
High volume of failed logins (0xC000006A) toward Domain Controllers

lozivi

Hi everyone,

We are experiencing unusual behavior in our environment and would like to understand if anyone has encountered a similar situation or can suggest possible mitigations.

Through our SIEM, we are receiving a large number (hundreds/thousands) of failed login notifications against our Domain Controllers, with error code 0xC000006A (bad password).
These attempts appear to originate from our NetApp servers and are related to user access to network shares.

 

Questions:

  • Have you ever experienced similar behavior in NetApp/Active Directory environments?

  • Are there any configurations or mechanisms to prevent these authentication loops (e.g., credential cache handling, session timeouts, specific GPOs)?

  • Are there best practices or tools to quickly identify the exact source of these requests?

  • Have you implemented effective mitigation strategies to reduce SIEM noise without losing relevant events?

Any suggestions or shared experiences would be greatly appreciated.

Thank you!


mbeattie

Hi,

 

Sounds like the probable cause is "a bad password (possibly correct when initially stored, but rendered invalid by a subsequent password change) is being presented during an NTLM authentication attempt from the CIFS client". You would need to run a secd trace in diag mode on the ONTAP cluster to determine the CIFS client.

 

DC denies logon for a user due to bad password, with ONTAP CIFS as client - NetApp Knowledge Base

 

I would try to identify the CIFS client/clients causing the issue first to determine if there's a method to mitigate the issue re-occurring in your environment.

 

/Matt

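As an added example (not part of either post and not NetApp tooling): a small Python triage over exported DC failure events that separates the pattern the reply describes, one account failing repeatedly from one source, from a source that fails for many different accounts, so only the former is treated as a noise-reduction candidate. It goes slightly beyond the thread by adding that second category. The record field names, host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

BAD_PASSWORD = "0xc000006a"  # NTSTATUS for a wrong password, as in the thread

# Constructed sample records (not real logs). Field names are assumptions
# about a normalized SIEM export of DC logon-failure events.
SAMPLE_EVENTS = (
    [{"source": "SVM-FILES01", "user": "svc_backup", "status": "0xC000006A"}] * 40
    + [{"source": "SVM-FILES02", "user": f"user{i:02d}", "status": "0xC000006A"}
       for i in range(12)]
    # 0xC0000234 (account locked out) is a different failure and is ignored here.
    + [{"source": "SVM-FILES01", "user": "jdoe", "status": "0xC0000234"}] * 3
    + [{"source": "WKS-0042", "user": "asmith", "status": "0xC000006A"}] * 2
)


def triage_bad_passwords(events, repeat_threshold=20, account_threshold=10):
    """Group bad-password failures by source and label each source.

    stale-credential: few accounts, at least one failing repeatedly (the
        pattern the reply describes: a stored password that is no longer valid).
    multi-account: many distinct accounts failing from one source; a single
        stale password does not explain it, so it should keep alerting.
    low-volume: everything else.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["status"].lower() != BAD_PASSWORD:
            continue
        per_source[ev["source"]][ev["user"]] += 1

    report = {}
    for source, users in per_source.items():
        if len(users) >= account_threshold:
            label = "multi-account"
        elif max(users.values()) >= repeat_threshold:
            label = "stale-credential"
        else:
            label = "low-volume"
        # Sort accounts by failure count so the first entry is the one to chase.
        top = sorted(users.items(), key=lambda kv: (-kv[1], kv[0]))
        report[source] = {"label": label, "accounts": len(users), "top": top[:3]}
    return report


if __name__ == "__main__":
    for source, info in sorted(triage_bad_passwords(SAMPLE_EVENTS).items()):
        print(source, info)
```

The account at the top of a `stale-credential` source is the one to match against the CIFS client found by the secd trace mentioned in the reply.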