Naldo
Level 7
Message 1 of 8

Active Directory Account Lockouts on Web Gateway Appliances

Hello everyone,

 

Since last week I have been struggling with Active Directory account lockouts on MWG.

I have read all the possible answers on the MWG forums, Tech Support, Sys Admin and Microsoft forums as well.

Until now I find myself in the middle of nowhere, so I decided to post the question here once again: has anyone experienced this before, and how was it solved?

Note: In all the previous questions marked as solutions I could not find anything useful.

So below I will describe my situation:

  • Last week I changed my Windows AD credentials due to the expiry date
  • Since that moment I keep getting locked every second!
  • If I want to be unlocked, the sys admin has to be on the phone with me. They need to click OK to unlock my user and at the same time I have to click OK in order to log in! Without this synchronization it is not possible, since my user is getting locked too frequently
  • I have changed the password four times but with no result
  • From the AD logs, in event 4740 I can see only that the caller computer name is MWG
  • Our proxy (MWG) is joined to the domain (using the NTLM2 method)
  • I have tried to enable the bad password logs on MWG but nothing useful can be found there
  • I keep getting the popup from the proxy (MWG)
  • I keep getting locked
  • I have logged on to every possible server with RDP and signed out my user from there
  • I have checked all the possible logs from AD but the only thing that I keep seeing is: Caller computer name MWG

 

%NICWIN-4-Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=506628954 cid=9316 eid=728,Mon Nov 02 12:28:46 2020,4776,Microsoft-Windows-Security-Auditing,,Audit Failure,Credential Validation,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: UserName Source Workstation: McAfeeNew Error Code: 0xC0000234

 

  • Tech Support of MWG is saying that it is not MWG which is locking my AD credentials but another computer
  • I believe the opposite: maybe on another workstation where the MWG pop-up appeared I may have entered my AD credentials
  • I have checked all servers and my workstation for Windows Credentials (as everyone is suggesting) but nothing is shown there.
  • I have used Netwrix_Account_Lockout_Examiner on our Domain Controller but I could find nothing

I found some task scheduler entries on my PC with my UserName, which I have disabled, but it is not working.

Since Netwrix_Account_Lockout_Examiner is using event viewer logs I find it useless.

Please could you help me?

Has anyone faced this before? Maybe it is better to close my UserName but I do not find it a good solution.

Is there any way to clear the MWG proxy cache? Maybe a restart of MWG?

 

Thank Youuuu

7 Replies
Tiz
Level 8
Message 2 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hi Naldo,

 

We have this kind of problem quite a lot in our company, because every user has to change the password once a year.

There is not much you can do on the MWG, because the PC with the stored credentials always tries to access the internet and therefore continually authenticates itself with those credentials. So a restart of the appliance or clearing a cache won't help.

What you can do, or what we did, is to write a log file every time an authentication fails (see attachment). With this log file we are able to identify the PC with the stored (old) credentials.

You can find the failure IDs on this post https://community.mcafee.com/t5/Web-Gateway/Troubleshooting-Authentication-Errors-in-MWG-dashboard/t...

 

HTH, Tiz

Naldo
Level 7
Message 3 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hi Tiz,

 

I will try to create the rule you are suggesting. It will be hard since we are using dynamic IPs from our users toward the MWG proxy, so it will be difficult to trace back the source IP.

But I will give it a try and let everybody on the forum know.

 

Thank You

 

Naldo
Level 7
Message 4 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hi Tiz

 

Please can you share the XML of the rule so that I can upload it?

 

Thank You

Tiz
Level 8
Message 5 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hi!

 

Yeah, that will be frustrating with dynamic IPs.

I uploaded the XML.

 

Cheers

Naldo
Level 7
Message 6 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Thank You so much

Naldo
Level 7
Message 7 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hi Tiz

I think I have found something, but I cannot go further:

#Time " Proxy " Failure ID " Failure Reason " UserName " Client IP " URL " Application Name " User-Agent " RuleSet " Test
[03/Nov/2020:14:54:15 +0100] " mwgappl " 3 " Wrong password " UsernameXXXX " 192.X.X.X " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:54:15 +0100] " mwgappl " 3 " Wrong password " UsernameXXXX " 192.X.X.X " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:54:38 +0100] " mwgappl " 3 " Wrong password " UsernameXXXX " 192.X.X.X " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:54:38 +0100] " mwgappl " 3 " Wrong password " UsernameXXXX " 192.X.X.X " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +

 

 

Naldo
Level 7
Message 8 of 8

Re: Active Directory Account Lockouts on Web Gateway Appliances

Hello

Finally I resolved the issue

My windows credentials were inserted into the vATD in order to authenticate for GTI ( Proxy usage )

🙂
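
Added example, not part of the original thread: a parser for the authentication-failure log layout posted in message 7 that groups one user's failures by client IP, URL and User-Agent, which is how a non-browser source such as the one found in message 8 stands out. The sample lines, user names and IP addresses are constructed, and the function names are hypothetical.

```python
from datetime import datetime

# Column order taken from the "#Time ..." header line of the posted log.
FIELDS = ["time", "proxy", "failure_id", "failure_reason", "username",
          "client_ip", "url", "application", "user_agent", "ruleset", "test"]

# Constructed sample lines (hypothetical users, documentation-range IPs).
SAMPLE_LOG = """\
#Time " Proxy " Failure ID " Failure Reason " UserName " Client IP " URL " Application Name " User-Agent " RuleSet " Test
[03/Nov/2020:14:54:15 +0100] " mwgappl " 3 " Wrong password " jdoe " 192.0.2.10 " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:54:15 +0100] " mwgappl " 3 " Wrong password " jdoe " 192.0.2.10 " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:54:38 +0100] " mwgappl " 3 " Wrong password " jdoe " 192.0.2.10 " http://list.smartfilter.com/cgi-bin/updatelist " - " - " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:55:02 +0100] " mwgappl " 3 " Wrong password " asmith " 192.0.2.23 " http://example.com/ " - " Mozilla/5.0 " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:56:40 +0100] " mwgappl " 3 " Wrong password " jdoe " 192.0.2.23 " http://example.com/ " - " Mozilla/5.0 " Authenticate With User AD/Authenticate With AD users " + domain +
[03/Nov/2020:14:57:01 +0100] " mwgappl " 3 " Wrong pass
"""

def parse_line(line):
    """Return a dict for one log line, or None for header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = [p.strip() for p in line.split('"')]  # columns are separated by a double quote
    if len(parts) != len(FIELDS):
        return None  # truncated or otherwise damaged line
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    except ValueError:
        return None
    return rec

def failure_sources(log_text, username):
    """Group one user's failed authentications by (client IP, URL, User-Agent)."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["username"].lower() != username.lower():
            continue
        key = (rec["client_ip"], rec["url"], rec["user_agent"])
        s = stats.setdefault(key, {"count": 0, "first": rec["time"], "last": rec["time"]})
        s["count"] += 1
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for (ip, url, agent), s in failure_sources(SAMPLE_LOG, "jdoe"):
        print(s["count"], ip, url, agent, s["first"].isoformat(), s["last"].isoformat())
```

With dynamic client addresses, the first and last timestamps of the top entry give the window to look up in the DHCP lease records.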