[THIN] Re: Account Lockouts
- From: "Jeff Durbin" <techlists@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Tue, 19 Apr 2005 15:48:58 -0700
Check the time on the DC and Server A. If they're more than 5 minutes apart
(I think it's 5 minutes), your Kerberos tickets could be expired and may be
causing the authentication failures that lead to account lockout.
JD
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Brookus, Tony (ITCD)
Sent: Friday, April 15, 2005 12:35 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Account Lockouts
I think I've seen this issue posted before (once by me) without a good
resolution, so thought I'd give it another shot.
Setup :
Windows 2003 (all critical hotfixes) (also tried SP1)
Metaframe XP FR3 SP4, though problem also occurs via RDP
Steps :
- Log into Server A once as a user, then logoff
- Reset password (from hyena, mmc, or user reset from a different server)
- Log into Server A with new password
- Account is (nearly) immediately locked out (5 retry limit in place)
I've set the number of cached logins to 0 via GPO, enabled Kerberos logging
(also tried maxpacketsize and max tokensize settings), alockout.dll which
didn't tell me anything, and disabled UPHClean. Logs tells me nothing
enlightening. I've eliminated login scripts or any drive mapping as the
cause. The only "fixes" are to either reset the user's password to the old
password or to reboot that terminal server (scheduled reboots weekly). We
are currently in an AD domain, which has only made the problem worse (I can
actually recreate the problem now). With a NT domain, the problem was more
sporadic.
As best I can figure, the terminal server is somehow caching the account's
password. The domain obviously know the correct one, but the server itself
doesn't seem to want to believe it.
This is causing major headaches for me and way too many calls to the Help
Desk. Short of calling Microsoft, I'm stumped. Anyone have any thoughts?
Thanks,
Tony
Other related posts:
