This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN single mistyped password causes AD lockout

We have SSL VPN connected to our Active Directory domain controllers. We found that after configuring the VPN our users were routinely locking out their AD accounts. This is happening after a single mistype of a password on the SSL VPN. I have researched the issue and other posts seem to indicate that having multiple domain controllers configured in "Authentication > Servers" is the cause. Possibly that a single mistype of a password tries to authenticate against DC1, then after failure it moves to DC2, 3, and so on until it gets to lockout threshold or gets a correct password.

Is this really what is happening? If so, is there anything I can do to make it so that this doesn't happen? Shouldn't an incorrect password come back and not try to move on to the next domain controller? Does this happen to anyone else and if so what did you do to remedy it?

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 4 years ago +1

XG tries always multiple AD Server, if there are different Domain per AD Server selected. For example AD Server1: .local AD Server : .com So XG will try to map your user against .local and .com. This…

Parents

0 LuCar Toni over 4 years ago

XG tries always multiple AD Server, if there are different Domain per AD Server selected.

For example AD Server1: .local AD Server : .com
So XG will try to map your user against .local and .com. This causes two authentication requests against the AD forest, in your case.
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 LuCar Toni over 4 years ago

XG tries always multiple AD Server, if there are different Domain per AD Server selected.

For example AD Server1: .local AD Server : .com
So XG will try to map your user against .local and .com. This causes two authentication requests against the AD forest, in your case.
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 Josh Rogalski over 4 years ago in reply to LuCar Toni

I have a sub domain, but even so this still doesn't fix the issue of a user accidentally typing the password wrong a single time, and then getting locked out because of it. What does one do about that? (berating users to type things correct is unfortunately not an option ha).
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Josh Rogalski

How many ADs do you have? And how many did you configure? How many sub domains do you manage and is it one forest?

Multi AD in XG will each user against each AD.

Quick and dirty workaround would be to increase the value until AD will lock this user.

If you go to the logviewer, you should be able to see under authentication each auth try.
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Rogalski over 4 years ago in reply to LuCar Toni

1 domain for staff, and 1 subdomain for students.

4 DC's on the "staff" domain

4 DC's on the "student" domain
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Josh Rogalski

Those are many DCs, any reason for those many DCs? Just wondering, as most people have one forest and some DCs for each domain but not 8 in total for 2 domains.
Cancel
Vote Up 0 Vote Down

Cancel