Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Active directory badPwdCount attribute does not replicate [message #160938] Thu, 10 September 2009 16:23
jminder (United States), Junior Member, Messages: 1, Registered: September 2009
Questions related to scenario described below...

1. Have I completely missed something obvious here which has already
been solved and allows round-robin across the entire pool of
servers?

2. Is there any LDAP modify operation you can issue after a user
successfully binds which causes AD to update badPwdCount=0 on all
domain controllers? I would prefer to avoid sending binds to all the
domain controllers in parallel, but am OK if there is something AD
will do behind the scenes which accomplishes the end goal.

3. Is there a way to force badPwdCount to replicate? AD setting...?

In setting up an application which runs on Linux to leverage active
directory for authentication purposes via LDAPS I have run across a
behavior which seems counter-intuitive. This behavior prevents
applications from leveraging AD in round-robin mode effectively
because the attribute (badPwdCount) is not replicated across domain
controllers. If you have a policy to lock accounts which fail
authentication after 3 attempts, these three attempts would be spread
across the servers in the round-robin pool, not contained in one place
during policy evaluation. Effectively this circumvents the desired
effect which is to lock the account when a user enters 3 bad
passwords.

If your application is configured to communicate in failover mode to
AD, then the 3 bad attempts would be contained on the same domain
controller assuming a failover did not occur between your attempts.
Continuing to enter bad passwords for the same account will ultimately
trigger a lock on the account. This is contained in the
userAccountControl attribute, and this attribute does replicate.
Getting an administrator to unlock the account leaves the previous
badPwdCount values on the domain controllers in the pool. If the user
were then to go back and begin entering bad passwords, they would
again reach a locked state at the point in which they accumulate a
value of 3 on any one of the domain controllers. This time this
should happen much sooner because they began with some of them
preloaded with bad attempts from the first time the account was
locked. To make matters worse one would expect successful
authentications would overwrite badPwdCount when the user successfully
logs in. Actually it does, but only for the domain controller where
the bind occurred. All the other domain controllers still have values
present for badPwdCount. This will cause the user to receive
inconsistent account locking because they have no way to predict what
state their account is currently in. This is more a concern for
testing purposes, but it's still a HUGE problem.

Regards,

-Inet
Re: Active directory badPwdCount attribute does not replicate [message #160945 is a reply to message #160938] Fri, 11 September 2009 00:04
florian (Switzerland), Senior Member, Messages: 484, Registered: July 2009
Howdie!

jminder wrote:
> 1. Have I completely missed something obvious here which has already
> been solved and allows round-robin across the entire pool of
> servers?

The attribute isn't replicated among the DCs. As far as I know, you
can't trigger it to be replicated among the DCs.

In a domain with domain functional level 2008, there's "last interactive
logon" which does that:
http://technet.microsoft.com/de-de/library/dd446680(WS.10).aspx

> 2. Is there any LDAP modify operation you can issue after a user
> successfully binds which causes AD to update badPwdCount=0 on all
> domain controllers? I would prefer to avoid sending binds to all the
> domain controllers in parallel, but am OK if there is something AD
> will do behind the scenes which accomplishes the end goal.

I understand. Unfortunately, you'd have to do that in order to reset all
badPwdCounters. The question is whether this is really necessary and
whether there will be a good amount of users that are hit by this
"circumstance" that you'd really have to code that functionality.

> 3. Is there a way to force badPwdCount to replicate? AD setting...?

The attribute isn't replicated at all. What is replicated instead is the
account lockout - that's done by a special out-of-band rep that isn't
bound to replication times (urgent replication). If one of the DCs locks
the user out, it's replicated.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
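Because badPwdCount lives separately on every DC, the only reliable way to see an account's real state is to ask each DC in the pool and take the worst answer (DCs also chain failed password attempts to the PDC emulator, so its counter is the most complete single value, but the sweep shows what each DC holds). The following is an added example written for this page, not code from either poster: it queries every DC over LDAPS with the third-party ldap3 package (imported lazily, so the aggregation logic runs without it) and reduces the per-DC answers to an effective count, attempts left before the lockout threshold, and whether the pool is inconsistent. The DC host names, account and counts in FAKE_POOL are constructed to mirror the thread's scenario: stale counters left over from an earlier lockout, reset only on the DC that handled the last successful bind.

```python
"""Sweep every domain controller for one account's lockout-related state.

badPwdCount is per-DC and never replicates; lockoutTime is a FILETIME that
is 0 while the account is not locked, and the lockout itself does replicate.
Added example; hosts, credentials and counts below are constructed.
"""
from typing import Callable, Dict, List, Optional

# What one DC reports for the account. None means the query failed.
DcReport = Optional[Dict[str, int]]
FetchFn = Callable[[str], DcReport]


def ldaps_fetch(host: str, base_dn: str, sam_account_name: str,
                bind_dn: str, bind_pw: str) -> DcReport:
    """Read badPwdCount and lockoutTime for one account from one DC via LDAPS.

    Uses ldap3 (third-party); returns None if the package is missing, the DC
    is unreachable, the bind fails, or the account is not found on that DC.
    Raw attribute bytes are used so ldap3's AD timestamp formatting does not
    turn lockoutTime into a datetime.
    """
    try:
        from ldap3 import Connection, Server
        from ldap3.utils.conv import escape_filter_chars
    except ImportError:
        return None
    try:
        server = Server(host, port=636, use_ssl=True)
        conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
        found = conn.search(base_dn,
                            "(sAMAccountName=%s)" % escape_filter_chars(sam_account_name),
                            attributes=["badPwdCount", "lockoutTime"])
        if not found or not conn.entries:
            return None
        entry = conn.entries[0]

        def raw_int(attr: str) -> int:
            values = entry[attr].raw_values
            return int(values[0]) if values else 0

        return {"badPwdCount": raw_int("badPwdCount"),
                "lockoutTime": raw_int("lockoutTime")}
    except Exception:
        return None


def sweep(dc_hosts: List[str], fetch: FetchFn) -> Dict[str, DcReport]:
    """Ask every DC in the pool; keep each answer, failures as None."""
    return {host: fetch(host) for host in dc_hosts}


def assess(reports: Dict[str, DcReport], lockout_threshold: int) -> Dict[str, object]:
    """Collapse per-DC answers into the account's effective state.

    A round-robin client can see a different counter on every DC; the highest
    one decides how many more failed binds the account can absorb.
    """
    answered = {h: r for h, r in reports.items() if r is not None}
    counts = {h: r["badPwdCount"] for h, r in answered.items()}
    worst_dc = max(counts, key=counts.get) if counts else None
    worst = counts[worst_dc] if worst_dc is not None else 0
    return {
        "answered": sorted(answered),
        "unreachable": sorted(h for h, r in reports.items() if r is None),
        "counts": counts,
        "worst_dc": worst_dc,
        "effective_count": worst,
        # lockoutThreshold 0 means lockout is disabled in the domain policy
        "attempts_left": None if lockout_threshold == 0 else max(lockout_threshold - worst, 0),
        "inconsistent": len(set(counts.values())) > 1,
        # The lockout replicates urgently, so one DC reporting it is enough.
        "lockout_set": any(r["lockoutTime"] != 0 for r in answered.values()),
    }


# Constructed pool state (not real DCs): counters left over from an earlier
# lockout, with only dc3 reset by the last successful bind, and dc4 down.
FAKE_POOL: Dict[str, DcReport] = {
    "dc1.example.invalid": {"badPwdCount": 2, "lockoutTime": 0},
    "dc2.example.invalid": {"badPwdCount": 1, "lockoutTime": 0},
    "dc3.example.invalid": {"badPwdCount": 0, "lockoutTime": 0},
    "dc4.example.invalid": None,
}


def fake_fetch(host: str) -> DcReport:
    return FAKE_POOL.get(host)


def demo() -> Dict[str, object]:
    """Run the sweep against the constructed pool with a 3-attempt policy."""
    return assess(sweep(sorted(FAKE_POOL), fake_fetch), lockout_threshold=3)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

For a real run, replace fake_fetch with `lambda h: ldaps_fetch(h, base_dn, sam, bind_dn, bind_pw)` and build the host list from the domain's `_ldap._tcp.dc._msdcs.<domain>` SRV records; the threshold comes from the domain's lockoutThreshold attribute. The sweep is read-only: as the reply above says, there is no LDAP write that resets badPwdCount on every DC, so the only way to "clear" the pool is a successful bind against each DC or waiting for the observation window to expire.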