Hello all, I've been experimenting with the Explicit Proxy Authentication and Authorization ruleset so that I could control which AD groups would have access to the web. I've been using this setup without issue for some time now in my test area, but all of a sudden the user account I've been testing with is constantly being locked out, which leads to the Authentication Prompt showing up in the browser. I'm not sure why that happens, but when I look at the Rule Trace, I see a LOT of authenticate actions, one for each of the URLs that would be contacted in loading YouTube's homepage, for example.
I theorized that the constant authentication requests may have "bombarded" the DC, thereby making the account locked out, so I tried to increase the TTL for the NTLM cache to 5 minutes, but I've seen no change yet. I'm currently using the stock Authentication ruleset with the User Database at Authentication server setting. Any assistance would be greatly appreciated.
I've run into this issue a number of times and it usually ends up being the Credential Manager on the workstation. Clearing that out will usually resolve the issue for the user.
If you wanted to track something like this, I created a log which will look for the generic "bad password" event, see this thread:
Actual Problem = Authentication.FailureReason
Wrong password = Wrong password
Locked out = Wrong password
Password expired = Wrong password
Not allowed computer = Wrong password
My apologies, Jon. I assumed I would have been able to mark this as an answer. While your advice did help a lot, it seemed like that particular user account had some issues. Also, when I observe the rule engine trace, I see that there are multiple authentication steps for a web request. I'd take a screenshot, but my MWG appliance is currently down for some network reconfiguration. I have only one Authenticate With User Database rule, so I'm not sure why I see two authenticate steps. I think that may have contributed to the account lockouts.
That might be a red herring.
It is important to understand that NTLM authentication is a three-step process; this is what you see in the rule traces.
The steps for MWG to authenticate a user are NEGOTIATE, CHALLENGE, AUTHENTICATE. So whenever you run a rule trace or tcpdump, you will always see three requests before MWG allows it.
I have examples on this Best Practice:
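As an added example (not code from this thread, from MWG, or from any poster), the following Python models the three-message NTLM exchange described above and shows why a rule trace lists several authentication actions per URL, and how a stale stored credential on the workstation (the Credential Manager case mentioned earlier) turns every URL of a page load into a failed AUTHENTICATE step that counts toward a lockout threshold. The credential store, lockout threshold, URLs and the keyed-hash stand-in for the NTLM response are all constructed assumptions, not real NTLM or MWG internals.

```python
import hashlib
import hmac
import os

# Constructed credential store and lockout policy (assumptions for this example).
USERS = {"testuser": b"correct-password"}
LOCKOUT_THRESHOLD = 5

def ntlm_response(password: bytes, challenge: bytes) -> bytes:
    """Simplified stand-in for the NTLM Type 3 response: keyed hash of the challenge."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class ExplicitProxy:
    """Models per-request NTLM handling: NEGOTIATE -> CHALLENGE -> AUTHENTICATE."""

    def __init__(self, cache_enabled: bool = True):
        self.cache_enabled = cache_enabled
        self.auth_cache = set()   # users whose last handshake succeeded (TTL not modelled)
        self.failures = {}        # user -> consecutive failed AUTHENTICATE steps
        self.trace = []           # one entry per auth action, like a rule trace

    def request(self, user: str, password: bytes, url: str) -> int:
        """Handle one URL fetch; returns the HTTP status the client finally sees."""
        if self.cache_enabled and user in self.auth_cache:
            return 200                             # cache hit: no handshake in the trace
        self.trace.append(("NEGOTIATE", url))      # client sends NTLM Type 1
        challenge = os.urandom(8)                  # proxy answers 407 with a Type 2 nonce
        self.trace.append(("CHALLENGE", url))
        self.trace.append(("AUTHENTICATE", url))   # client sends Type 3
        expected = ntlm_response(USERS[user], challenge)
        if hmac.compare_digest(expected, ntlm_response(password, challenge)):
            self.auth_cache.add(user)
            self.failures[user] = 0
            return 200
        self.failures[user] = self.failures.get(user, 0) + 1   # a DC would count this too
        return 407

def load_page(proxy: ExplicitProxy, user: str, password: bytes, urls):
    """Fetch every URL of a page; returns (auth steps traced, failures, locked_out)."""
    for url in urls:
        proxy.request(user, password, url)
    failures = proxy.failures.get(user, 0)
    return len(proxy.trace), failures, failures >= LOCKOUT_THRESHOLD

if __name__ == "__main__":
    page = [f"https://example.invalid/asset{i}" for i in range(5)]   # constructed URLs
    print("cache on, good password :", load_page(ExplicitProxy(), "testuser", b"correct-password", page))
    print("cache off, good password:", load_page(ExplicitProxy(False), "testuser", b"correct-password", page))
    print("stale stored password   :", load_page(ExplicitProxy(), "testuser", b"old-password", page))
```

With the cache on and a good password, only the first URL produces the three trace entries; with a stale stored password, the cache is never populated, so every URL repeats the failing handshake and the failure count reaches the threshold within one page load.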
We had a few users who experienced constant account lockouts when using MWG and NTLM authentication. Using our SIEM tool, we could see that it was the Alkami Network Interface on the end user's computer that was locking the account.
We got on the user's computer and disabled it, and this fixed their issue. (Start - Run - msconfig - uncheck alkami - reboot).