A user has changed his AD password today, and now the AD account gets locked out all the time from the proxy. We think his session with the old password is open in any computer or server, but the problem is that the proxy longs don´t show which PC or IP is performing the auth requests. This is all I can see:
Wed Oct 16 21:01:28 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\username returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
Wed Oct 16 21:01:29 2019 Debug: PROX_AUTH : - : [49425: MANSION.GI]: pam auth DOMAIN\username
May you please help to identify how can we find out which machine is running this authentication and locking out the account?
PS: I have set "debug" level logging for auth, but didn´t help