Services/clients and authentication?

By cp7212
I am having a random account lockout issue with clients on our network. I have a funny feeling that something is not being authenticated and once the DC gets the third unsuccessful request, it locks the account, per our account lockout policy. These clients are usable by a majority of our associates.

Normally, I would think a user was locking it out, but the randomness makes me think otherwise. Could anyone give me some suggestions as to which services and/or clients need authentication? I know ntpclient is one....

I don't have access to the servers to check the authentication, I need to go through someone else. But if I don't present a case, they won't take me seriously. It stinks, but someone's got to do it. Thanks all for helping me out.

by BFilmFan In reply to Services/clients and auth ...

Random lockouts are not an unusual phenomenon, if you have systems which are still using NTLM authentication.

You must remember that a client attempts to authenticate with Kerberos before attempting NTLM. This means that each bad password attempt to an NTLM-authenticated resource actually counts for 2 bad login attempts and not 1.

If you are set to 3 bad login attempts lockout, your client will get only 1 login attempt. Since the Kerberos attempt will be automatically rejected by the NTLM-authenticated resource, your client will be locked out on their second attempt to authenticate.

Microsoft has recommended that bad login attempt lockout in an NTLM environment be set to no less than 10. Although most security people have a fit seeing it set this high, this will prevent the majority of the account lockout events.
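An added example (not from this thread) of how a defender would show the double-counting described above from the DC's own logs: it pairs a Kerberos pre-authentication failure (event 4771) with the NTLM failure (event 4776) that follows it for the same account and source, counts the pair as one user attempt, lists the source hosts so the case can be presented to the server team, and computes at which user attempt a given threshold locks the account. The event IDs are real Windows security events; the tuple layout, the 5-second pairing window and all sample entries are constructed assumptions.

```python
"""Correlate DC authentication failures to expose NTLM-fallback double counting."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, simplified to (timestamp, event id, account, source host).
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation failed,
# 4740 = account locked out (informational here, not a failure to count).
SAMPLE_EVENTS = [
    ("2024-01-15 08:00:01", 4771, "jdoe", "WKS-17"),
    ("2024-01-15 08:00:01", 4776, "jdoe", "WKS-17"),     # NTLM fallback of the same attempt
    ("2024-01-15 08:05:30", 4771, "jdoe", "WKS-17"),
    ("2024-01-15 08:05:31", 4776, "jdoe", "WKS-17"),     # second attempt, count now 4 -> locked
    ("2024-01-15 08:05:31", 4740, "jdoe", "WKS-17"),
    ("2024-01-15 09:10:00", 4771, "asmith", "WKS-02"),
    ("2024-01-15 09:12:00", 4776, "asmith", "FILESRV-1"),  # different source: separate attempt
]

FAILURE_IDS = {4771, 4776}
PAIR_WINDOW = timedelta(seconds=5)  # assumed: fallback follows within a few seconds


def effective_attempts(events, window=PAIR_WINDOW):
    """Return {account: (raw_failures, user_attempts, sorted_source_hosts)}.

    A 4776 that follows a 4771 for the same account and source within `window`
    is treated as the NTLM fallback of one user attempt, not a new attempt.
    """
    per_account = defaultdict(lambda: {"raw": 0, "attempts": 0, "sources": set(), "last": None})
    for ts, eid, account, source in events:
        if eid not in FAILURE_IDS:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rec = per_account[account]
        rec["raw"] += 1
        rec["sources"].add(source)
        last = rec["last"]
        is_fallback = (eid == 4776 and last is not None and last[0] == 4771
                       and last[1] == source and when - last[2] <= window)
        if not is_fallback:
            rec["attempts"] += 1
        rec["last"] = (eid, source, when)
    return {a: (r["raw"], r["attempts"], sorted(r["sources"])) for a, r in per_account.items()}


def attempt_that_locks(threshold, counts_per_attempt=2):
    """User-visible attempt on which the badPwdCount reaches `threshold`."""
    return -(-threshold // counts_per_attempt)  # ceiling division


if __name__ == "__main__":
    for account, (raw, attempts, sources) in effective_attempts(SAMPLE_EVENTS).items():
        print(f"{account}: {raw} failures logged, {attempts} real attempts, from {sources}")
    print("threshold 3 locks on attempt", attempt_that_locks(3))
    print("threshold 10 locks on attempt", attempt_that_locks(10))
```

With a threshold of 3 the function reports a lockout on the second user attempt, matching the behaviour described in the reply above; raising the threshold to 10 gives the user five attempts.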

by cp7212 In reply to

I was hoping you could give me some more info on this, but you definitely pointed me in a good direction.

by cp7212 In reply to Services/clients and auth ...

Sorry to ask another question. You said that Kerberos can count as two failed authentications. Is this from a telnet and a rlogin attempt? Or could you please explain how it counts as two? Thanks again for the help.

by cp7212 In reply to Services/clients and auth ...

This question was closed by the author
