Why can I login to a locked account with the UPN?
I created a PSO policy that locks an account after 3 failed attempts. When I log in to OWA with an incorrect password 3 times, using the UPN, the account in AD is locked, but I can still log in with the UPN. I cannot log in with the user name only. If I log in with the user name and do 3 failed attempts, and then use the correct password, the account is locked out. But I can still log in with the user's UPN. This seems like a security issue. Does anyone know how to fix it?
February 1st, 2011 7:01pm
When you log in with a UPN, a global catalog must be located and used. When you don't use a UPN, any DC can authenticate you. I'm not sure what your issue is, but I'd investigate replication and configuration of GCs.
Mike Crowley
Check out My Blog!
February 1st, 2011 9:35pm
Only one DC and one GC (same box). The issue is that a user can still login to OWA when their account is locked out by using the UPN as the login. This should not be possible.
February 2nd, 2011 10:13am
Interesting. I assume you're not using ISA or TMG either, right?
Mike Crowley
Check out My Blog!
February 2nd, 2011 10:50am
That is correct. I am running a simple 2-server network: the DC is Windows 2008 and Exchange 2007 is on Windows 2008. Log in 6 times with the username and an incorrect password and the account is locked out and you cannot log in with the username. But you can log in with the UPN. This seems like a security hole that could be exploited by a brute force attack.
February 2nd, 2011 11:11am
Something very odd is going on with Active Directory. If I log in with the username, the badPwdCount attribute is incremented by 2 for each failed login. If I log in with the UPN, the badPwdCount attribute is incremented by 4. If the PSO is set to lock out after 4 failed attempts, the user is locked out after 1 attempt using the UPN, and 2 attempts if using the user name.
February 2nd, 2011 11:24am
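To pin down counter behaviour like the badPwdCount jumps described above, a defender wants the effective lockout threshold for the account and the raw counters as each DC sees them (badPwdCount and badPasswordTime are not replicated, so each DC has its own copy). The following PowerShell is an added example, not code from anyone in this thread; it assumes the ActiveDirectory module (RSAT) is installed and takes a sAMAccountName in the hypothetical `$SamAccountName` parameter.

```powershell
# Added example: show the effective lockout threshold and per-DC lockout counters for one account.
# Assumes the ActiveDirectory module; $SamAccountName is a caller-supplied sAMAccountName.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Which lockout threshold actually applies: a PSO if one is assigned, else the domain default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($null -eq $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default Domain Policy'
} else {
    $source = "PSO '$($policy.Name)'"
}
Write-Host ("Effective lockout threshold for {0}: {1} (from {2})" -f $SamAccountName, $policy.LockoutThreshold, $source)

# badPwdCount and badPasswordTime are per-DC and never replicate, so query every DC directly.
# The GC flag matters because UPN logons need a global catalog to resolve the UPN.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut, UserPrincipalName
        [pscustomobject]@{
            DC              = $dc.HostName
            IsGlobalCatalog = $dc.IsGlobalCatalog
            UPN             = $u.UserPrincipalName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            LockedOut       = $u.LockedOut
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
```

Run it once before and once after each failed OWA logon and diff the BadPwdCount column; a jump of more than one per attempt means the front end is retrying the credential against the DC more than once. Correlate the increments with Security log events 4625 (failed logon) and 4740 (account locked out) on the DC to see how many authentication attempts each OWA submission actually generates.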
http://blogs.technet.com/b/isablog/archive/2007/11/28/account-lockout-not-working-using-upn-format-to-logon-with-forms-bases-authentication-in-isa-server-2006.aspx
This suggests there is a hotfix, but that would have been included in 2008 already. I suggest you contact PSS for further investigation.
Mike Crowley
Check out My Blog!
February 2nd, 2011 12:26pm
Hi there
This happened to me, and we had an audit that day and he gave us a bad score because of this. Then I did some investigation, and the result was this.
If you enable the screen saver lockout policy in the GP, it will lock the account after 3 or 4 attempts, or as you configured it. Then, if you enter the correct user name and password, it will log you on; then, if you log out and want to log on again, it will suspend you. But if you disable the screen saver lockout, it will suspend you from logging in from the first time, even if the correct user name and password are used. It's tested and I did this practically.
Try it and I hope it works for you.
April 10th, 2012 4:49pm