Jump to content


Account Lockouts with Pass-through Authentication

Started by David Tiede , 08 January 2008 - 03:26 PM
19 replies to this topic

David Tiede Members

David Tiede
  • 8 posts

Posted 08 January 2008 - 03:26 PM

Some of our user accounts are getting locked out when using the PNA and pass-through authentication.

We're running Windows Server 2003 SP2 with PS 4.5. We have a web interface server (for the PNA) and one presentation server. In the event log on our DC I get Logon/Logoff 529s and Account Logon 680s.

Any ideas what could be going on? I've tried recreating user accounts, rejoining computers and the server to the domain, reinstalling the client, deleting profiles, and changing authentication methods on the WI.

David Tiede Members

David Tiede
  • 8 posts

Posted 11 January 2008 - 03:43 PM

No one has ever experienced this problem?

Peter Bieganski Members

Peter Bieganski
  • 4 posts

Posted 11 January 2008 - 07:32 PM

Have the accounts that have been locked, recently changed thier password.
Seems to me that the pnagent on login takes the login information and passes it on when requested by citrix.
if the AD info has changed and pna is not aware until they relogin completely in AD.

does this make sense?

David Tiede Members

David Tiede
  • 8 posts

Posted 15 January 2008 - 03:22 PM

They have not recently changed passwords in any of the cases I've seen. The credentials are up to date.

The oddity is that the event log shows a couple bad username or password events, but after that the authentication succeeds and they are able to get into the appplication. The only time they get locked out is if they access an application 5 times within a five hour period. (Account lockout is set to 10 attempts with reset after 5 hours - starting a published application triggers two bad username/password events.)

It appears the NTLM authentication is failing and Kerberos is succeeding. Is there a way I can disable the NTLM authentication on Citrix to test this theory?

Chris Wallis Members

Chris Wallis
  • 50 posts

Posted 15 January 2008 - 04:14 PM

we have the same problem - but with PS4.0 - we haven't finished the rollout for 4.5 yet so haven't seen whether this issue appears again.

We thought it might be to do with either applications that can't use SSO so require to reauthenticate or
diconnected sessions reconencted and doing something funny

Lutz Herzog-Odena Members

Lutz Herzog-Odena
  • 61 posts

Posted 31 January 2008 - 05:40 PM

Any update on this?
We have users whose accounts get locked out only minutes after unlocking them when they access published apps via Access Gateway. Once they are logged on, they can continue with their work, but the next logon attempt will (correctly) fail.

Message was edited by: lherzogo

OK, problem here was published app Outlook. After adjusting the "options>security>settings for automatic downloads..." settings and changing the saved proxypasswd, the problem was solved.
We use the domain account also for proxy auth.. As the profile-saved proxypasswd was no longer equal to the current domainpwd after a password-change , Outlook tried to use this saved (old) passwd too many times which resulted in the lock out of the domain account.

Administrator Administrators

  • 2 posts

Posted 01 February 2008 - 03:43 PM


I have the same problem.
Citrix MPS4, Win 2003 SP1, and PN Agent from the Citrix 9.2 client.
Lots of account lockouts for users who connects to Citrix via the PN Agent.
No account lockouts with people who only use a published desktop via the Citrix Program Neighborhood.
Maybe make a Citrix call for this?

David Tiede Members

David Tiede
  • 8 posts

Posted 01 February 2008 - 03:48 PM

We rolled back to Citrix 4.0 and no longer have any issues.

Brian Cooper Members

Brian Cooper
  • 25 posts

Posted 01 February 2008 - 05:12 PM

Are users mapping any network drives during logon via a logon script?

I've seen issues where the user will access their apps and since they are receiving network drives they are trying to access those simultaneously. If they fail to login to three of those drives, they will be locked out.

If this is the case try placing the script in test OU and check to see if your test users fail to map these drives.

adversly...you can try to have one of the effected accounts login to the desktop of a server (under supervised access, of course) with the network drives mapped and see if they have access to them...if you have three mapped when they connect...see if their user account becomes locked after login.

