Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Two incorrect logon attempts sent to Active Directory after Credential Guard installed on Windows 10


Symptoms

Assume that you use Credential Guard on a computer that is running Windows 10 Version 1607 or Version 1511. The Kerberos ETL trace on the computer shows that the computer incorrectly submits two logon attempts that use the current password. For example:

[0] 02B8.166C::DateTime.7933656 [winnt5] kerbcredisoium_cxx520 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::BuildPasswordList - Start call to LsaIso
[0] 02B8.166C::DateTime.8032963 [winnt5] kerbcredisoium_cxx528 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::BuildPasswordList - End call to LsaIso

[0] 02B8.166C::DateTime.8042529 [winnt5] logonapi_cxx453 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using current password of test@CONTOSO

[0] 02B8.166C::DateTime.8043461 [winnt5] kerbcredisoium_cxx520 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::CreateAsReqAuthenticator - Start call to LsaIso
[0] 02B8.166C::DateTime.8057752 [winnt5] kerbcredisoium_cxx528 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::CreateAsReqAuthenticator - End call to LsaIso

[0] 02B8.166C::DateTime.8061143 [winnt5] logonapi_cxx3228 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket sending preauth enctype 18, length 143, PrimaryCredentials->PublicKeyCreds 0000000000000000    <-- first call

[0] 02B8.166C::DateTime.8065146 [winnt5] logonapi_cxx3287 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket: Calling KDC
[0] 02B8.166C::DateTime.8066501 [winnt5] kerbtick_cxx2816 KerbMakeSocketCallEx() - KerbMakeSocketCall uses KdcToCall option 0.
[0] 02B8.166C::DateTime.8068090 [winnt5] kerbtick_cxx3130 KerbMakeSocketCallEx() - Retry #0 Calling kdc 10.0.0.1 for realm CONTOSO, DesiredFlags 0, connection timeout: 0 secs
[0] 02B8.166C::DateTime.8068254 [common2] sockets_cxx676 KerbCallKdcEx() - Calling KDC: 10.0.0.1
[1] 02B8.166C::DateTime.8219381 [common2] sockets_cxx576 KerbBindSocketByAddress() - Successfully bound to 10.0.0.1
[1] 02B8.166C::DateTime.8221109 [common2] sockets_cxx777 KerbCallKdcEx() - Socket being used for select is 0x1170
[1] 02B8.166C::DateTime.8442723 [common2] sockets_cxx862 KerbCallKdcEx() - Socket being used for select is 0x1170
[1] 02B8.166C::DateTime.8446106 [winnt5] logonapi_cxx3344 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket: Returned from KDC status 0x0
[1] 02B8.166C::DateTime.8447502 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[1] 02B8.166C::DateTime.8447962 [winnt5] logonapi_cxx3450 KerbGetAuthenticationTicketEx() - Failed to unpack KDC reply as AS: 0x3c
[1] 02B8.166C::DateTime.8457901 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[1] 02B8.166C::DateTime.8458328 [commoniumsafe] utils_cxx121 KerbUnpackErrorData() - KerbUnpackData failed to unpack typed data, trying error method data
[1] 02B8.166C::DateTime.8459654 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[1] 02B8.166C::DateTime.8460143 [winnt5] logonapi_cxx3598 KerbGetAuthenticationTicketEx() - KerbCallKdc failed: error 0x18, extendedStatus 0, onecore\ds\security\protocols\kerberos\client2\logonapi.cxx, line 3598
[1] 02B8.166C::DateTime.8461912 [winnt5] logonapi_cxx3711 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket retry with new salts on kdc error                                             <-- here getting ready for the second try
[2] 02B8.166C::DateTime.8480445 [winnt5] kerbcredisoium_cxx520 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::BuildPasswordList - Start call to LsaIso
[2] 02B8.166C::DateTime.8575023 [winnt5] kerbcredisoium_cxx528 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::BuildPasswordList - End call to LsaIso
[2] 02B8.166C::DateTime.8580294 [winnt5] logonapi_cxx453 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using current password of test@Contoso
[2] 02B8.166C::DateTime.8581509 [winnt5] kerbcredisoium_cxx520 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::CreateAsReqAuthenticator - Start call to LsaIso
[2] 02B8.166C::DateTime.8595550 [winnt5] kerbcredisoium_cxx528 KerbCredIsoIum::BuildEncryptedAuthData() - KerbCredIsoIum::CreateAsReqAuthenticator - End call to LsaIso
[2] 02B8.166C::DateTime.8598818 [winnt5] logonapi_cxx3228 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket sending preauth enctype 18, length 143, PrimaryCredentials->PublicKeyCreds 0000000000000000   <-- incorrect second call

[2] 02B8.166C::DateTime.8602213 [winnt5] logonapi_cxx3287 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket: Calling KDC
[2] 02B8.166C::DateTime.8603153 [winnt5] kerbtick_cxx2816 KerbMakeSocketCallEx() - KerbMakeSocketCall uses KdcToCall option 0.
[2] 02B8.166C::DateTime.8604742 [winnt5] kerbtick_cxx3130 KerbMakeSocketCallEx() - Retry #0 Calling kdc 10.0.0.1 for realm CONTOSO, DesiredFlags 0, connection timeout: 0 secs
[2] 02B8.166C::DateTime.8604907 [common2] sockets_cxx676 KerbCallKdcEx() - Calling KDC: 10.0.0.1
[1] 02B8.166C::DateTime.8753554 [common2] sockets_cxx576 KerbBindSocketByAddress() - Successfully bound to 10.0.0.1
[1] 02B8.166C::DateTime.8755787 [common2] sockets_cxx777 KerbCallKdcEx() - Socket being used for select is 0x11a0
[0] 02B8.166C::DateTime.8934236 [common2] sockets_cxx862 KerbCallKdcEx() - Socket being used for select is 0x11a0
[0] 02B8.166C::DateTime.8941166 [winnt5] logonapi_cxx3344 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket: Returned from KDC status 0x0
[0] 02B8.166C::DateTime.8945177 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[0] 02B8.166C::DateTime.8946536 [winnt5] logonapi_cxx3450 KerbGetAuthenticationTicketEx() - Failed to unpack KDC reply as AS: 0x3c
[0] 02B8.166C::DateTime.8970360 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[0] 02B8.166C::DateTime.8971292 [commoniumsafe] utils_cxx121 KerbUnpackErrorData() - KerbUnpackData failed to unpack typed data, trying error method data
[0] 02B8.166C::DateTime.8974564 [commoniumsafe] tickets_cxx2705 KerbUnpackData() - KerbUnpackData Asn1Err 0xfffffc0d
[0] 02B8.166C::DateTime.8975619 [winnt5] logonapi_cxx3598 KerbGetAuthenticationTicketEx() - KerbCallKdc failed: error 0x18, extendedStatus 0, onecore\ds\security\protocols\kerberos\client2\logonapi.cxx, line 3598
[0] 02B8.166C::DateTime.8977676 [winnt5] logonapi_cxx3717 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket retry with old password on kdc error
[0] 02B8.166C::DateTime.9008841 [winnt5] logonapi_cxx447 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using old password of test@CONTOSO
[0] 02B8.166C::DateTime.9009716 [winnt5] logonapi_cxx459 KerbFindCommonPaEtype() - no password, use old password: true
[0] 02B8.166C::DateTime.9010422 [winnt5] logonapi_cxx761 KerbBuildPreAuthData() - KerbBuildPreAuthData failed to find common pa etypes 0xc000006a 
[0] 02B8.166C::DateTime.9011218 [winnt5] logonapi_cxx2971 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket retry with new salts
[0] 02B8.166C::DateTime.9025374 [winnt5] logonapi_cxx447 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using old password of test@CONTOSO
[0] 02B8.166C::DateTime.9025912 [winnt5] logonapi_cxx459 KerbFindCommonPaEtype() - no password, use old password: true
[0] 02B8.166C::DateTime.9026421 [winnt5] logonapi_cxx761 KerbBuildPreAuthData() - KerbBuildPreAuthData failed to find common pa etypes 0xc000006a
[0] 02B8.166C::DateTime.9028420 [winnt5] logonapi_cxx3039 KerbGetAuthenticationTicketEx() - GetAuthenticationTicket: Failed to build pre-auth data: 0xc000006a for test\CONTOSO, onecore\ds\security\protocols\kerberos\client2\logonapi.cxx, line 3039
[0] 02B8.166C::DateTime.9043623 [winnt5] logonapi_cxx8907 KerbILogonUserEx2() - LogonUser: Failed to get TGT for test\CONTOSO : 0xc000006a
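
An added example, not part of the original KB article and not Microsoft code: a Python check that reads Kerberos ETL text in the layout shown above and reports, for each failed logon, how many preauth submissions used the current password and how many the KDC rejected with error 0x18. The sample input is seven lines condensed from the trace above; the regular expressions, function name and record fields are this example's own assumptions about the line layout.

```python
import re

# Constructed sample: seven lines condensed from the trace on this page
# (socket, ASN.1 unpack and LsaIso lines left out, source path trimmed).
SAMPLE = r"""
[0] 02B8.166C::DateTime.8042529 [winnt5] logonapi_cxx453 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using current password of test@CONTOSO
[0] 02B8.166C::DateTime.8061143 [winnt5] logonapi_cxx3228 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket sending preauth enctype 18, length 143, PrimaryCredentials->PublicKeyCreds 0000000000000000
[1] 02B8.166C::DateTime.8460143 [winnt5] logonapi_cxx3598 KerbGetAuthenticationTicketEx() - KerbCallKdc failed: error 0x18, extendedStatus 0
[2] 02B8.166C::DateTime.8580294 [winnt5] logonapi_cxx453 KerbFindCommonPaEtype() - KerbFindCommonPaEtype using current password of test@Contoso
[2] 02B8.166C::DateTime.8598818 [winnt5] logonapi_cxx3228 KerbGetAuthenticationTicketEx() - KerbGetAuthenticationTicket sending preauth enctype 18, length 143, PrimaryCredentials->PublicKeyCreds 0000000000000000
[0] 02B8.166C::DateTime.8975619 [winnt5] logonapi_cxx3598 KerbGetAuthenticationTicketEx() - KerbCallKdc failed: error 0x18, extendedStatus 0
[0] 02B8.166C::DateTime.9043623 [winnt5] logonapi_cxx8907 KerbILogonUserEx2() - LogonUser: Failed to get TGT for test\CONTOSO : 0xc000006a
"""

LINE = re.compile(r"^\[\d+\]\s+(?P<tid>[0-9A-Fa-f]+\.[0-9A-Fa-f]+)::\S+\s+\[\w+\]"
                  r"\s+\S+\s+\S+\(\)\s+-\s+(?P<msg>.*)$")
PASSWORD = re.compile(r"KerbFindCommonPaEtype using (current|old) password of")
KDC_ERROR = re.compile(r"KerbCallKdc failed: error (0x[0-9a-fA-F]+)")
LOGON_FAIL = re.compile(r"LogonUser: Failed to get TGT for (\S+) : (0x[0-9a-fA-F]+)")


def analyze(trace):
    """Return one record per failed logon, tracked per PID.TID field."""
    state, records = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a trace line
        st = state.setdefault(m["tid"], {"pw": None, "sent": 0, "rejected": 0})
        msg = m["msg"]
        if (hit := PASSWORD.search(msg)):
            st["pw"] = hit[1]  # password source for the next preauth
        elif "sending preauth" in msg and st["pw"] == "current":
            st["sent"] += 1
        elif (hit := KDC_ERROR.search(msg)) and int(hit[1], 16) == 0x18:  # KDC_ERR_PREAUTH_FAILED
            st["rejected"] += 1
        elif (hit := LOGON_FAIL.search(msg)):
            records.append({"principal": hit[1], "status": hit[2],
                            "current_password_preauths": st["sent"],
                            "kdc_preauth_failures": st["rejected"],
                            "duplicate": st["sent"] > 1})
            del state[m["tid"]]  # the next logon on this thread starts clean
    return records


if __name__ == "__main__":
    for record in analyze(SAMPLE):
        print(record)
```

A record with `duplicate` set to true matches the symptom described in this article: one failed logon produced more than one preauth submission with the current password.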


Resolution

To resolve this issue, install update KB4015217: April 11, 2017—KB4015217 (OS Build 14393.1066 and 14393.1083).

To work around this issue, increase the account lockout threshold to accommodate the extra attempts or disable Credential Guard.


Keywords: Windows 10, kb, kbsurveynew

Article Info
Article ID : 4033236
Revision : 12
Created on : 2/5/2018
Published on : 2/5/2018
Exists online : False