
ZCM agent causing locked AD accounts

Since upgrading to ZCM 10.3 (could have been happening before, but I don't think so) we've been having a recurring problem with users' AD accounts locking. We finally nailed down the sequence.

Our environment...

Novell Client 4.91 SP5 on the desktop
Active Directory (AD is the password authority)

1. User enters password into the Novell client but accidentally enters an upper case letter as lower (or vice versa)

2. eDirectory accepts the password because it's not case sensitive and passes it on to the Zenworks agent

3. Zenworks agent is unable to login because the password is incorrect

4. Look at user's account in AD and instead of having 1 Bad password attempt they have 8!!!!

We allow 10 bad password attempts before locking an account. Why/what is trying the bad password 8 times before realizing that it's bad? Where is the setting that prevents this from happening?

Re: ZCM agent causing locked AD accounts

I would open an SR.

On 4/22/2010 4:06 PM, weinberd wrote:
>
> Since upgrading to ZCM 10.3 (could have been happening before, but I
> don't think so) we've been having a recurring problem with users' AD
> accounts locking. We finally nailed down the sequence.
>
> Our environment...
>
> Novell Client 4.91 SP5 on the desktop
> Active Directory (AD is the password authority)
>
> 1. User enters password into the Novell client but accidentally enters
> an upper case letter as lower (or vice versa)
>
> 2. eDirectory accepts the password because it's not case sensitive and
> passes it on to the Zenworks agent
>
> 3. Zenworks agent is unable to login because the password is
> incorrect
>
> 4. Look at user's account in AD and instead of having 1 Bad password
> attempt they have 8!!!!
>
> We allow 10 bad password attempts before locking an account. Why/what
> is trying the bad password 8 times before realizing that it's bad?
> Where is the setting that prevents this from happening?
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!

Re: ZCM agent causing locked AD accounts

Oh, and I would be curious as to the number of "Authentication" servers
you have defined. As a test, try decreasing it to only one for some and
see if that affects the number of bad attempts recorded against AD.

On 4/22/2010 4:12 PM, craig wilson wrote:
> I would open an SR.

Re: ZCM agent causing locked AD accounts

craig_wilson;1965714 wrote:
Oh, and I would be curious as to the number of "Authentication" servers
you have defined. As a test, try decreasing it to only one for some and
see if that affects the number of bad attempts recorded against AD.

Where would I find the authentication servers?

Re: ZCM agent causing locked AD accounts

While not answering your last question there, what if you enable Universal Password in eDir and enforce case-sensitivity so that if they enter the wrong case, it gets caught there?

(again, I know I didn't answer your "why does it use 8 logins instead of 1"). For that part, I agree with Craig to open an SR. I'm not sure if the full logging on the agent would even list how many times and what different things are passing the authentication to AD.

Re: ZCM agent causing locked AD accounts

I am seeing a similar issue, but I am not using the Novell Client. If a user mistypes his/her password once, their AD account is locked; although they will still log in to Windows, the ZENWorks agent just won't authenticate. And if I go and check the AD account, it is in fact locked. We didn't see this issue until we started testing Windows 7. Were you able to fix your issue?

Re: ZCM agent causing locked AD accounts

We never fixed the problem and as far as I know the problem still exists, I just never followed up with Novell on it. At the time that we first started noticing the problem, our AD Group Policy was set to allow 10 invalid login attempts. As my initial post indicated, one wrong password would trigger 8 invalid logins (crazy!!!), so a second attempt would lock the account. We bumped up the invalid login attempts to 20 as a way of dealing with the problem until time allows for a real solution.

Anyone on ZCM 11 know if this is still an issue?
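An added example, not part of the original thread: one way to tell from exported failed-logon records whether a single mistyped password is being replayed several times by software, and how that interacts with the lockout thresholds of 10 and 20 mentioned above. The record layout, account names and host names are constructed, and all events are assumed to fall inside one lockout observation window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _burst(start, user, host, n):
    """Build n constructed failures 400 ms apart, starting at `start`."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(milliseconds=400 * i), user, host) for i in range(n)]

# Constructed sample (timestamp, account, source host): two typos by "jdoe",
# each replayed 8 times, plus two ordinary single failures by "asmith".
SAMPLE = (_burst("2010-04-22T08:01:10", "jdoe", "WS-017", 8)
          + _burst("2010-04-22T08:02:45", "jdoe", "WS-017", 8)
          + _burst("2010-04-22T09:15:00", "asmith", "WS-101", 1)
          + _burst("2010-04-22T09:16:30", "asmith", "WS-101", 1))

def group_bursts(events, gap=timedelta(seconds=5)):
    """Collapse failures from one (account, host) that arrive within `gap`
    of the previous one into a single burst; return {(account, host): [sizes]}."""
    bursts = defaultdict(list)
    last_seen = {}
    for ts, user, host in sorted(events):
        key = (user, host)
        if key in last_seen and ts - last_seen[key] <= gap:
            bursts[key][-1] += 1      # too fast to be a person retyping
        else:
            bursts[key].append(1)     # new human-paced attempt
        last_seen[key] = ts
    return dict(bursts)

def report(events, threshold):
    """Per (account, host): attempts a person typed, failures the directory
    recorded, largest burst, and whether the recorded count reaches the
    lockout threshold."""
    out = {}
    for key, sizes in group_bursts(events).items():
        recorded = sum(sizes)
        out[key] = {"typed": len(sizes), "recorded": recorded,
                    "max_burst": max(sizes), "locked": recorded >= threshold}
    return out

if __name__ == "__main__":
    for limit in (10, 20):
        for key, row in report(SAMPLE, limit).items():
            print(limit, key, row)
```

A large `max_burst` with a small `typed` count points at a client or agent replaying the credential rather than at a user guessing, which is the distinction to make before raising the lockout threshold.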