Channel: Directory Services forum

Account lockout in LDAPS

All,

I have an external AD forest created in a DMZ, 1 DC (2012 R2), running Windows CA and ADDS, for which only the LDAPS port 636 is enabled to the other network.

There is another 2008 R2 web server which is in a workgroup. The application (Java based) running on this box connects to this DC through LDAPS for user authentication / user account creation / deletion using an LDAPS service account (used inside the application).

All was set up and was working fine. However, it's been found that as per AD policy auto unlock of AD accounts was not working after 30 minutes (in AD policy it's set that after 3 wrong passwords the account is locked, and another policy unlocks the account after 30 minutes).

After troubleshooting I found that all the accounts which were able to successfully authenticate to AD had the below sequence of events.

4776 - Credential validation
4648 - Explicit credential logon audit
4624 - Successful logon audit
4634 - Logoff event

However, users who have tried with a wrong password more than 3 times have the below scenario:

1. After 3 bad password attempts, users are not able to log in.
2. Accounts are actually not getting locked (no account lockout event) in AD.
3. Administrator logged into AD and unlocked the account from the user account properties (though the account is not locked as per the AD log). The user will then be able to log in with the right password.
4. Since the accounts were not getting locked, they were not getting unlocked by policy; however, users were not able to log in even though they used the right password after 3 attempts.
5. If I directly RDP to the DC with a bad password, an account lockout event is logged. However, if you come through the application authentication (LDAPS account) it's not getting locked.


I suspect that in event ID 4624 the impersonation level is set to Impersonation, so the bad password attempts are not considered as coming from the direct user object. Since the LDAPS service account is impersonating the actual user account, the actual user account is never locked. Let me know if this is right.

I also suspect that the impersonation level is set in the application; there is nothing to configure in AD.

Please let me know your thoughts. I have never seen this behavior; this is really something new to me. I have to get the auto unlock feature working.


Thank you.
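The post above narrows the problem down to two things that can be read directly off the DC: the lockout-related attributes on the user object (badPwdCount, lockoutTime) and the Security events the DC writes for that account (4776, 4740, 4624/4625). The script below is an added diagnostic example, not code from the original post; it collects both for one account so the events described in the post can be compared with what the user object actually records. It assumes the ActiveDirectory RSAT module is present, that it runs on (or has RPC access to) the DMZ DC that handled the authentication, and $SamAccountName is a placeholder for the account under test.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and that $DomainController is the DC whose Security log holds the events.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,        # placeholder account
    [string] $DomainController = $env:COMPUTERNAME,
    [int]    $Hours = 1
)

Import-Module ActiveDirectory

# 1. Lockout-related attributes. badPwdCount and badPasswordTime are not replicated,
#    so they must be read from the DC that actually processed the bad passwords.
$user = Get-ADUser -Identity $SamAccountName -Server $DomainController `
    -Properties LockedOut, badPwdCount, lockoutTime, badPasswordTime

[pscustomobject]@{
    Account         = $user.SamAccountName
    LockedOut       = $user.LockedOut
    BadPwdCount     = $user.badPwdCount
    LockoutTime     = if ($user.lockoutTime)     { [DateTime]::FromFileTime($user.lockoutTime) }     else { $null }
    BadPasswordTime = if ($user.badPasswordTime) { [DateTime]::FromFileTime($user.badPasswordTime) } else { $null }
} | Format-List

# 2. Effective default-domain lockout policy (a fine-grained policy may override it).
Get-ADDefaultDomainPasswordPolicy -Server $DomainController |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 3. Security events for this account in the last $Hours hours.
#    4776 = credential validation (Status 0xC000006A = bad password, 0xC0000234 = locked out)
#    4740 = account locked out; 4624 / 4625 = logon success / failure
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4776, 4740, 4624, 4625; StartTime = $since
    } |
    Where-Object { $_.Message -match [regex]::Escape($SamAccountName) } |
    ForEach-Object {
        # Pull the EventData fields out of the event XML by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time               = $_.TimeCreated
            Id                 = $_.Id
            TargetUser         = $data['TargetUserName']
            Status             = $data['Status']              # 4776 only
            Workstation        = $data['Workstation']         # 4776: machine that sent the request
            LogonType          = $data['LogonType']           # 4624 / 4625
            ImpersonationLevel = $data['ImpersonationLevel']  # 4624
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Run it right after a few deliberate bad-password attempts through the application and again after a failed attempt with the correct password. If badPwdCount stays at 0 and no 4776 with Status 0xC000006A appears for the end user, the DC never saw the wrong password as that user, and the "cannot log in" state the post describes is coming from the application side rather than from AD lockout; if 4776 events do appear but no 4740 follows, the lockout policy itself is what to check.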

