How to protect user accounts from lockout

  • Question

  • Hi,

    I'm testing Exchange apps publication with UAG. I use UAG 2010 SP1, publish Exchange 2010 on a common (non-Exchange-dedicated) https trunk, and Exchange and Outlook are configured for NTLM authentication.

    Everything works fine except my user accounts are vulnerable to lockout in AD - when an Outlook user enters an incorrect password repeatedly. I set 'Maximum Logon Attempts' on the UAG trunk to a number less than in the AD lockout policy - but the account still locks out. UAG Web Monitor doesn't register any events about incorrect credentials - only the events "Session Started/Session Stopped".

    Is there a possibility to protect AD accounts from lockout when using Outlook Anywhere? Maybe some special settings not described in the docs need to be applied?

    Thanks

    Monday, July 2, 2012 11:15 AM

Answers

  • Hi Roman,

    I have some good news!

    After speaking to MS about this (thanks Ran!) I had been previously given a slightly incorrect view of the 'Allow rich clients to bypass trunk authentication' option. This option actually means that the trunk authentication will not be used (as I thought) BUT the authentication repository that is defined in the application settings will be used instead. I had been led to believe that the authentication was provided by the back-end server itself (e.g. the Exchange or SharePoint server) but this is actually incorrect. This means that UAG WILL pre-authenticate rich clients, just not using the authentication repository defined at the trunk level.

    Therefore, given all of that, it appears that your problem may have been caused by having the 'Block period after failed logon (minutes)' setting defined as zero.

    Apologies for the confusion and I hope the above info helps!

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, July 18, 2012 4:08 PM
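To make the interaction discussed in this thread concrete (a pre-authenticating gateway with its own 'Maximum logon attempts' and 'Block period after failed logon' in front of an AD lockout policy), here is a small simulation added by the editor; it is not code from the original thread or from UAG. The thresholds, the in-memory counters and the minute-granularity clock are simplifying assumptions, not UAG's actual implementation.

```python
from dataclasses import dataclass, field


@dataclass
class DirectoryLockout:
    """Simplified model of an AD lockout policy: lock after N bad passwords."""
    threshold: int = 5                      # assumed AD lockout threshold
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "bad-password"


@dataclass
class Gateway:
    """Simplified model of a pre-authenticating gateway (UAG-style trunk)."""
    directory: DirectoryLockout
    max_attempts: int                       # 'Maximum logon attempts'
    block_minutes: int                      # 'Block period after failed logon (minutes)'
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def logon(self, user: str, password_ok: bool, now: int) -> str:
        # A block period of 0 minutes expires immediately, so this check
        # never triggers and every attempt is forwarded to the directory.
        if self.blocked_until.get(user, 0) > now:
            return "blocked-by-gateway"
        result = self.directory.authenticate(user, password_ok)
        if result == "bad-password":
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_attempts:
                self.blocked_until[user] = now + self.block_minutes
                self.failures[user] = 0
        else:
            self.failures[user] = 0
        return result


def run(max_attempts: int, block_minutes: int, attempts: int = 6):
    """Replay `attempts` wrong passwords one minute apart; return results and AD lock state."""
    gw = Gateway(DirectoryLockout(), max_attempts, block_minutes)
    results = [gw.logon("roman", False, now=minute) for minute in range(attempts)]
    return results, "roman" in gw.directory.locked
```

With max_attempts=2 and block_minutes=0 the gateway counter resets without ever blocking and the fifth wrong password locks the AD account; with block_minutes=30 the third and later attempts stop at the gateway and the directory only ever sees two failures.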

All replies

  • UAG docs state:

    "Why enable remote access to Exchange services with Forefront UAG?"

    .....

    "Pre-authentication—In a standard Exchange deployment, users authenticate directly against the Exchange Client Access server. By publishing Exchange applications with Forefront UAG, you can allow users to preauthenticate against the Forefront UAG server, before they gain access to the internal Exchange Client Access server."  

    And IRL it appears pre-authentication is applicable only for MS OWA? And if I publish MS Anywhere I expose my accounts for locking out and can do nothing about it? And there's no difference from "standard Exchange deployment"?  :(

    Wednesday, July 4, 2012 12:45 PM
  • Thanks Jason, I have to accept it :)
    Wednesday, July 4, 2012 1:24 PM
  • Hi Jason,

    Many thanks that you still remember this!

    But I have 'Block period after failed logon (minutes)' set to 30 min, and 'Maximum logon attempts' set to 2 while the AD lockout policy is set to 5 attempts - and still the account is locked. Seems like preauthentication does not work in my case :(

    "The authentication repository that is defined in the application settings" - in my case it is an AD domain controller. Does it mean that UAG will access the DC each time the user tries a new wrong password and when 5 attempts occur - the DC will lock it?

    Wednesday, July 18, 2012 4:35 PM