Single logon attempt is counted as two logon attempts in Active Directory in Windows Server 2012

The user accounts are locked out although your expectation is that the account lockout threshold isn't reached yet. Additionally, in the security event log, events are logged.
This issue occurs because the logon attempt for Microsoft Kerberos protocol and Microsoft NTLM protocol operates. This results in two authentication queries against Active Directory. Therefore, the count of incorrect password increases by two instead of by one. 
To fix this issue, install May 2016 update rollup for Windows Server 2012.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Learn about the terminology that Microsoft uses to describe software updates.
More information
For more information about how to manage account lockout settings and monitoring, see Configuring Account Lockout.

Article ID: 3155537 - Last Review: 05/17/2016 19:37:00 - Revision: 1.0

Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation

  • kbqfe kbsurveynew kbfix kbexpertiseadvanced KB3155537