Re: ADAM not honoring account lockout policy on Workgroup 2K3



These are pure ADAM principals. I'm prototyping the security for an extranet
application that by company policies can't even look sideways at AD. So we
created a 2K3 server outside of the domain and installed ADAM and IIS.
I'm having to roll my own membership provider since the existing .NET
provider doesn't support Digest and we don't want to go SSL or plain text.

I definitely haven't changed the ADAMDisablePasswordPolicies, it's still at 0.
That's one of the first things I looked at.

I just enabled failure audits (success was already on) as you suggested, and
nothing shows. I see my RDP logon as well as the remote debugger session
but nothing else. I can see the badPasswordCount go up to 8 (the policy
limit is set to 5) and lockoutTime is still 0.

Would the authentication of ADAM principals even show in the event log?
I'm still not totally clear on what is happening under the covers here, i.e.
when and how ADAM calls netapi, etc. - even though I've been researching this
for several days now.

Thanks......

Jim

"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:eUULM%23RHHHA.3292@xxxxxxxxxxxxxxxxxxxxxxx
Hi

What kind of ADAM users are you testing, native ADAM users?
If you enable "Audit logon events" in your server security policy
you should see the Success/Failure audits for the ADAM users
in the security event log, and the Failures should log the failure codes,
e.g. 0xc0000234 for account lockout.

Something else to check is that the ADAM instance default behavior has not been
changed with respect to password policies:

You can disable the enforcement of password policy settings in ADAM by
setting ADAMDisablePasswordPolicies, a value in the attribute
msDS-Other-Settings on
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}
to 1.

Lee Flight

"jpierson" <jpierson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:364D0C5C-7BCB-4383-9995-F2DEDE9FC869@xxxxxxxxxxxxxxxx
I must be overlooking something really stupid.

All the docs state that ADAM will use the policies of the host machine, but
try as I may, I can't get ADAM to lock out an account due to bad passwords. I
have confirmed that the policy is in effect by creating a bogus account on
the server and failing authentication enough times to lock out the Windows
account, but I can supply bad passwords for my ADAM accounts till the cows
come home without triggering an account lockout.

Any pearls of wisdom to point me in the right direction?
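Added example, not code from anyone in this thread: an offline helper that takes the values the posts are looking at (the multi-valued msDS-Other-Settings attribute with its ADAMDisablePasswordPolicies entry, the user's badPwdCount, which the post calls badPasswordCount, its lockoutTime, and the host's lockout threshold) and classifies the state the way a defender would when triaging "lockout never fires". The attribute values are constructed sample data; how you fetch them from the instance (ldp.exe, ADSI, an LDAP client) is outside the example.

```python
"""Classify ADAM lockout state from LDAP attribute values (offline check)."""
from datetime import datetime, timedelta, timezone

# lockoutTime is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_other_settings(values):
    """msDS-Other-Settings is multi-valued; each value is 'Name=Value'."""
    settings = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if sep:  # ignore malformed entries without '='
            settings[name.strip()] = value.strip()
    return settings


def password_policies_disabled(other_settings_values):
    """True when ADAMDisablePasswordPolicies=1 is present on the instance."""
    settings = parse_other_settings(other_settings_values)
    return settings.get("ADAMDisablePasswordPolicies", "0") == "1"


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to UTC; 0 means 'never locked out'."""
    if filetime == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def diagnose(other_settings_values, bad_pwd_count, lockout_time, threshold):
    """Return 'policy-disabled', 'locked', 'below-threshold' or 'not-enforced'.

    'not-enforced' is the symptom in the thread: the count passed the host
    threshold, enforcement is not disabled, yet lockoutTime stayed 0.
    """
    if password_policies_disabled(other_settings_values):
        return "policy-disabled"
    if lockout_time != 0:
        return "locked"
    if threshold == 0 or bad_pwd_count < threshold:
        return "below-threshold"
    return "not-enforced"


if __name__ == "__main__":
    # Constructed values matching the situation described in the thread.
    sample_settings = ["ADAMDisablePasswordPolicies=0", "DynamicObjectDefaultTTL=86400"]
    print(diagnose(sample_settings, bad_pwd_count=8, lockout_time=0, threshold=5))
```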
