User account locked out though entering the right password
-
Tuesday, December 04, 2012 4:12 PM
Hello,
We have a single domain, single forest (e.g. abc.com) and recently established a trust with another organisation (e.g. xyz.com). At present the trust is established with selective authentication.
When a user from abc.com goes to the other domain's office (xyz.com), they face an account lockout while accessing the SharePoint site of xyz.com, even though they are using the right password.
It's only a problem when the user is working from the xyz.com site; the same password works fine when working from home.
Please let me know what could be the cause for this.
Thanks in advance
Mahesh
All Replies
-
Tuesday, December 04, 2012 5:11 PM
Almost sounds like a firewall is blocking necessary ports. Can you describe the connectivity between you and the other organization?
Here are the ports required for AD communications:
Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx.
I assume you are using a general forwarder, stubs or secondaries to resolve the partner forest, and vice-versa? If not, can you describe how DNS resolution has been designed to support the trust?
.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
-
Wednesday, December 05, 2012 4:39 AM
Dear Ace,
Thank you for the reply.
If a firewall is blocking the necessary ports, is there any chance of the user account getting locked even after entering the right password?
DNS servers in our domain have been published using stub zones, and vice versa.
The user can authenticate to the SharePoint site but faces this problem only when trying to download something from the SharePoint site.
I will check with the network team regarding the ports.
Mahesh
-
Wednesday, December 05, 2012 5:23 AM
You verified the trust: http://technet.microsoft.com/en-us/library/cc737447(v=ws.10).aspx
If the issue still persists, recreate the trust and check. A stub zone is OK, but if the network connectivity between the forests is good, create a secondary zone or use conditional forwarders and check how it works.
Checklist: Creating a forest trust
http://technet.microsoft.com/en-us/library/cc756852%28WS.10%29.aspx
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442
Temporarily disable AV and Windows Firewall on the server and clients too.
Since you are facing the issue with SharePoint only, the SharePoint forum might also be helpful:
http://social.technet.microsoft.com/Forums/en-US/category/sharepoint2010
Take a look at this blog about account lockouts; it goes over some good Microsoft tools:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Wednesday, December 05, 2012 10:48 AM Moderator
I guess to troubleshoot such issues, it's better to use the Netmon or Wireshark tool to monitor & analyze the real-time traffic for the source of the account lockout. Since the issue exists in a multiple-domain environment, the more effective way would be using the Netmon or Wireshark tool, which can be a quick way to determine both the source & cause of the account lockout.
NetWrix Account Lockout Examiner http://www.netwrix.com/account_lockout_examiner.html
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cddbf977-b98f-4783-8226-ebddab54d002/
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked As Answer by Cicely Feng, Microsoft Contingent Staff, Moderator Tuesday, December 11, 2012 9:02 AM
-
Wednesday, December 05, 2012 11:37 AM
What is the AD health status on xyz.com? Is everything working fine, like Replication, DNS, Time Server? If your answer is yes, then I would suggest doing a network trace using Netmon or Wireshark as Awinish mentioned.
-
Wednesday, December 05, 2012 1:00 PM Moderator
If the user is using the correct password, they won't get locked out. Somehow this situation is being looked at from the wrong point of view. I can't explain to you what is going on, but the system won't give you a failure for a correct entry. What type of error is being generated on the SharePoint server and/or DC? Look in the Security Event log of the two.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
-
Wednesday, December 05, 2012 1:07 PM
Well, agreeing with Awinish, you can check with NetWrix Account Lockout Examiner. In addition to this, I can recommend Lepide self account unlock status.
http://www.lepide.com/active-directory-self-service.html
Hope it helps.
-
Wednesday, December 05, 2012 1:12 PM
Hi,
Find the offending machine that is causing the lockout, and proceed further
http://www.windowstricks.in/2009/07/account-lockout.htm
Regards,
Ganesh
- Edited by Ganesamoorthy Wednesday, December 05, 2012 1:13 PM
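
The two suggestions above (read the DC's Security event log, and find the machine that is causing the lockout) can be combined into one query. This is an added example, not code posted by anyone in the thread. It assumes it is run in the forest that owns the account (abc.com in the question) with the ActiveDirectory module installed, and `jdoe` is a placeholder account name.

```powershell
# Added example. Assumes the ActiveDirectory module and read access to the
# DC Security log; 'jdoe' is a placeholder account name.
param([string]$User = 'jdoe', [int]$Hours = 24)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator   # lockouts are recorded on the PDC emulator

# Flatten an event's <EventData> into a name -> value hashtable.
function Get-EventData($Event) {
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    $map
}

# Return the selected Security events that concern $User.
function Get-AccountEvents([int[]]$Id) {
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    } | ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Data = $d }
        }
    }
}

# 4740: account locked out. The "Caller Computer Name" shown in Event Viewer
# is stored in the TargetDomainName field.
Get-AccountEvents 4740 | ForEach-Object {
    [pscustomobject]@{ Time = $_.Time; LockedOutFrom = $_.Data.TargetDomainName }
} | Sort-Object Time | Format-Table -AutoSize

# 4771: Kerberos pre-authentication failed (source in IpAddress).
# 4776: NTLM credential validation (source in Workstation); keep failures only.
Get-AccountEvents 4771, 4776 | Where-Object {
    $_.Id -eq 4771 -or $_.Data.Status -ne '0x0'
} | ForEach-Object {
    $src = if ($_.Id -eq 4771) { $_.Data.IpAddress } else { $_.Data.Workstation }
    [pscustomobject]@{ Source = $src; Status = $_.Data.Status }
} | Group-Object Source, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A status of `0x18` on event 4771 or `0xC000006A` on event 4776 means a wrong password was presented, so the source with the highest count is the machine or service to inspect for a stale stored credential.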
-
Wednesday, December 05, 2012 4:37 PM
If it's just with SharePoint, then maybe it's specifically a SharePoint permission or lack of permission to save it on the local drive. See if this helps:
http://support.microsoft.com/kb/2001366
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
- Edited by Ace Fekay [MCT]MVP Wednesday, December 05, 2012 4:38 PM
- Marked As Answer by Cicely Feng, Microsoft Contingent Staff, Moderator Tuesday, December 11, 2012 9:03 AM