If your domain policy is set to more then three failed attempts then add the appropriate amount of network mapped drives.

I hope this helps.

David Tiede Members
  • #10

David Tiede
  • 8 posts

Posted 01 February 2008 - 05:48 PM

We're still having this issue.

That doesn't help, we are using pass through authentication. If Citrix is passing bad credentials, how can we control it?

Robert Lloyd Members
  • #11

Robert Lloyd
  • 980 posts

Posted 01 February 2008 - 06:41 PM

I've seen this with password caching.....

David Tiede Members
  • #12

David Tiede
  • 8 posts

Posted 20 March 2008 - 02:01 PM

We still have not been able to resolve this issue, has anyone else figured this out?

If it were password caching, where would I look for that?

Dennis Boyce Members
  • #13

Dennis Boyce
  • 1 posts

Posted 02 April 2008 - 08:58 PM

Doesn't Citrix ever look at these forums?

I'm evaluating the sw and having this issue.

How do they expect me to buy it if they don't solve these problems?

James Moore Members
  • #14

James Moore
  • 242 posts

Posted 03 April 2008 - 12:32 PM

Here's a theory.....

This may be a problem with synchronization between multiple domain controllers. This happens particularly when a user has recently changed a pass word. What happens is this: Which ever domain controller the user was on when he changed his password, has the password recorded. The next time the user logs in and gets a different domain controller, THAT domain controller does NOT have the new password, it's looking for the old one, user doesn't use it, THAT controller locks the user out. User gets password reset and the entire scenario starts again.

Microsoft has several fixes for this, most of which involve re-assigning domain roles and synchronization configuration.

Stephen Maynard Members
  • #15

Stephen Maynard
  • 2 posts

Posted 02 June 2008 - 10:35 AM

David, did you ever find a solution to this problem?
We have started experiencing exactly the same symptoms (although only with PS 4.0)... Accounts getting locked out after successfully logging on through PNA. We have locked down desktops preventing any rogue applications, services etc and there are no replication issues between our handful of domain controllers. We enforce monthly password changes but have seen problems with passwords that have been unchanged for at least two weeks.

This is proving extremely difficult to resolve and any new information would be very useful.

David Tiede Members
  • #16

David Tiede
  • 8 posts

Posted 02 June 2008 - 01:29 PM

We never found a solution to this problem. Citrix didn't provide any help either. We migrated back to PS 4.0, but still have the same problem. (It's not a password sync issue between DCs)

Stephen Maynard Members
  • #17

Stephen Maynard
  • 2 posts

Posted 03 June 2008 - 09:14 AM

Looks like we may have found a solution to our problem - our Antivirus product (eTrust) looks like it is responsible. Removing the "Protect network drives" option has stopped the account lockouts on our test server.

Erik Mast Members
  • #18

Erik Mast
  • 1 posts

Posted 17 September 2008 - 02:42 PM


I have this problem also. And we to use E-trust. Can you confirm e-trust is causing this? I have realtime already of on the PS 4.5 servers.

With kind regards,

Erik Mast

Oscar Nogales Members
  • #19

Oscar Nogales
  • 4 posts

Posted 09 December 2008 - 11:46 AM

I was suffering the same problem, getting users locked on AD when logging from AG 4.5 to WI on PS 4.5 with SSO between AG and WI.

In my case, I have Trend Micro Antivirus installed on Citrix Server with Network file protection enabled. I have disabled it and the issue has disappeared.

Hope this info helps.

Sandy Williams Members
  • #20

Sandy Williams
  • 23 posts

Posted 09 December 2008 - 09:28 PM

Just a suggestion, check password caching -- if it's XP go to Control Panel, User Accounts , click Advanced tab, click the Manage Passwords button, remove whatever is in that window and close and try again ?