5 Replies Latest reply on Nov 30, 2016 4:59 AM by Frank Wils

    what causes cba_anonymous domain account to lock?

    Apprentice

      LDMS 9.6 SP3. Windows 2012 R2 domain, Windows 7 Pro desktops.  After upgrading to SP3, we began experiencing issues with the common base agent not being loaded.

       

      There is a local cba_anonymous account on each workstation.  We had to remove it from the local Guests group on each domain desktop computer in order to get the common base agent to load on the desktops.  On some of the member servers, we were having the same issue, and corrected it the same way.  However, on the domain controllers, there are no local users; only domain users.  There is a domain cba_anonymous account.  It is a member of the domain users group.  I noticed that the account was locked out, as if it was trying to authenticate with the wrong password.  I unlocked it, and for a few minutes I noticed the common base agent was loading again on the servers like it should.  So I thought we had everything working again... but then the cba_anonymous account became locked again.  Something is causing it to lock - I checked the event logs but it was not much help.  Does anyone have any ideas as to what is causing it to lock out?

       

      Many thanks,

      Sam S.

        • 1. Re: what causes cba_anonymous domain account to lock?
          Apprentice

I thought maybe I had found something.  We have 4 read-only domain controllers, and each of these RODCs was experiencing the issue with the common base agent not loading.  So I thought maybe I needed to add the cba_anonymous domain account to the allowed RODC Password Replication Group, and then cache the password of the cba_anonymous domain account to each RODC.  I did this, but unfortunately that did not fix the problem.  I can get the common base agent to load on 2 of the 7 domain controllers, and each of these 2 DCs is a writeable domain controller.  The 4 RODCs and one writeable DC are still not loading the common base agent.  I thought I might have found the issue, but it appears I am still in the dark.

          • 2. Re: what causes cba_anonymous domain account to lock?
            phoffmann SupportEmployee

            So - regular event logs aren't going to help you - you need to enable the auditing of authentication logs (on the DC) to see what's going on. That'll at least give you some indication as to what's going on.

             

CBA_ANONYMOUS is a bit of an interesting affair on a DC, due to DCs not having this concept of a "local user" (heaven knows why, I never got how that's a good design decision, but ... oh well). Could fall afoul of various password policies potentially - or just "run out" password-wise.

             

            IF POSSIBLE ... try unlocking the CBA account on a DC & rebooting it (which should change the CBA password) ... could be a case that the password simply runs out / ages off (usually 90 days)? Technically, re-starting CBA should do the same thing (I believe, I'm still not quite awake yet) so that may be the "softer" option if a reboot isn't going to happen.

             

But yeah - Event Logs won't help you -- you need to enable the NT authentication audit logs (not hard to do, they just get VERY spammy) on a DC. Unfortunately that's the only place where all that stuff happens & gets logged...

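As an added example (not from the thread, and not LANDESK/Ivanti code), here is the auditing and lockout-source query that reply 2 is pointing at, done from a writable DC. It assumes the ActiveDirectory PowerShell module is available, the session runs as a domain admin, and that the account name is the thread's `cba_anonymous`; the event IDs and audit subcategory names are the standard Windows ones. Lockouts are always processed by the PDC emulator, so event 4740 is read from there; the per-attempt failures (4776 for NTLM, 4771 for Kerberos pre-auth) are read from every DC, because an RODC or a non-PDC writable DC may have taken the request.

```powershell
# Added example, not from the original thread. Run on a writable DC as a domain admin.
Import-Module ActiveDirectory
$Account = 'cba_anonymous'   # account name from the thread

# 1. Enable the audit subcategories that record lockouts and failed credential
#    validation (the "NT authentication audit logs" from reply 2). Failure-only
#    where possible, to keep the Security log from filling with success noise.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable

# 2. The PDC emulator is the DC that actually locks the account, so query it
#    for event 4740 ("A user account was locked out"). In 4740, Properties[0]
#    is the locked account and Properties[1] is the Caller Computer Name, i.e.
#    the host that submitted the failing credentials.
$Pdc = (Get-ADDomain).PDCEmulator
Write-Host "Lockout events for $Account on PDC emulator $Pdc"
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    Select-Object TimeCreated,
        @{ n = 'LockedAccount';  e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

# 3. The individual bad-password attempts that preceded the lockout are logged
#    on whichever DC received the request: 4776 (NTLM credential validation
#    failed) or 4771 (Kerberos pre-authentication failed). Check all DCs, RODCs
#    included, and keep only the first line of the message as a summary.
foreach ($Dc in (Get-ADDomainController -Filter *).HostName) {
    Write-Host "Failed attempts for $Account on $Dc"
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4771 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Account } |
        Select-Object TimeCreated, Id, MachineName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
        Format-Table -AutoSize
}

# 4. Current lockout state of the account, and the domain policy that governs
#    it (threshold, observation window, and the password age reply 2 mentions).
Get-ADUser $Account -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt, PasswordLastSet |
    Select-Object SamAccountName, LockedOut, BadPwdCount, LastBadPasswordAttempt, PasswordLastSet
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration, MaxPasswordAge
```

If the CallerComputer column of the 4740 events keeps naming one of the other DCs, that matches the support rep's description later in this thread (each DC's agent holding a different copy of the shared account's password); if it names a workstation or a non-DC server, the stale credential is on that host instead. Note that `auditpol` on a DC is overridden by any Default Domain Controllers Policy GPO that sets the same subcategories, so set them there if the GPO is in use.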
            • 3. Re: what causes cba_anonymous domain account to lock?
              Apprentice

              Thanks very much, these are excellent suggestions. 

               

              I opened a support incident yesterday, and the rep told me this, (below),

              but I will try your suggestions as well.

              "Every time the account is created, a randomly generated password is created for
              that user. In cases where the agent is installed on domain controllers, the
              most recent install of the agent will cause the password to be changed, locking
              out other agents on other DCs. This is part of the known defect we have on our
              side."

              "In the meantime, we have a workaround that works for everything except remote
              control. The workaround is settings tasks to be policy instead of push. When
              security scan and inventory scan run at their scheduled times, they'll see
              tasks made available as a policy and pull it to the machine and run the task.
              Pulls like this bypass the CBA user entirely and should work."

               

               

              • 4. Re: what causes cba_anonymous domain account to lock?
                phoffmann SupportEmployee

                OK - nice to see that there's a known issue. That should make that somewhat more handleable (and useful to know).

                 

Thanks for sharing the info.

                • 5. Re: what causes cba_anonymous domain account to lock?
                  Frank Wils ITSMMVPGroup

                  Hi,

                   

                  Do you have a case reference number?

                   

                  Thanks!

                  Frank