Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3371
Views
0
Helpful
12
Replies

User gets locked constantly because of the proxy auth, after a password change

MansionGib
Level 1
Level 1

‎10-16-2019 12:10 PM

Hi guys, 

A user has changed his AD password today, and now the AD account gets locked out all the time from the proxy. We think his session with the old password is open in any computer or server, but the problem is that the proxy longs don´t show which PC or IP is performing the auth requests. This is all I can see:

 

Wed Oct 16 21:01:28 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\username returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
Wed Oct 16 21:01:29 2019 Debug: PROX_AUTH : - : [49425: MANSION.GI][49438]: pam auth DOMAIN\username

 

May you please help to identify how can we find out which machine is running this authentication and locking out the account?

 

Thanks

 

PS: I have set "debug" level logging for auth, but didn´t help

1 person had this problem
Labels:
0 Helpful
12 Replies 12

Ken Stieers
VIP
VIP

‎10-16-2019 12:23 PM

Go find the ALTools package from Microsoft.

Use the lockout tool to find which DC locked the user out, dig in that dcs security event log to figure out which box is locking the user out.


I'd also clear all credentials out of credential manager on the users workstation

0 Helpful

MansionGib
Level 1
Level 1
In response to Ken Stieers

‎10-16-2019 12:59 PM - edited ‎10-23-2019 03:03 AM

.

0 Helpful

Ken Stieers
VIP
VIP
In response to MansionGib

‎10-16-2019 01:11 PM

Ok so go clear creds from the workstation, have the user reboot.
Dummp auth cache in the WSA to make sure the user re-auths to the WSA with the new creds.
0 Helpful

MansionGib
Level 1
Level 1
In response to Ken Stieers

‎10-16-2019 01:51 PM - edited ‎10-23-2019 03:03 AM

..

0 Helpful

Ken Stieers
VIP
VIP
In response to MansionGib

‎10-16-2019 02:15 PM

Ah...

Take a look at the access logs. Grep or tail it for the user's login id.

That will tell you the IP that they're id is coming from.






0 Helpful

MansionGib
Level 1
Level 1
In response to Ken Stieers

‎10-17-2019 05:48 AM - edited ‎10-23-2019 03:00 AM

.

0 Helpful

MansionGib
Level 1
Level 1
In response to Ken Stieers

‎10-17-2019 05:46 AM - edited ‎10-23-2019 03:00 AM

.

0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni

‎10-16-2019 12:51 PM

Hello,

If you do not have a tool to check in which machine user were blocked, try to check on event view of windows DC.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

MansionGib
Level 1
Level 1
In response to Jaderson Pessoa

‎10-16-2019 01:02 PM - edited ‎10-23-2019 03:01 AM

.

0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to MansionGib

‎10-16-2019 01:20 PM

What proxy are you using?
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

MansionGib
Level 1
Level 1
In response to Jaderson Pessoa

‎10-16-2019 01:48 PM

Cisco WSA S100V
0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to MansionGib

‎10-16-2019 02:00 PM

Try to force WSA to resync with AD.

Maybe this link help you: https://community.cisco.com/t5/cloud-security/policy-configuration-synchronization-in-cisco-wsa-virtual/td-p/3027359
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents