04-15-2013 09:35 AM - edited 03-18-2019 12:56 AM
Hello,
I am enabling the AD authentication for our MOVI users and I ran into an issue with our Active Directory accounts being locked out. I have a MOVI subzone set up on our VCS-C that is set to "Check Credentials" and subzone rules pointing MOVI users to that subzone. If I enter my username and correct password in MOVI I authenticate just fine and everything works. The issue is that if I enter the wrong password in the MOVI application once, obviously it won't let me log in, but it also makes my corporate AD account get locked out. Our AD policy locks accounts after 6 consecutive failed login attempts. To me it seems like the MOVI application is sending off multiple authentication requests with a single login attempt, and since I have the wrong password my AD account is getting locked. Has anyone run into this issue before? Am I on the right track with what the issue could be?
Thanks for your help,
Steven
04-15-2013 10:03 AM
As far as I know it does send out multiple requests, but I'm not sure if it's as high as 6. I think I remember that it is 3 it's sending. Someone else might be able to answer more accurately on this, but I think you are on the correct path! Do you have check credentials on the default zone and the subzone?
/Magnus
04-15-2013 10:08 AM
I have the default zone set to treat as authenticated and the MOVI subzone set to check credentials. Is there a way to change the number of authentication attempts it makes in the provisioning extension?
thanks.
04-15-2013 10:16 AM
Hi Steven, can you share the inputs for the below?
1. Have you deployed TMSPE or TMSagent for Movi?
2. What is the TMS software version installed?
3. What is the operating system version and service pack on your AD authentication server?
4. Is there a test account in AD which you can use to log in to the Windows domain with a wrong password, to verify if the account is getting locked after the 6th time with a wrong password as per the policy?
BR, Mahesh Adithiyha
04-15-2013 10:28 AM
1. Yes, we have TMSPE deployed.
2. We are running 13.2.1 for TMS and X7.2 for VCS-C.
3. AD servers are Windows 2008 SP2.
4. I don't have access to a test ID, but I checked with the server team and the 6-attempt lockout is part of the group policy for all users, so I am confident that is correct.
Thanks.
04-15-2013 10:44 AM
Please share the Movi version used in your environment; let me check in our lab and share more inputs by tomorrow.
04-15-2013 10:57 AM
We are using 4.2.0.10318.
04-15-2013 02:03 PM
Hi,
That is the AD policy, but an interesting point is how I can prevent somebody from trying to type my credentials. And if someone typed 6 times, my account is closed. How can I prevent this case? Is it possible to include certificates on the Jabber tablet or Movi? What is the right way?
04-16-2013 02:07 AM
Hi Steven, this is a known bug and it has been resolved in software release 4.5.
Please check the release notes for CSCua84646.
Regards//Andrey
04-16-2013 07:38 AM
OK
Thanks for your responses!