I hear this statement pretty frequently from some of my customers and it is just not accurate. The logging on the Domain Controllers does show that the bad password attempts are coming from ISA or TMG. The reality here is that ISA/TMG is not randomly trying bad passwords for user accounts. It is also worth noting that ISA/TMG does not “cache” users passwords as has been suggested by some.
Here are a couple of the most common scenarios for why this is happening:
1.) ISA/TMG is used as a forward (outbound) proxy server. Authentication is required by at least one of the Web access rules. A user on the network configures some proxy aware application or applet with their username and password. The password eventually expires per the Domain Password Policy but the application is never updated to reflect that. The application tries to access the Internet with the bad password and eventually locks the account out.
2.) ISA/TMG is used for reverse (inbound) proxy for Exchange Activesync and authentication is being required by the publishing rule. An executive has several administrative assistants that check his email using various mobile devices. The password expires but the devices are not updated with the new password. The devices attempt to access Activesync with the bad credentials and lock the account out per defined Domain Password Policies.
Those are just two of the most common scenarios that we see but there are many, many other situations that lead to account lockouts.
My advice to the customer is to take a long hard look at their internal password policies and tweak them as needed. If you are not already doing it you should require complex passwords. But by far, the biggest change you can make to reduce account lockouts is to modify your Account Lockout policies. Change these to something that is going to work for your company. You might start by increasing the Account Lockout threshold by 10 invalid logon attempts. So instead of 10 invalid logon attempts before lockout, now it is 20. Do the incidents of accounts being locked out decrease or become non-existent? If the answer is no, increase it by another 10 invalid logon attempts and then monitor. Only you can decide what is right for your situation but I believe the ideal password policy is one that balances security with lack of administrative overhead in the form of constantly needing to unlock accounts.
Update: Service Pack 2 for TMG added a “Lockout Feature” that will allow you to locally lockout accounts without locking them out in the Domain. You can read more about this here.
Update adds feature to lock out user accounts that use FBA with Active Directory or with LDAP authentication in a Forefront Threat Management Gateway 2010 environment