Windows account lockout

[Patrick Kennelly]

Some users seemed to be getting locked out randomly when using the VPN on NS 10.5. I have a program that tell me when an account is locked and where from.

 

Usually it iwill say PC1234,

 

but in this case it comes up as NETSCALER.

 

Any ideas or what logs to look in?

 

Thanks

[Paul Blitz]

There should be information in the Syslog, which you can view and filter from the GUI.

 

How is your LDAP auth set up? Is it using a Load Balancer, or do you simply have multiple LDAP policies (pointing to multiple DCs) bound to the vserver?

 

You'll find that the requests will come from the NSIP (SNIP if load balanced), which is why they appear to come from the NS.

[Patrick Kennelly]

Just 2 LDAP servers  bound to the Vserver.

[Patrick Kennelly]

What would I look for in the NS logs?

[Patrick Kennelly]

Anyone?

 

If I deliberately lock out my account, I see the origin client as my laptop, but these users are seeing NETSCALER, that’s not hostname of my NetScaler’s

[Patrick Kennelly]

I see this in the domain controler logs

 

The computer attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    user.name
Source Workstation:    NETSCALER
Error Code:    0xC000006A

[Paul Blitz]

What happens is that the client enters the credentials on the netscaler login page. The netscaler then uses its credentials to do an LDAP check on the client's credentials, so yes, the LDAP request is indeed coming from your netscaler.

 

When a user logs in with bad credentials, it will fail on the first bound LDAP, so Netscaler will now try the second LDAP. From the domain's perspective, it just saw TWO bad logins.

 

If the user logs in a second time with bad credentials, that's a 3rd and 4th bad login = account locked.

 

That is (one reason) why an LDAP load-balancer should be used: each user login (bad) request then only causes the domain to see ONE bad login.

 

Bad logins should show up in the Netscaler syslog, so you might want to go take a look to see if that gives some hints.

 

You can monitor logins real-time by going to the CLI, then typing "shell" and then "cat /tmp/aaad.debug" (ctrl-c to stop)

[Vivak HANGLOO1709158821]

Did you find any solution for this??

[Dhandapani K1709161007]

Hello All,

 

Is there any solution found for this issue. we are experiencing the same issue with many users.

 

[Tim Sievers]

If anyone is still struggling with this, it's very possible that you need to add the full distinguished name and not user@domain for the bind DN that the documentation alludes to.

 

Bad: citrix@domain.org

Good: CN=citrix,OU=Users,DC=domain,DC=org