx</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">xxx</Data>
<Data Name="SubjectDomainName">xxx</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">xxxx</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="WorkstationName">xxxx</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1a34</Data>
<Data Name="ProcessName">C:\Program Files (x86)\Blue Coat Systems\BCAAA\bcaaa-realm.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
Broadcom Employee Slava
Hello Joseph, 

Think of BCAAA as the mailman that receives the credentials provided by users' computers and passes them on to Active Directory (AD) for verification and validation.
BCAAA does not have the ability to say if the credentials are good or bad; it passes messages between the proxy and AD and from AD back to the proxy, so if AD returns an Authentication Failed response, that is what BCAAA will pass on to the proxy, and the proxy to the client, and likewise for correct credentials.

Now, looking at the data you have provided and taking a stroll on the web based on the Windows Event ID 4625 and the Event Status = 0xC0000064 that the computer received on its end: again, BCAAA simply passed back to the user the information that AD sent in response to the credentials the user provided.
I found the following page that describes in detail what this event ID means: Public Resource (not Broadcom)

Basically, what I am getting at is that the root cause of the issue here is not BCAAA but the actual user's computer, which either is not sending any user credentials when prompted for authentication by the proxy, or is providing user credentials that do not exist on this domain, or that belong to another domain, where the domain BCAAA is talking to is not in a trust relationship with the domain the PC is joined to.

Your best bet is to take a packet capture on the computer, or on the proxy filtered for the computer's IP, to see whether the computer is passing any credentials at all.
Or check the AD logs for this event, as AD is making the decision that there is something wrong with the credentials, not BCAAA.

However, you can do a BCAAA debug if needed, but I am sure you will find the root cause by investigating the computer and the AD logs.

I hope this helps.
Slava
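A way to act on the advice above (check the Security log rather than BCAAA): this added example, not Broadcom's or the poster's code, parses 4625 records in the Event XML layout shown in the thread, keeps only those whose caller process is bcaaa-realm.exe, and groups them by target user and NTLM workstation name, which points at the client PC sending the bad credentials. The sample records and host names are constructed placeholders; the 0xC0000234 lockout code is a well-known NTSTATUS value not taken from the post.

```python
"""Group exported Security-log 4625 records relayed by bcaaa-realm.exe by user and workstation."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BCAAA_EXE = r"C:\Program Files (x86)\Blue Coat Systems\BCAAA\bcaaa-realm.exe"

# NTSTATUS SubStatus values: the two from the post, plus the well-known lockout code.
STATUS = {"0xc000006d": "STATUS_LOGON_FAILURE",
          "0xc000006a": "STATUS_WRONG_PASSWORD",   # each one counts toward the lockout threshold
          "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 record as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    # Values can carry stray whitespace, e.g. "Advapi " or TargetDomainName split over two lines.
    return {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}

def bcaaa_failures(records):
    """Keep only 4625 events whose caller process is bcaaa-realm.exe (auth relayed by BCAAA)."""
    evs = (parse_4625(r) for r in records)
    return [e for e in evs if e and e.get("ProcessName", "").lower().endswith("bcaaa-realm.exe")]

def summarize(events):
    """Count failures per (user, NTLM workstation name) and per decoded SubStatus.
    The workstation with the most failures is the client PC to investigate."""
    by_source = Counter((e["TargetUserName"].lower(), e["WorkstationName"]) for e in events)
    by_status = Counter(STATUS.get(e["SubStatus"].lower(), e["SubStatus"]) for e in events)
    return by_source, by_status

# Constructed minimal records in the post's XML layout (placeholder names, only the fields used).
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{eid}</EventID><TimeCreated SystemTime="2020-10-30T20:00:27Z" /></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">
</Data><Data Name="SubStatus">{sub}</Data><Data Name="WorkstationName">{ws}</Data>
<Data Name="ProcessName">{proc}</Data></EventData></Event>"""

def make_record(user, ws, sub, proc=BCAAA_EXE, eid=4625):
    return TEMPLATE.format(eid=eid, user=user, ws=ws, sub=sub, proc=proc)

SAMPLE = [
    make_record("jdoe", "PC-017", "0xc000006a"),
    make_record("jdoe", "PC-017", "0xc000006a"),
    make_record("jdoe", "PC-017", "0xc0000234"),
    make_record("asmith", "PC-042", "0xc000006a"),
    make_record("jdoe", "SRV-01", "0xc000006a", proc=r"C:\Windows\System32\lsass.exe"),  # not via BCAAA
]
```

Feed it the records exported from the domain controller's Security log (one Event XML string each); `summarize(bcaaa_failures(records))` then shows which workstation keeps submitting the bad password for the locked account.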