User gets locked out constantly because of the proxy auth, after a password change
10-16-2019 12:10 PM
Hi guys,
A user changed his AD password today, and now the AD account gets locked out all the time by the proxy. We think a session with the old password is still open on some computer or server, but the problem is that the proxy logs don't show which PC or IP is performing the auth requests. This is all I can see:
Wed Oct 16 21:01:28 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\username returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
Wed Oct 16 21:01:29 2019 Debug: PROX_AUTH : - : [49425: MANSION.GI][49438]: pam auth DOMAIN\username
Could you please help us identify which machine is running this authentication and locking out the account?
Thanks
PS: I have set "debug" level logging for auth, but it didn't help.
Labels: Web Security
10-16-2019 12:23 PM
Use the lockout tool to find which DC locked the user out, then dig into that DC's security event log to figure out which box is locking the user out.
I'd also clear all credentials out of Credential Manager on the user's workstation.
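The second half of that procedure (reading the DC's security log) as an added example; this is not code from the thread or from Cisco/Microsoft. It assumes the lockout events (ID 4740) were exported from the PDC emulator's Security log with `wevtutil qe Security /q:"*[System[EventID=4740]]" /f:xml`, which writes the `<Event>` elements without a root element, and it works on a constructed export rather than real data. The hostnames, user names and SIDs in the sample are invented.

```python
"""Pull the 'Caller Computer Name' out of Windows 4740 (account lockout) events.

Added example for this thread, not code from the thread or from Cisco/Microsoft.
Assumes the Security log of the PDC emulator was exported with
    wevtutil qe Security /q:"*[System[EventID=4740]]" /f:xml > lockouts.xml
and that the export is a bare sequence of <Event> elements (wevtutil writes no
root element). SAMPLE_EXPORT below is a constructed export, not real data.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(time_created, dc, user, caller):
    # Build one constructed 4740 <Event> in the layout the Security log uses.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4740</EventID><TimeCreated SystemTime="{time_created}"/>'
        f'<Computer>{dc}</Computer></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{caller}</Data>'
        '<Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>'
        '<Data Name="SubjectUserSid">S-1-5-18</Data>'
        f'<Data Name="SubjectUserName">{dc.split(".")[0]}$</Data>'
        '<Data Name="SubjectDomainName">DOMAIN</Data>'
        '<Data Name="SubjectLogonId">0x3e7</Data></EventData></Event>\n'
    )


# Constructed export: three lockouts of jsmith (two from a server, one relayed
# by the proxy itself) and one unrelated lockout of another user.
SAMPLE_EXPORT = (
    _event("2019-10-16T19:01:27.000Z", "DC01.corp.example", "jsmith", "SRV-APP07")
    + _event("2019-10-16T19:03:39.000Z", "DC01.corp.example", "jsmith", "SRV-APP07")
    + _event("2019-10-16T19:20:02.000Z", "DC01.corp.example", "jsmith", "WSA01")
    + _event("2019-10-16T19:25:44.000Z", "DC01.corp.example", "adoe", "PC-42")
)


def parse_4740_export(xml_text):
    """Return one dict per 4740 event: when, which DC logged it, who, and from where."""
    # wevtutil emits sibling <Event> elements; wrap them so ElementTree gets one tree.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": ev.find("e:System/e:Computer", NS).text,
            "user": data.get("TargetUserName", ""),
            # 4740 carries the locking machine in the TargetDomainName field;
            # Event Viewer displays it as "Caller Computer Name".
            "caller_computer": data.get("TargetDomainName", ""),
        })
    return events


def callers_for_user(events, user):
    """Caller computers that locked `user`, most frequent first."""
    counts = {}
    for ev in events:
        if ev["user"].lower() == user.lower():
            counts[ev["caller_computer"]] = counts.get(ev["caller_computer"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evs = parse_4740_export(SAMPLE_EXPORT)
    for caller, n in callers_for_user(evs, "jsmith"):
        print(f"{caller}: {n} lockout(s)")
```

A caller that turns out to be the proxy's own hostname (WSA01 in the constructed sample) means the DC only saw the appliance relaying a bad password on the client's behalf; the 4740 event cannot point further than that, and the next stop is the failed-attempt events themselves (4776 carries the source workstation for NTLM validation, 4771 the client address for Kerberos pre-authentication failures) or the proxy's own access logs.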
10-16-2019 01:11 PM
Dump the auth cache in the WSA to make sure the user re-auths to the WSA with the new creds.
10-16-2019 02:15 PM
Take a look at the access logs. Grep or tail it for the user's login ID. That will tell you the IP that their ID is coming from.
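The same idea carried one step further, as an added example that is not part of the thread and not Cisco code: instead of a plain grep, it takes the lockout timestamps from the proxylog lines quoted in the question and lists which client IPs were sending requests as that user in the minutes before each lockout. It assumes the accesslog keeps the WSA's Squid-style layout (epoch timestamp, elapsed time, client IP, result/status, bytes, method, URL, quoted `user@Realm` or `-`), that the proxylog timestamps are in the appliance's local time while accesslog timestamps are epoch seconds, and that the offset between the two is known (UTC+2 is assumed for the sample). All log lines below are constructed, with the trailing accesslog fields abbreviated; the realm, IPs and user names are invented.

```python
"""Correlate WSA proxylog lockout messages with client IPs from the accesslog.

Added example for this thread; not code from the thread or from Cisco. Assumes:
  * proxylog lines look like the PROX_AUTH lines quoted in the question
    (appliance local time, no client IP);
  * accesslog lines follow the WSA's Squid-style layout:
      epoch.ms elapsed client_ip result/status bytes method url "user@Realm" ...
    with "-" in the user field when no user was authenticated;
  * TZ_OFFSET_SECONDS is the appliance's local-time offset from UTC, because the
    accesslog timestamps are epoch seconds (UTC) and the proxylog ones are not.
The sample lines below are constructed (trailing accesslog fields abbreviated).
"""
import calendar
import re
import time
from collections import defaultdict

TZ_OFFSET_SECONDS = 2 * 3600  # assumption: appliance clock runs at UTC+2

SAMPLE_PROXYLOG = r"""
Wed Oct 16 21:01:28 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\jsmith returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
Wed Oct 16 21:01:29 2019 Debug: PROX_AUTH : - : [49425: MANSION.GI][49438]: pam auth DOMAIN\jsmith
Wed Oct 16 21:03:40 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\jsmith returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
"""

SAMPLE_ACCESSLOG = r"""
1571250000.000 120 10.20.30.44 TCP_MISS/200 5120 GET http://intranet.example/home "DOMAIN\jsmith@AD_Realm" DIRECT/intranet.example text/html DEFAULT_CASE_12-DefaultGroup -
1571252300.412 97 10.20.30.44 TCP_MISS/200 8187 GET http://intranet.example/news "DOMAIN\jsmith@AD_Realm" DIRECT/intranet.example text/html DEFAULT_CASE_12-DefaultGroup -
1571252410.007 45 10.20.30.44 TCP_MISS/200 2231 GET http://intranet.example/css "DOMAIN\jsmith@AD_Realm" DIRECT/intranet.example text/css DEFAULT_CASE_12-DefaultGroup -
1571252455.118 310 10.20.30.201 TCP_MISS/200 640 POST http://updates.example/check "DOMAIN\jsmith@AD_Realm" DIRECT/updates.example application/json DEFAULT_CASE_12-DefaultGroup -
1571252470.500 88 10.20.30.77 TCP_MISS/200 9001 GET http://intranet.example/home "DOMAIN\adoe@AD_Realm" DIRECT/intranet.example text/html DEFAULT_CASE_12-DefaultGroup -
1571252490.233 2 10.20.30.201 TCP_DENIED/407 0 POST http://updates.example/check - NONE/- - DEFAULT_CASE_12-DefaultGroup -
"""

PROX_AUTH_LOCKOUT_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \w+: PROX_AUTH : .*?"
    r"for user (\S+) returned NT_STATUS_ACCOUNT_LOCKED_OUT"
)
ACCESSLOG_RE = re.compile(
    r'^(\d+\.\d+) +\d+ +(\S+) +\S+ +\d+ +\S+ +\S+ +("[^"]*"|-) '
)


def parse_lockouts(proxylog_text, tz_offset_seconds=TZ_OFFSET_SECONDS):
    """[(epoch_utc, 'domain\\user'), ...] for every ACCOUNT_LOCKED_OUT message."""
    lockouts = []
    for line in proxylog_text.splitlines():
        m = PROX_AUTH_LOCKOUT_RE.match(line)
        if not m:
            continue  # Debug chatter and other auth results are not lockouts
        local = time.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        epoch = calendar.timegm(local) - tz_offset_seconds  # local -> UTC
        lockouts.append((epoch, m.group(2).lower()))
    return lockouts


def parse_access(accesslog_text):
    """[(epoch_utc, client_ip, 'domain\\user' or None), ...]."""
    requests = []
    for line in accesslog_text.splitlines():
        m = ACCESSLOG_RE.match(line)
        if not m:
            continue
        user = None
        if m.group(3) != "-":
            # drop the quotes and the @Realm suffix so it matches the proxylog spelling
            user = m.group(3).strip('"').split("@", 1)[0].lower()
        requests.append((float(m.group(1)), m.group(2), user))
    return requests


def ips_behind_lockouts(lockouts, requests, window_seconds=300):
    """For each lockout: {client_ip: request_count} for that user in the preceding window."""
    report = {}
    for when, user in lockouts:
        counts = defaultdict(int)
        for ts, ip, req_user in requests:
            if req_user == user and when - window_seconds <= ts <= when:
                counts[ip] += 1
        report[(when, user)] = dict(counts)
    return report


def lockout_report(proxylog_text=SAMPLE_PROXYLOG, accesslog_text=SAMPLE_ACCESSLOG):
    return ips_behind_lockouts(parse_lockouts(proxylog_text), parse_access(accesslog_text))


if __name__ == "__main__":
    for (when, user), ips in lockout_report().items():
        stamp = time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(when))
        print(f"{stamp} {user} locked out; active client IPs: {ips}")
```

Requests logged once the account is already locked may carry no username at all (the last constructed accesslog line), so the window has to reach back before the first lockout message; an IP that shows up for the user only in that run-up, as 10.20.30.201 does in the sample, is the stale session to chase.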
10-16-2019 12:51 PM
If you do not have a tool to check on which machine the user was blocked, try checking the Event Viewer on the Windows DC.
10-16-2019 02:00 PM
Maybe this link helps you: https://community.cisco.com/t5/cloud-security/policy-configuration-synchronization-in-cisco-wsa-virtual/td-p/3027359
