kbolt
Level 10

Constant Windows Domain User Lockout

Hello all, I've been experimenting with the Explicit Proxy Authentication and Authorization ruleset so that I could control which AD groups would have access to the web. I've been using this setup without issue for some time now in my test area, but all of a sudden the user account I've been testing with is constantly being locked out, which leads to the Authentication Prompt showing up in the browser. I'm not sure why that happens, but when I look at the Rule Trace, I see a LOT of authenticate actions, for each of the URLs that would be contacted in loading YouTube's homepage for example.

I theorized that the constant authentication requests may have "bombarded" the DC thereby making the account locked out so I tried to increase the TTL for the NTLM cache to 5 minutes but I've seen no change yet. I'm currently using the stock Authentication ruleset with the User Database at Authentication server setting. Any assistance would be greatly appreciated.

0 Kudos
5 Replies
McAfee Employee

Re: Constant Windows Domain User Lockout

Hi Kbolt!

I've run into this issue a number of times and it usually ends up being the Credential Manager on the workstation. Clearing that out will usually resolve the issue for the user.

If you wanted to track something like this, I created a log which will look for the generic "bad password" event; see this thread:

Also it is worth noting that the Authentication.FailureID is the same (3) for different types of events ():

Actual Problem       = Authentication.FailureReason
Wrong password       = Wrong password
Locked out           = Wrong password
Password expired     = Wrong password
Not allowed computer = Wrong password

Best Regards,

Jon
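The "bad password" log Jon refers to is not reproduced in the thread. As an added example (mine, not McAfee's or the thread's), the Python below does the same hunt over constructed MWG-style access-log lines: the key=value layout and the field names auth_failure_id / auth_failure_reason are assumed stand-ins for the Authentication.FailureID / Authentication.FailureReason properties, so adapt LINE_RE to whatever your log handler actually writes. It counts FailureID 3 events per user in a sliding window and lists the client IPs that produced them, which is what points you at the workstation whose Credential Manager holds the stale password. Because FailureReason reads "Wrong password" for all four cases in the table above, the log alone cannot separate a lockout from an expired password; the DC's own events settle that.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real MWG output: the key=value layout and the
# field names auth_failure_id / auth_failure_reason are assumed stand-ins for
# the Authentication.FailureID / Authentication.FailureReason properties.
SAMPLE_LOG = """\
2019-03-14 10:02:11 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://www.youtube.com/
2019-03-14 10:02:11 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://s.ytimg.com/yts/jsbin/player.js
2019-03-14 10:02:12 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://i.ytimg.com/vi/sample/hqdefault.jpg
2019-03-14 10:02:12 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://www.youtube.com/feed/trending
2019-03-14 10:02:13 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://www.youtube.com/api/stats
2019-03-14 10:02:13 user="CORP\\kbolt" client=10.0.0.9 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://www.youtube.com/
2019-03-14 10:02:14 user="CORP\\kbolt" client=10.0.0.5 auth_failure_id=0 auth_failure_reason="" url=https://www.youtube.com/
2019-03-14 10:05:30 user="CORP\\jdoe" client=10.0.0.7 auth_failure_id=3 auth_failure_reason="Wrong password" url=https://www.example.com/
this line is not in the expected layout and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user="(?P<user>[^"]*)" '
    r'client=(?P<client>\S+) auth_failure_id=(?P<fid>\d+) '
    r'auth_failure_reason="(?P<reason>[^"]*)"'
)


def parse_failures(text):
    """Parse the lines we understand; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "client": m["client"],
            "fid": int(m["fid"]),
            "reason": m["reason"],
        })
    return events


def lockout_candidates(events, threshold=5, window_seconds=60):
    """Users with >= threshold FailureID-3 events inside any window_seconds span.
    Returns {user: {"burst": max_events_in_window, "clients": [ip, ...]}}.
    The client list is the useful part: one workstation hammering the proxy
    with a stale password is the Credential Manager case from the thread."""
    per_user = defaultdict(list)
    clients = defaultdict(set)
    for e in events:
        if e["fid"] != 3:
            continue
        per_user[e["user"]].append(e["ts"])
        clients[e["user"]].add(e["client"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, burst = 0, 0
        # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[user] = {"burst": burst, "clients": sorted(clients[user])}
    return flagged


if __name__ == "__main__":
    for user, info in lockout_candidates(parse_failures(SAMPLE_LOG)).items():
        print(f"{user}: {info['burst']} failures in 60s from {', '.join(info['clients'])}")
```

Run it as-is and only CORP\kbolt is reported, with both client addresses listed; lower the threshold to see CORP\jdoe's single failure too. The window and threshold should track your domain's lockout policy (observation window and bad-password count) so the script fires before the DC does.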

McAfee Employee

Re: Constant Windows Domain User Lockout

Hi kbolt,

Did this work for you? I saw you liked it. I have posted this information a number of times, but didn't get much feedback.

Best Regards,

Jon

0 Kudos
kbolt
Level 10

Re: Constant Windows Domain User Lockout

My apologies, Jon. I assumed I would have been able to mark this as an answer. While your advice did help a lot, it seemed like that particular user account had some issues. Also, when I observe the rule engine trace, I see that there are multiple authentication steps for a web request. I'd take a screenshot but my MWG appliance is currently down for some network reconfiguration. I have only one Authenticate With User Database rule so I'm not sure why I see two authenticate steps. I think that may have contributed to the account lockouts.

0 Kudos
McAfee Employee

Re: Constant Windows Domain User Lockout

Hi Kbolt,

That might be a red herring.

It is important to understand that NTLM authentication is a three-step process; this is what you see in the rule traces.

The steps for MWG to authenticate a user are NEGOTIATE, CHALLENGE, AUTHENTICATE. So whenever you run a rule trace or tcpdump, you will always see three requests before MWG allows it.

I have examples on this Best Practice:

https://community.mcafee.com/servlet/JiveServlet/download/4384-6-61924/1.5.0_directproxy_ntlm.pcap.z...

Best Regards,

Jon
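To make the three-step point concrete without the pcap, here is an added Python example (mine, not McAfee's or the thread's) that classifies the NTLMSSP token carried in Proxy-Authorization / Proxy-Authenticate headers by its MessageType field and walks a constructed client/proxy exchange the way a rule trace would show it. The exchange, the header dictionaries and the minimal tokens are constructed; the "NTLMSSP\0" signature followed by a little-endian 32-bit type is the standard NTLMSSP message header. It also covers the failure case: when the proxy answers the final AUTHENTICATE with another 407, the browser starts the handshake over, and each restart is one more attempt against the DC with the same credentials, which is how a stale cached password turns into a lockout.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(header_value):
    """MessageType (1, 2 or 3) of the NTLMSSP token in a 'NTLM <base64>'
    Proxy-Authorization / Proxy-Authenticate value; None for a bare 'NTLM'
    challenge, a different scheme or a token that is not NTLMSSP."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    # bytes 0-7: signature, bytes 8-11: little-endian MessageType
    return struct.unpack_from("<I", raw, 8)[0]


def fake_ntlm_token(msg_type):
    """Constructed token carrying only signature + type; real messages have
    flags, the server challenge and the client response after that."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8).decode()


def sample_exchange(success=True):
    """Constructed client/proxy hops for one request through an NTLM
    explicit proxy. With success=False the proxy rejects the final
    AUTHENTICATE, which is what a stale cached password produces."""
    final = ({"from": "proxy", "status": 200, "headers": {}} if success
             else {"from": "proxy", "status": 407, "headers": {"Proxy-Authenticate": "NTLM"}})
    return [
        {"from": "client", "headers": {}},
        {"from": "proxy", "status": 407, "headers": {"Proxy-Authenticate": "NTLM"}},
        {"from": "client", "headers": {"Proxy-Authorization": "NTLM " + fake_ntlm_token(1)}},
        {"from": "proxy", "status": 407, "headers": {"Proxy-Authenticate": "NTLM " + fake_ntlm_token(2)}},
        {"from": "client", "headers": {"Proxy-Authorization": "NTLM " + fake_ntlm_token(3)}},
        final,
    ]


def trace_handshake(exchange):
    """Label every hop and count client requests until the proxy stops
    answering 407. Returns (labels, requests_before_allow); the count is
    None when the handshake never completes, i.e. the client starts over
    and presents the same credentials to the proxy (and thus the DC) again."""
    labels, requests = [], 0
    for msg in exchange:
        if msg["from"] == "client":
            requests += 1
            hdr = msg["headers"].get("Proxy-Authorization", "")
            labels.append(NTLM_TYPES.get(ntlm_message_type(hdr), "ANONYMOUS"))
        elif msg["status"] == 407:
            hdr = msg["headers"].get("Proxy-Authenticate", "")
            labels.append(NTLM_TYPES.get(ntlm_message_type(hdr), "407 NTLM offered"))
        else:
            labels.append(f"{msg['status']} allowed")
            return labels, requests
    return labels, None


if __name__ == "__main__":
    for ok in (True, False):
        labels, n = trace_handshake(sample_exchange(ok))
        print(" -> ".join(labels), "| client requests before allow:", n)
```

The successful run reports three client requests before the 200, matching what Jon describes in the rule trace; the failed run ends on a fresh bare-NTLM 407 and reports None, and that loop repeating per URL on a page load is the pattern kbolt saw. If you want the same classification over a real capture, feed it the header values tcpdump or the rule trace shows you; ntlm_message_type only needs the header string.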

rwp747
Level 7

Re: Constant Windows Domain User Lockout

Hi folks,

We had a few users who experienced constant account lockouts when using MWG and NTLM authentication. Using our SIEM tool, we could see that it was the Alkami Network Interface on the end users computer that was locking the account.

We got on the users computer and disabled it and this fixed their issue. (Start - Run - msconfig - uncheck alkami - reboot).

Cheers,

Randy