Account lockout not working when using UPN format to log on with forms-based authentication in ISA Server 2006

1. Introduction

Recently we received a support call from a customer reporting that one of his network users was able to log on to a secure web site published by ISA Server 2006 after typing a wrong password five times and then typing the correct password on the sixth attempt. The company's account lockout policy was set to allow four attempts before locking the user account. This was an alert for his security staff, since it could expose the page to a password brute force attack.

After assessing the environment we also noticed that when he typed the user account in domain\username format this did not happen and the account was correctly locked out. The only way to bypass the account lockout policy was to log on using the UPN (User Principal Name).

2. Environment

We were able to reproduce the problem in a lab. The lab was set up like this:

Figure 1 – Lab used to simulate the behavior.

As you can see in the lab above we were using the secure forms provided by ISA Server. In Figure 2 we have the Web server publishing rule:

Figure 2 – ISA Server Rule

This rule uses a Web listener that validates the user's credentials with LDAP authentication, as shown below:

Figure 3 – LDAP Components

In Login Expression we have both formats available: SAM Based and UPN Based.

For more information on the LDAP configuration see the article Secure Application Publishing on Microsoft TechNet.

3. Understanding the Logon Process

To better understand the logon attempts we enabled netlogon logging on the domain controller. To do this, run the following command on the Domain Controller:

nltest /dbflag:0x2080ffff

3.1. Using the SAM Account Name

When the user Bob tries to log on through the ISA Server 2006 Secure Form using the domain\username format and types the wrong password, the following events are recorded in the netlogon log:

11/20 21:19:34 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Entered
11/20 21:19:34 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Returns 0xC000006A
11/20 21:19:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from DCCONT Entered
11/20 21:19:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from DCCONT Returns 0x0
11/20 21:19:40 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Entered
11/20 21:19:40 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Returns 0xC000006A
11/20 21:19:45 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from DCCONT Entered
11/20 21:19:45 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\Administrator from DCCONT Returns 0x0
11/20 21:19:45 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Entered
11/20 21:19:45 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Returns 0xC000006A

The error code 0xC000006A means that the value provided as the current password is not correct. After four attempts (which was the company policy) we have the following event in the netlogon log:

11/20 21:19:51 [LOGON] CONTOSO: SamLogon: Network logon of contoso\bob from ISACONTN2 Returns 0xC0000234

The error code 0xC0000234 means that the user account has been automatically locked. We also see the event below in the Event Viewer:

Event Type:     Success Audit
Event Source:   Security
Event Category: Account Management
Event ID:       644
Date:           11/20/2007
Time:           9:19:45 PM
User:           NT AUTHORITY\SYSTEM
Computer:       DCCONT
Description:
User Account Locked Out:
        Target Account Name:    Bob
        Target Account ID:      CONTOSO\Bob
        Caller Machine Name:    ISACONTN2
        Caller User Name:       DCCONT$
        Caller Domain:          CONTOSO
        Caller Logon ID:        (0x0,0x3E7)

3.2. Using UPN Format

When the user Bob tries to log on to the ISA Server 2006 Secure Form using the username@domain format and types the wrong password, the following events are recorded in the netlogon log:

11/20 21:22:04 [LOGON] CONTOSO: SamLogon: Network logon of (null)\bob@contoso.msft from ISACONTN2 Entered
11/20 21:22:04 [LOGON] CONTOSO: SamLogon: Network logon of (null)\bob@contoso.msft from ISACONTN2 Returns 0xC0000225

The error code recorded in this scenario is not 0xC000006A; instead we log 0xC0000225, which means STATUS_NOT_FOUND. Even when the incorrect password is typed the user account is not locked, because the authenticating domain controller does not increment the number of unsuccessful logon attempts.
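
To check a netlogon log for this behavior, the following script (an added example, not part of the original post or of ISA Server) parses the SamLogon lines in the format shown above, counts failures per user, and flags users whose UPN-format attempts return 0xC0000225 at least as many times as the lockout threshold without a 0xC0000234 lockout ever appearing. The lines in SAMPLE_LOG are constructed to match the post's format, and the user alice is invented.

```python
import re
from collections import defaultdict
# NTSTATUS values discussed in the post.
STATUS_WRONG_PASSWORD = 0xC000006A     # bad password; the DC counts it toward lockout
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
STATUS_NOT_FOUND = 0xC0000225          # UPN logon on an unpatched DC; not counted
LINE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[LOGON\] \w+: SamLogon: Network logon of "
    r"(?P<account>\S+) from \S+ (?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

def parse_netlogon(text):
    """One dict per 'Returns' line of netlogon.log; 'Entered' lines carry no result and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["status"] is not None:
            # UPN logons appear as (null)\user@domain because no NetBIOS domain was supplied
            events.append({"account": m["account"], "status": int(m["status"], 16),
                           "upn": m["account"].startswith("(null)\\") and "@" in m["account"]})
    return events

def audit_lockout(events, threshold=4):
    """Per user: failures the DC counted, UPN failures it did not, and whether lockout was seen."""
    report = defaultdict(lambda: {"wrong_password": 0, "uncounted_upn": 0,
                                  "locked": False, "bypass_suspected": False})
    for ev in events:
        # contoso\bob and (null)\bob@contoso.msft are the same user
        r = report[ev["account"].split("\\")[-1].split("@")[0].lower()]
        if ev["status"] == STATUS_WRONG_PASSWORD:
            r["wrong_password"] += 1
        elif ev["status"] == STATUS_NOT_FOUND and ev["upn"]:
            r["uncounted_upn"] += 1
        elif ev["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            r["locked"] = True
    for r in report.values():
        # 'threshold' or more UPN failures yet never locked: the DC is not counting them
        r["bypass_suspected"] = r["uncounted_upn"] >= threshold and not r["locked"]
    return dict(report)
# Constructed sample in the format the post shows (not a real capture).
SAMPLE_LOG = """
11/20 21:19:34 [LOGON] CONTOSO: SamLogon: Network logon of contoso\\bob from ISACONTN2 Returns 0xC000006A
11/20 21:19:40 [LOGON] CONTOSO: SamLogon: Network logon of contoso\\bob from ISACONTN2 Returns 0xC000006A
11/20 21:19:51 [LOGON] CONTOSO: SamLogon: Network logon of contoso\\bob from ISACONTN2 Returns 0xC0000234
11/20 21:22:04 [LOGON] CONTOSO: SamLogon: Network logon of (null)\\alice@contoso.msft from ISACONTN2 Returns 0xC0000225
11/20 21:22:09 [LOGON] CONTOSO: SamLogon: Network logon of (null)\\alice@contoso.msft from ISACONTN2 Returns 0xC0000225
11/20 21:22:15 [LOGON] CONTOSO: SamLogon: Network logon of (null)\\alice@contoso.msft from ISACONTN2 Returns 0xC0000225
11/20 21:22:20 [LOGON] CONTOSO: SamLogon: Network logon of (null)\\alice@contoso.msft from ISACONTN2 Returns 0xC0000225
"""
```

Run `audit_lockout(parse_netlogon(open("netlogon.log").read()))` against a real log after the nltest flag above has been set; a user with bypass_suspected set is one the domain controller is not counting.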
4. How to Fix It

This problem is already fixed in Windows Server 2003 SP2. If you have not yet applied this recommended Service Pack, you can apply the hotfix below to address this specific issue:

921063 – Unsuccessful authentications are not counted as incorrect password logon attempts when you use the IADsOpenDSObject::OpenDSObject method to specify a UPN in a Windows Server 2003 domain
http://support.microsoft.com/default.aspx?scid=kb;EN-US;921063

Note: make sure to apply it on the domain controllers as well.

Yuri Diogenes
Security Support Engineer – ISA Server Team
Microsoft Texas