Authentication: Access SharePoint Locks AD Account

RobertKaucher Member Posts: 4,299
I could use some help. I've not had the time to do a capture with WireShark because it's end of year and the user is exceptionally busy. Here is the issue:

* User's account is fine until he accesses SharePoint (WSS 3.0 using NTLM auth). After doing some work, passthrough NTLM with IE7 is all fine, until suddenly he will be prompted to enter his password.
* If I check his account status in AD I can see he is locked out.
* SharePoint server is in another forest. I have no admin rights in the user's forest.
* I have verified he has no services running under his account.
* He has no open TS sessions as they do not use TS.
* He says he sees this more often while using Office integration on SharePoint. Meaning he is working with Excel or PPT files on the SP server in the thick clients. I believe that is just because it's how he uses SP.
* No other user is experiencing this.
* We have a semi-prod SP 2010 system using Kerberos auth. He has no issues using that system.
* I have added the SP server to trusted sites and they are set to "low".
* I have reset IE to factory.
* Local IS support only deals with IE 7 so I cannot upgrade him.

Any suggestions?

Comments

    RobertKaucher Member Posts: 4,299
    Ok, I witnessed his account get locked out this morning while he was standing up talking to someone in the other person's cube and his PC was hibernating... The plot thickens.
    Everyone Member Posts: 1,661
    Search the security log on the DC(s). Should give an indication of where the unsuccessful logon attempts are coming from.
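One way to do that search from PowerShell, as an added example (not code from any poster in this thread): read Security event 4740 ("A user account was locked out") from the PDC emulator, which records every lockout in the domain along with the Caller Computer Name the bad passwords came from. It assumes you can read the DC's Security log and have the ActiveDirectory module installed.

```powershell
# Added example: find where an AD account's lockouts originate.
# Event 4740 is always written on the PDC emulator, so query that DC.
# Assumes rights to read the DC Security log and the ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string] $UserName,
    [string] $DomainController = (Get-ADDomain).PDCEmulator,
    [int] $Days = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull the EventData fields by name from the event XML instead of
        # relying on positional Properties[] indexes.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $field[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $field['TargetUserName']
            # In event 4740, TargetDomainName carries the "Caller Computer Name":
            # the host that submitted the failing credentials (a workstation,
            # a RADIUS/NPS server, a mail server, ...), not the user's domain.
            CallerComputer = $field['TargetDomainName']
            DC             = $_.MachineName
        }
    } |
    Where-Object { $_.LockedAccount -eq $UserName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

In the case this thread ends with, the caller computer would point at the RADIUS/NPS server handling the BlackBerry's WPA-Enterprise attempts rather than at the user's PC, which is what distinguishes a stale Wi-Fi credential from a SharePoint/IE problem.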
    vCole Member Posts: 1,573
    I had a PowerShell script that would find this information for you if you put in the username. Let me see if I can dig it up.

    There we go:

    # Lists processes running under the given account on each DC (fill in "username").
    Get-WmiObject Win32_Process -ComputerName ("dc1", "dc2", "dc3") | Where-Object { $_.GetOwner().User -eq "username" } | Select-Object -Property ("csname", "name")
    RobertKaucher Member Posts: 4,299
    I have no admin rights in the user's forest.

    I have no ability to access the DCs.
    it_consultant Member Posts: 1,903
    Yeah, it sounds like something is repeatedly entering his password incorrectly. Like he has an application that saved his PW and it never got updated when he reset his password.
    CodeBlox Member Posts: 1,363
    This happens very often on our helpdesk. I get a call from someone who was prompted for a username and password from sharepoint. If they close the window, it counts as a bad password attempt and eventually locks their account in Active Directory. It also happens to some who have sharepoint calendars in outlook too. Despite as much as I've gone through IE settings, nothing there ever fixes it and I end up referring them to the sharepoint admin. Our users use IE7 also.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
    vCole Member Posts: 1,573
    I have no ability to access the DCs.

    Ah my bad, missed that part!
    RobertKaucher Member Posts: 4,299
    It was not SharePoint. Here is how it went down:
    1. User went to New Zealand office with his Verizon BlackBerry
    2. NZ net admin set him up on the global wifi so he could get data while in the office.
    3. User kept wifi enabled (WPA Ent/RADIUS) and changed his AD password.
    4. WiFi connection on BB kept trying to authenticate with his old password once he came back to US.

    UUUUUGH!

    Initially I thought it was the issue CodeBlox was talking about because the user kept experiencing it in SharePoint - but that was a consequence of how he worked, it was not what caused the problem. And that influenced my initial description of the problem.

    CodeBlox - if you see this the way to fix it is in the credentials prompt where it says sign in with other credentials have them enter their domain\username and password.

    If you re-use the credentials by just entering your password it does not work. They have to re-enter their credentials as if they were signing in as another user. I've seen that one a bunch as well.

    Thanks to all who responded!!!
    CodeBlox Member Posts: 1,363
    Thing with some of these people with their accounts in active directory is that they don't really use a username and password to login. They login with smartcards with a single PIN. The password for the account gets scrambled so they never know it. What happens then? I know nothing about sharepoint but is there a separate set of credentials for that? I'll keep this in mind for those not using smartcards.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
    Everyone Member Posts: 1,661
    CodeBlox wrote: »
    Thing with some of these people with their accounts in active directory is that they don't really use a username and password to login. They login with smartcards with a single PIN. The password for the account gets scrambled so they never know it. What happens then? I know nothing about sharepoint but is there a separate set of credentials for that? I'll keep this in mind for those not using smartcards.

    While checking the "Smart card required for interactive logon" box does generate a large complex password, you can still change the password (while leaving that enabled) on the account, and they still have a username.

    Also SharePoint can use PKI (any web based system can pretty easily), in fact all DoD SharePoint sites are required to use it. You shouldn't see this issue with a smart card user.