Account lockout information

Hi,

I'm trying to find out information on account lockouts on UAG. We can see a user being locked out when they come in via our UAGs; however, we have no idea what exactly is locking out the account. The error in the Security log on the UAG servers is generic without much information. We publish Outlook Anywhere, OWA and ActiveSync via UAG and I cannot determine which of these is locking the specific user out. Is there a way to determine this?

Thanks,

January 12th, 2015 2:11pm

You need to enable auditing for your domain controllers and servers. It's done using group policies:

Auditing for Domain Controllers:

1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> > Domain Controllers node.
3. Right-click Default Domain Controllers Policy and select Edit from the popup menu.
4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policies node and select the Audit Policy node.
5. Set the Audit Account Management parameter to Success, and Audit Logon Events and Audit Account Logon Events to Failure.

Auditing for Domain:

1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> node.
3. Right-click the Default Domain Policy node and select Edit from the popup menu.
4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policies node and select the Audit Policy node.
5. Set the Audit logon events parameter to Failure.

Then check for events with ID 4740 in the Security logs. Additionally you may use Microsoft Account Lockout Tools or our free tool, Netwrix Account Lockout Examiner.

January 14th, 2015 1:01pm
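Once the auditing above is in place, the two-step hunt the answer describes (find the 4740 lockout on the domain controllers, then look at the machine that reported it) can be scripted. The following PowerShell is an added example written for this thread, not code posted by any participant or shipped with UAG or the tools named above. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Security log remotely on the DCs and on the UAG/Exchange servers, and uses a constructed sample account name `jdoe`.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory RSAT
# module is installed and the caller has rights to read the Security log remotely.
# $User is a constructed sample account name; replace it with the locked-out user.
param(
    [string]$User  = 'jdoe',
    [int]   $Hours = 24
)

Import-Module ActiveDirectory

# Turn an event's EventData section into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Query a remote Security log; "no events found" is an empty result, not an error.
function Get-SecurityEvents {
    param([string]$Computer, [hashtable]$Filter)
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Step 1: event 4740 on every DC records WHICH machine submitted the bad passwords.
$lockouts = foreach ($dc in $dcs) {
    foreach ($e in Get-SecurityEvents -Computer $dc -Filter @{ LogName = 'Security'; Id = 4740; StartTime = $since }) {
        $d = ConvertTo-EventData $e
        if ($d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc
            LockedAccount    = $d.TargetUserName
            # 4740 stores the "Caller Computer Name" field as TargetDomainName.
            CallerComputer   = $d.TargetDomainName
        }
    }
}
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Step 2: on each caller (here a UAG or Exchange server), the 4625 logon failures
# for the user carry the logon process, authentication package and source address.
$callers = $lockouts | Select-Object -ExpandProperty CallerComputer -Unique
foreach ($srv in $callers) {
    foreach ($e in Get-SecurityEvents -Computer $srv -Filter @{ LogName = 'Security'; Id = 4625; StartTime = $since }) {
        $d = ConvertTo-EventData $e
        if ($d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Server       = $srv
            LogonType    = $d.LogonType
            LogonProcess = $d.LogonProcessName
            AuthPackage  = $d.AuthenticationPackageName
            SourceIP     = $d.IpAddress
            Process      = $d.ProcessName
        }
    }
}
```

Save it as a .ps1 and run it with `-User <account>`. The CallerComputer column answers the first half of the question (which UAG or Exchange server is submitting the bad credentials); the 4625 rows from that server give the time, source IP and logon process of each failure, which can then be matched against that server's IIS request logs to see whether the failing requests were hitting the OWA, ActiveSync or Outlook Anywhere path.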

Do you have this key on the UAG?

HKLM\Software\Whalecom\e-gap\von\urlfilter

DWORD value: FullAuthPassThru=1

This should bypass the authentication on the UAG and go directly to the back-end server. In the case of Exchange, the Exchange server should authenticate the connection, and the lockout should then appear in your logs as occurring on the Exchange server.
February 4th, 2015 5:44am
