https://community.netapp.com/t5/General-Discussion/High-volume-of-failed-logins-0xC000006A-toward-Domain-Controllers/m-p/467083#M1678 <P>Hi everyone,</P><P>we are experiencing an unusual behavior in our environment and would like to understand if anyone has encountered a similar situation or can suggest possible mitigations.</P><P>Through our SIEM, we are receiving a large number (hundreds/thousands) of failed login notifications against our Domain Controllers, with error code<SPAN>&nbsp;</SPAN><STRONG>0xC000006A</STRONG><SPAN>&nbsp;</SPAN>(bad password).<BR />These attempts appear to originate from our NetApp servers and are related to user access to network shares.</P><P>&nbsp;</P><P>Questions:</P><UL><LI><P>Have you ever experienced similar behavior in NetApp/ Active Directory environments?</P></LI><LI><P>Are there any configurations or mechanisms to prevent these authentication loops (e.g., credential cache handling, session timeouts, specific GPOs)?</P></LI><LI><P>Are there best practices or tools to quickly identify the exact source of these requests?</P></LI><LI><P>Have you implemented effective mitigation strategies to reduce SIEM noise without losing relevant events?</P></LI></UL><P>Any suggestions or shared experiences would be greatly appreciated.</P><P>Thank you!</P> Thu, 07 May 2026 07:18:58 GMT lozivi 2026-05-07T07:18:58Z https://community.netapp.com/t5/General-Discussion/High-volume-of-failed-logins-0xC000006A-toward-Domain-Controllers/m-p/467083#M1678 <P>Hi everyone,</P><P>we are experiencing an unusual behavior in our environment and would like to understand if anyone has encountered a similar situation or can suggest possible mitigations.</P><P>Through our SIEM, we are receiving a large number (hundreds/thousands) of failed login notifications against our Domain Controllers, with error code<SPAN>&nbsp;</SPAN><STRONG>0xC000006A</STRONG><SPAN>&nbsp;</SPAN>(bad password).<BR />These attempts appear to originate from our NetApp servers and are related to user access to network shares.</P><P>&nbsp;</P><P>Questions:</P><UL><LI><P>Have you ever experienced similar behavior in NetApp/ Active Directory environments?</P></LI><LI><P>Are there any configurations or mechanisms to prevent these authentication loops (e.g., credential cache handling, session timeouts, specific GPOs)?</P></LI><LI><P>Are there best practices or tools to quickly identify the exact source of these requests?</P></LI><LI><P>Have you implemented effective mitigation strategies to reduce SIEM noise without losing relevant events?</P></LI></UL><P>Any suggestions or shared experiences would be greatly appreciated.</P><P>Thank you!</P> Thu, 07 May 2026 07:18:58 GMT https://community.netapp.com/t5/General-Discussion/High-volume-of-failed-logins-0xC000006A-toward-Domain-Controllers/m-p/467083#M1678 lozivi 2026-05-07T07:18:58Z https://community.netapp.com/t5/General-Discussion/High-volume-of-failed-logins-0xC000006A-toward-Domain-Controllers/m-p/467100#M1679 <P>Hi,</P><P>&nbsp;</P><P>Sound like the probable cause is "<EM>a&nbsp;bad password (possibly correct when initially stored, but rendered invalid by a subsequent password change) is being presented during an NTLM authentication attempt from the CIFS client</EM>". You would need to run a secd trace in diag mode on the ONTAP cluster to determine the CIFS client.</P><P>&nbsp;</P><P><A href="https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/DC_denies_log_on_for_a_user_due_to_bad_password_with_ONTAP_CIFS_as_client" target="_blank">DC denies logon for a user due to bad password, with ONTAP CIFS as client - NetApp Knowledge Base</A></P><P>&nbsp;</P><P>I would try to identify the CIFS client/clients causing the issue first to determine if there's a method to mitigate the issue re-occurring in your environment</P><P>&nbsp;</P><P>/Matt</P> Sun, 10 May 2026 23:56:44 GMT https://community.netapp.com/t5/General-Discussion/High-volume-of-failed-logins-0xC000006A-toward-Domain-Controllers/m-p/467100#M1679 mbeattie 2026-05-10T23:56:44Z