Recently we received a support call from a customer saying that one of his network users was able to logon on to a secure web site published by ISA Server 2006 after typing a wrong password five times and finally typing the correct password on the sixth attempt. The account lockout policy for his company was set up to accept four attempts before it locks up the user account. This was an alert for his security staff since it could expose the page to a password brute force attack.
After assessing the environment we also noticed that if he typed the user account using domain\username such a thing did not happen and the account correctly locked up. The only way to bypass the account lockout policy was using the UPN (User Principal Name) to logon.
We were able to reproduce the problem in a lab. The lab was set up like this:
Figure 1 – Lab used to simulate the behavior.
As you can see in the lab above we were using the secure forms provided by ISA Server. In figure two we have the Web server publishing rule:
Figure 2 – ISA Server Rule
This rule uses a Web listener that uses LDAP authentication to validate the user’s credentials as shown below:
Figure 3 – LDAP Components
In Login Expression we have both formats available: SAM Based and UPN Based.
For more information on the LDAP configuration see the article Secure Application Publishing on Microsoft Technet.
3. Understanding the Logon Process
To better understand the logon attempts we enabled the netlogon logging on the domain controller. To do this run the following command on the Domain Controller:
3.1. Using the SAM Account Name
When the user Bob tries to logon with the ISA Server 2006 Secure Form using the domain\username format and types the wrong password the following event is recorded on the netlogon log:
The error code 0xC000006A means that the value provided as the current password is not correct. After four attempts (which was the company policy) we have the following event on the netlogon log:
The error code 0xC0000234 means that the user account has been automatically locked. Also we have the event below on the Event Viewer:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Time: 9:19:45 PM
User: NT AUTHORITY\SYSTEM
User Account Locked Out:
Target Account Name: Bob
Target Account ID: CONTOSO\Bob
Caller Machine Name: ISACONTN2
Caller User Name: DCCONT$
Caller Domain: CONTOSO
Caller Logon ID: (0x0,0x3E7)
3.2. Using UPN Format
When the user Bob tries to logon into the ISA Server 2006 Secure Form using the username@domain format and types the wrong password the following event is recorded on the netlogon log:
The error code that it is recorded in this scenario is not 0xC000006A, instead we log 0xC0000225, which means STATUS_NOT_FOUND. Even when typing the incorrect password we do not lock the user account and the reason is because the number of unsuccessful logon attempts is not incremented by the authenticating domain controller.
4. How to Fix It
This is actually a problem already fixed in Windows Server 2003 SP2, however if you did not apply this recommended Service Pack yet you can apply the hotfix below to address this specific issue:
921063 Unsuccessful authentications are not counted as incorrect password logon attempts when you use the IADsOpenDSObject::OpenDSObject method to specify a UPN in a Windows Server 2003 domain http://support.microsoft.com/default.aspx?scid=kb;EN-US;921063
Note: make sure to also apply on the domain controllers.
Security Support Engineer – ISA Server Team