UAG Allows access to users who are locked out in AD RRS feed

  • Question

  • We are using UAG in front of an application.

    We have setup AD group policy so that on 3 failed attempts to authenticate the user account is locked out.

    This works fine and the user account is locked out.

    Our issue is that using UAG and the correct username/password (even with the user account locked) you can still access the application.

    UAG seems to ignore the fact that the AD user is locked out.

    Anyone seen this before?

    Tuesday, March 15, 2011 1:49 PM


  • Hello,

    I suspect that your account isn't really locked out.  Sorry.  UAG has built in system to prevent AD users who are locked out from being logged in.

    You should be getting an error like you see below:

    User DOMA\USER with source IP address failed to log into trunk Portal (secure=1) using authentication server AD with session ID 5A1D2C7A-ECA4-4411-8978-45234D4A07. Error code is The referenced account is currently locked out and may not be logged on to.

    Also, if the account is locked out, you shouldnt even be able to reach your internal application as it would also verify against AD...   I'm sure you know but testing with an admin account wouldnt work...

    If you can confirm that it is infact locked out, maybe login using OWA natively in your internal network and UAG is still letting people in.  I recommend contacting Microsoft Support.

    Thank you


    • Marked as answer by Erez Benari Tuesday, May 10, 2011 12:13 AM
    Friday, April 15, 2011 11:25 PM