FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ltusen
Staff
Article Id 385975
Description This article describes FortiNAC Winbind behavior when the Winbind password for the Service Account or User Account has been changed on the domain, or when any other change or issue occurs on the domain side.
Scope FortiNAC v8.x, v9.x, v7.2.x, v7.4.x, v7.6.x and above.
Solution
  • In FortiNAC, Logs -> Events & Alarms will show that an AD-side password change was performed for any User-ID account, due to the Winbind service instability.
  • The following line shows that the Winbind password on the AD was changed:

***WINBIND_CONFIG*** Name: WinbindConfig Summary: Domain Encrypted Pwd changed from: * to: *

The following is an example of output for the Winbind Service instability:

  • Line 1: Shows that the Winbind password on the AD was changed at 08:50:34 am:

2024/11/24 08:50:34 'aduser-id' 2 WINBIND_CONFIG WinbindConfig Domain Encrypted Pwd changed from: * to: *

  • Line 2: The Winbind service stopped running at 09:03:54, exactly 13 minutes after the password change:

2024/11/24 09:03:54 Service Down - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 is not running.

  • Line 3: The Winbind service came back up at 09:04:30 am:

2024/11/24 09:04:30 Service Started - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 was not running and has been started.

  • Line 4: The Winbind service was restarted at 12:04:16 pm:

2024/11/24 12:04:16 Service Restarted - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 has been restarted.

  • Line 5: Shows that the Winbind AD password was changed again at 12:04:20 pm:

2024/11/24 12:04:20 'aduser-id' 2 WINBIND_CONFIG WinbindConfig Domain Encrypted Pwd changed from: * to: *

Notes:

  • This message usually appears when a user account changes its password on a domain network, where the password is managed by a central server (Active Directory).
  • The text "Domain Encrypted Pwd changed from: * to: *" means that the password for a domain user account has been changed. The actual password is hidden (represented by asterisks "*") due to encryption, so the message only shows that a change has occurred, without revealing the new password itself.
  • This is a standard security feature to protect sensitive information such as passwords.
  • The message is largely an error message from the AD server side. It happens to remote users trying to log in with RDP, or even on the domain itself, when there is a server issue to resolve.
  • The error can occur for a variety of reasons, but the DC is the one generating it, so the security logs on the DC should be checked as a next step.
  • Unfortunately, there are many possible causes. These events most often happen during network administration tasks or domain server maintenance, where a variety of causes can arise on the AD side.
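
To decide which timestamps to look up in the DC security logs, the password-change events can be paired with nearby Winbind service events. The following is an added example, not Fortinet code: it parses event lines in the layout shown above (the five sample lines are the ones from this article) and lists the service events that fall within a window around each password change. The 30-minute window and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Event lines copied from the example output in this article.
SAMPLE = """\
2024/11/24 08:50:34 'aduser-id' 2 WINBIND_CONFIG WinbindConfig Domain Encrypted Pwd changed from: * to: *
2024/11/24 09:03:54 Service Down - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 is not running.
2024/11/24 09:04:30 Service Started - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 was not running and has been started.
2024/11/24 12:04:16 Service Restarted - Winbind FortiNAC A critical service (winbindd) on 192.168.35.210 has been restarted.
2024/11/24 12:04:20 'aduser-id' 2 WINBIND_CONFIG WinbindConfig Domain Encrypted Pwd changed from: * to: *
"""

TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
SERVICE = re.compile(r"^Service (Down|Started|Restarted) - Winbind\b")
PWD = re.compile(r"^'([^']*)' \d+ WINBIND_CONFIG\b.*Pwd changed")

def parse_events(text):
    """Return sorted (timestamp, kind, detail) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TS.match(line.strip())
        if not m:
            continue  # not an event line in the expected layout
        when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        rest = m.group(2)
        if (p := PWD.match(rest)):
            events.append((when, "pwd_change", p.group(1)))
        elif (s := SERVICE.match(rest)):
            events.append((when, s.group(1).lower(), "winbindd"))
    return sorted(events)

def correlate(events, window=timedelta(minutes=30)):
    """For each password change, list Winbind service events within
    `window` before or after it, with the offset in seconds."""
    findings = []
    for when, kind, account in events:
        if kind != "pwd_change":
            continue
        near = [(k, int((t - when).total_seconds()))
                for t, k, _ in events
                if k != "pwd_change" and abs(t - when) <= window]
        findings.append({"time": when, "account": account, "service_events": near})
    return findings

if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE)):
        print(f["time"], f["account"], f["service_events"])
```

A negative offset means the service event preceded the password change, as with the restart logged four seconds before the second change in the sample.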
