Username failed to authenticate with clear text credentials using LDAP simple binds

%3CLINGO-SUB%20id%3D%22lingo-sub-1966004%22%20slang%3D%22en-US%22%3EUsername%20failed%20to%20authenticate%20with%20clear%20text%20credentials%20using%20LDAP%20simple%20binds%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1966004%22%20slang%3D%22en-US%22%3E%3CP%3EATA%20event%20shows%20that%20%25Username%25%20failed%20to%20authenticate%20with%20clear%20text%20credentials%20using%20LDAP%20simple%20binds%20on%20server%20servername.%20But%2C%20on%20the%20server%20I%20couldn't%20any%20process%2C%20service%2C%20task%20with%20%25username%25%20credentials.%20How%20to%20find%20what%20is%20causing%20event%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThnx%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1966062%22%20slang%3D%22en-US%22%3ERe%3A%20Username%20failed%20to%20authenticate%20with%20clear%20text%20credentials%20using%20LDAP%20simple%20binds%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1966062%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F894461%22%20target%3D%22_blank%22%3E%40Toza62%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEvents%20are%20repeating%20each%201h%202%20min.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1966428%22%20slang%3D%22en-US%22%3ERe%3A%20Username%20failed%20to%20authenticate%20with%20clear%20text%20credentials%20using%20LDAP%20simple%20binds%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1966428%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F894461%22%20target%3D%22_blank%22%3E%40Toza62%3C%2FA%3E%26nbsp%3BThe%20process%20tha%20tis%20doing%20so%20is%20probably%20not%20running%20locally%20on%20the%20DC%2C%20it's%20most%20likely%20on%20the%20source%20computer%2C%20was%20that%20the%20%22Servername%22%20you%20mentioned%3F%3C%2FP%3E%0A%3CP%3Emake%20sure%20we%20resolved%20it%20correctly%2C%20export%20the%20alert%20to%20excel%20and%20verify%20that%20we%20matched%20the%20IP%20to%20the%20correct%20machine%20name%2C%20to%20make%20sure%20you%20are%20looking%20on%20the%20correct%20machine.%3C%2FP%3E%0A%3CP%3EIf%20yes%2C%20try%20running%20netmon%26nbsp%3B%203.4%20on%20the%20machien%20to%20locate%20the%20process%20which%20invokes%20the%20LDAP%20failures.%3C%2FP%3E%0A%3CP%3Eif%20it%20happens%20that%20rapidly%20you%20might%20be%20able%20to%20spot%20if%20with%20a%20few%20minutes%20of%20capturing...%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

ATA event shows that %Username% failed to authenticate with clear text credentials using LDAP simple binds on server servername. But, on the server I couldn't any process, service, task with %username% credentials. How to find what is causing event?

 

Thnx in advance.

3 Replies

@Toza62 

Events are repeating each 1h 2 min. 

@Toza62 The process tha tis doing so is probably not running locally on the DC, it's most likely on the source computer, was that the "Servername" you mentioned?

make sure we resolved it correctly, export the alert to excel and verify that we matched the IP to the correct machine name, to make sure you are looking on the correct machine.

If yes, try running netmon  3.4 on the machien to locate the process which invokes the LDAP failures.

if it happens that rapidly you might be able to spot if with a few minutes of capturing...

Yes, exactly. I have source IP address, I checked servers logs (especially security logs ), tasks, services.. etc., but I cannot find nothing with %username% credentials. I will try with netmon 3.4.

Thank you for help.