Trouble with Domain Logins on Hybrid-Joined PCs

Asked By TechieTinker123 On

I've been dealing with a frustrating issue for about a month concerning login attempts on hybrid-joined PCs in our office. Some users can't log in with their correct credentials, and re-entering them doesn't trigger a lockout or show any failed login records on our domain controllers. It feels like the login attempts are being rejected before they even reach the network interface card.

The message users see is "Username or password is incorrect. Try again." When I test the failing endpoints myself and accurately enter the password, it is obviously correct. Plus, if it were incorrect, there would be a failed attempt logged somewhere in Active Directory.

There doesn't seem to be a specific model, network card, or driver that relates to this issue, nor can I find a common switch in our stack that could be causing it. We've checked our firewall rules, turned off 802.1X authentication on some ports for the affected machines, and enabled Credential Guard. Even when on the login screen, the devices can connect to the network and internet, allowing me to execute remote commands and network diagnostics. This problem arises on both wired and wireless networks, but switching networks often resolves it temporarily.

I don't think we've modified any Group Policies or Intune configurations lately that would be relevant to this situation. I'm at a loss, and so is my team. Any suggestions on where to look next?

3 Answers

Answered By LoginWizard88 On

Make sure to check the format you're using for the usernames. If you enter DOMAIN\username, it should force authentication against AD with the NT username. If you're using UPN/email format, the problem might be related to the global catalog. It's worth exploring this option!

TechieTinker123 -

I actually tried both formats, but both are failing.

Answered By FixItFelix On

When troubleshooting this, always consider checking the user accounts that are experiencing the issue. Sometimes, account lockouts aren’t logged because they don’t even reach the point of triggering those logs. Ensuring those accounts do not have any restrictions applied could also lead to insights.

Answered By NetworkGuru42 On

It sounds like you're dealing with an issue that could be linked to having a mix of domain controllers running different server versions. If you're using Server 2025 for some DCs and others are on older versions, it can mess with Kerberos authentication because Microsoft deprecated some older ciphers. This can lead to intermittent login problems. It might be worth trying to power off the 2025 DC temporarily to see if that resolves things for your users.

TechieTinker123 -

Good catch, we do have a 2025 DC along with a 2016, 2019, and 2022. I'll see what happens when I power off the 2025.
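A diagnostic added here to test that hypothesis before powering off a DC (example code, not posted by anyone in the thread): it lists the DCs with their OS versions, decodes msDS-SupportedEncryptionTypes on the affected user and computer accounts, and pulls KDC events 4768/4771 from each DC so an etype error (0xE) can be told apart from a real bad password (0x18). It assumes the RSAT ActiveDirectory module, rights to read each DC's Security log, placeholder account names, and that RC4 is the retired cipher the answer refers to.

```powershell
# Added example; assumes RSAT ActiveDirectory module and read access to DC Security logs.
Import-Module ActiveDirectory

$affectedUsers     = @('jdoe', 'asmith')          # placeholder sAMAccountNames
$affectedComputers = @('HYB-PC-01', 'HYB-PC-02')  # placeholder hybrid-joined hosts

# 1. Inventory the DCs; a 2025 DC beside 2016/2019/2022 is the mix the thread describes.
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog
$dcs | Format-Table -AutoSize

# 2. Decode msDS-SupportedEncryptionTypes. An account limited to RC4 (0x4) cannot get a ticket
#    from a KDC that no longer offers RC4 (assumed to be the retired cipher), and the client
#    shows that failure to the user as a wrong-password prompt.
function Get-KerbEtypes {
    param([int]$Value)
    $flags = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    if ($Value -eq 0) { return 'not set (DC default applies)' }
    ($flags.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $flags[$_] }) -join ','
}
foreach ($u in $affectedUsers) {
    $a = Get-ADUser $u -Properties 'msDS-SupportedEncryptionTypes'
    '{0,-20} {1}' -f $u, (Get-KerbEtypes ([int]$a.'msDS-SupportedEncryptionTypes'))
}
foreach ($c in $affectedComputers) {
    $a = Get-ADComputer $c -Properties 'msDS-SupportedEncryptionTypes'
    '{0,-20} {1}' -f $c, (Get-KerbEtypes ([int]$a.'msDS-SupportedEncryptionTypes'))
}

# 3. KDC events from every DC: 4768 = TGT requested, 4771 = pre-auth failed.
#    Status 0xE = KDC_ERR_ETYPE_NOTSUPP (cipher mismatch), 0x18 = KDC_ERR_PREAUTH_FAILED (bad password).
foreach ($dc in $dcs.HostName) {
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = (Get-Date).AddDays(-1) }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC     = $dc; Time = $_.TimeCreated; Id = $_.Id
                User   = $d['TargetUserName']; Client = $d['IpAddress']
                Status = $d['Status']; Etype = $d['TicketEncryptionType']
            }
        } | Where-Object { $affectedUsers -contains $_.User } | Format-Table -AutoSize
}
```

If the failing logons never produce a 4768/4771 on any DC, the request is not reaching a KDC at all, which points back at the client or network path rather than the DC cipher set.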
