  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3146

User account getting locked out

Hello, I'm completely lost on this one. I have one user account that is getting locked out pretty much as fast as I can unlock it. I have Exchange 2007 behind ISA 2006. I've narrowed it down as far as if I disable the Active Sync publishing rule the lockouts stop. The user has only a smartphone and an iPad configured to sync with Exchange and the password has been verified on both.

I'm hoping someone is going to mention something I've overlooked here. Thanks in advance.
0
Asked: rcil_admin
2 Solutions
 
WayneATaylor Commented:
That does sound like a device is trying the wrong password!

Have a look at the web server logs and if it is an Activesync request you should be able to see it in the logs and it might give you a clue where it's coming from.

One thought, they haven't tried to use one of those web email providers that can grab email using OMA have they? That might be trying the wrong password!

Wayne

0
 
rcil_admin (Author) Commented:
I left that part out. I did look at the web server log on the mail server and searched it for the user's name. Every hit was showing the same device ID as a log from before this started and only that one. That's what has me baffled. I even pulled the battery from the user's phone and watched the account lock while it was out. That's when I started thinking of other devices the user has. I then had him reset the password on the iPad.

I don't think the user has configured anything that uses OMA. Another thought though. We have a password policy that forces users to change their passwords periodically. We have multiple users with smartphones and when their network password changes, their phone stops syncing because obviously the phone is still configured with the previous password. Their accounts never get locked out. We have only BlackBerry, Android, and Windows phones, no iPhones. Unless I'm mistaken, all of these give up after one failed attempt or I would have seen these lockouts happen before.
0
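
The web-log check discussed in the posts above, as an added example that is not part of the original thread: it tallies accepted and rejected (401) ActiveSync requests per device ID for one user, so a device that only ever fails stands out even when a search on the authenticated user name shows a single device. It assumes a W3C-format log with IIS field names and the User/DeviceId/DeviceType query parameters of ActiveSync requests; the sample lines, device IDs and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (not data from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2011-04-30 13:05:01 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=PHONE0001&DeviceType=Android&Cmd=Sync EXAMPLE\\jdoe 203.0.113.10 Android/2.2 200
2011-04-30 13:05:20 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=APPL0002&DeviceType=iPad&Cmd=Sync - 198.51.100.7 Apple-iPad/801.293 401
2011-04-30 13:05:50 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=APPL0002&DeviceType=iPad&Cmd=Sync - 198.51.100.7 Apple-iPad/801.293 401
2011-04-30 13:06:20 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=APPL0002&DeviceType=iPad&Cmd=Sync - 198.51.100.7 Apple-iPad/801.293 401
2011-04-30 13:06:40 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=PHONE0001&DeviceType=Android&Cmd=Ping EXAMPLE\\jdoe 203.0.113.10 Android/2.2 200
2011-04-30 13:06:45 GET /owa/ - EXAMPLE\\asmith 192.0.2.44 Mozilla/5.0 200
"""

def activesync_auth_summary(log_text, user):
    """Per-device counts of accepted and rejected (401) ActiveSync requests."""
    fields = []
    summary = defaultdict(lambda: {"ok": 0, "denied": 0, "ips": set(), "type": None})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the log's own column order
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if "microsoft-server-activesync" not in row.get("cs-uri-stem", "").lower():
            continue
        # A rejected request has no cs-username, but the query string still
        # names the mailbox user and the device that sent it.
        query = parse_qs(row.get("cs-uri-query", ""))
        if query.get("User", [""])[0].lower() != user.lower():
            continue
        entry = summary[query.get("DeviceId", ["(none)"])[0]]
        entry["type"] = query.get("DeviceType", ["?"])[0]
        entry["ips"].add(row.get("c-ip", "?"))
        entry["denied" if row.get("sc-status") == "401" else "ok"] += 1
    return dict(summary)

def suspect_devices(summary):
    """Device IDs whose requests were only ever rejected: stale-password candidates."""
    return sorted(d for d, e in summary.items() if e["denied"] and not e["ok"])

if __name__ == "__main__":
    result = activesync_auth_summary(SAMPLE_LOG, "jdoe")
    for device in suspect_devices(result):
        print(device, result[device]["type"], result[device]["denied"], result[device]["ips"])
```

Where a publishing proxy validates credentials before forwarding, the rejected requests are recorded on that tier, so its log is the one to feed in.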
 
WayneATaylor Commented:
Strange!

Anything showing in the decurity event log for that user?

Wayne



0
 
WayneATaylor Commented:
Or even Security!!!
0
 
rcil_admin (Author) Commented:
Not really seeing anything in the security log on the Exchange server but on the ISA box I will see a couple "unknown username or bad password" events and then "account locked out" events.
0
 
WayneATaylor Commented:
Do these unknown username password errors not show a device that is trying the username/password?

Wayne
0
 
rcil_admin (Author) Commented:
Here is the event from the ISA box:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            4/30/2011
Time:            8:30:52 AM
User:            NT AUTHORITY\SYSTEM
Computer:      xxxISA1
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      xxxxxxx
       Domain:            xxxxxx
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      xxxxISA1
       Caller User Name:      NETWORK SERVICE
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0x3E4)
       Caller Process ID:      2568
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



And this one is from a DC:

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4776
 
   Version 0
 
   Level 0
 
   Task 14336
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2011-04-30T13:06:27.093714600Z
 
   EventRecordID 25860074
 
   Correlation
 
  - Execution

   [ ProcessID]  548
   [ ThreadID]  3840
 
   Channel Security
 
   Computer xxxDC1.xxxx.local
 
   Security
 

- EventData

  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName xxxx
  Workstation xxxISA1
  Status 0xc0000234
0
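
The DC-side view of the lockout in the post above, as an added example that is not part of the original thread: it tallies event 4776 outcomes for one user per Workstation value and decodes the Status code, showing the run of bad-password results that ends in 0xc0000234. It assumes the DC's Security events were exported as XML under a single root element; the sample events, host names and function names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values that event 4776 reports in its Status field.
STATUS = {
    "0x0": "success",
    "0xc0000064": "no such user",
    "0xc000006a": "bad password",
    "0xc0000234": "account locked out",
}

def _ev(user, workstation, status):
    """Build one constructed 4776 event with only the fields used below."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4776</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Workstation">{workstation}</Data>'
            f'<Data Name="Status">{status}</Data></EventData></Event>')

# Constructed sample (not data from the thread).
SAMPLE = "<Events>" + "".join([
    _ev("jdoe", "DESK042", "0x0"),
    _ev("jdoe", "EXISA1", "0xc000006a"),
    _ev("jdoe", "EXISA1", "0xc000006a"),
    _ev("jdoe", "EXISA1", "0xc000006a"),
    _ev("jdoe", "EXISA1", "0xc0000234"),
    _ev("jdoe", "EXISA1", "0xc0000234"),
    _ev("asmith", "EXISA1", "0x0"),
]) + "</Events>"

def lockout_sources(xml_text, user):
    """Count 4776 outcomes for `user`, keyed by (workstation, outcome)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != user.lower():
            continue
        status = data.get("Status", "").lower()
        counts[(data.get("Workstation", "?"), STATUS.get(status, status))] += 1
    return counts

if __name__ == "__main__":
    for (workstation, outcome), n in sorted(lockout_sources(SAMPLE, "jdoe").items()):
        print(f"{workstation:10} {outcome:20} {n}")
```

When a publishing proxy validates the credentials, the Workstation field names the proxy, as it does in the event above, so this narrows the source to a tier rather than to a device.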
 
WayneATaylor Commented:
I take it then that the ISA1 server is the server hosting the OMA?

If so, it's definitely coming then from that server so it has to be either something coming from the web server or some other process within that server.

You don't have something like CRM or similar do you that gets users emails directly from Exchange or something like the CRM Email Connector?

Did you say that there was nothing showing for that user in the web logs apart from the device you know about?

Wayne
0
 
WayneATaylor Commented:
Also, the smartphone device hasn't got another account set up has it so it's trying to login from the same device to the same account in two different places?
0
 
rcil_admin (Author) Commented:
Yep, ISA1 is our only ISA box and is publishing OMA. It's definitely coming from the web through that box. I know it's coming from the web because when I disable the publishing rule the problem goes away. Seems like I should be seeing a public IP attached to the auth attempts at least on the ISA events.

Yes, I am only seeing one device ID in the web log on the Exchange server that corresponds with the user in question. I wonder if I will see this same ID on the device or is the Exchange server assigning that ID for logging purposes?

I hadn't considered that the user could be set up more than once on one of his devices but I will check this.
0
 
Amit (IT Architect) Commented:
@rcil_admin

I have a simple suggestion. Simply append a numeric to the user logon name. Say if user is "Test" change it to "Test1". That is the simplest way to get rid of the account lockout issue. This doesn't impact any other user setting. You need to change it in ADUC under the Account tab.

Test it.
0
 
rcil_admin (Author) Commented:
Thanks amitkulshrestha, I did consider that and may end up doing that. I just hated to "work around" the problem.
0
 
Amit (IT Architect) Commented:
I agree with you, but MS is still unable to provide a tool which can point to the root cause 100%. So a workaround is the only solution and we have to live with that.
0
 
rcil_admin (Author) Commented:
The issue turned out to be the user's iPad after all. The first time he changed it he must have typed it wrong. I'm giving the points to both.
0
 
tabush Commented:
nice tip
0
