Beginner

User gets locked constantly because of the proxy auth, after a password change

Hi guys, 

A user has changed his AD password today, and now the AD account gets locked out all the time from the proxy. We think his session with the old password is open in any computer or server, but the problem is that the proxy logs don't show which PC or IP is performing the auth requests. This is all I can see:

 

Wed Oct 16 21:01:28 2019 Info: PROX_AUTH : - : [49433: MANSION.GI]Plain-text authentication for user DOMAIN\username returned NT_STATUS_ACCOUNT_LOCKED_OUT (PAM: 8)
Wed Oct 16 21:01:29 2019 Debug: PROX_AUTH : - : [49425: MANSION.GI][49438]: pam auth DOMAIN\username

 

Could you please help us find out which machine is running this authentication and locking out the account?

 

Thanks

 

PS: I have set "debug" level logging for auth, but it didn't help

12 REPLIES 12
Engager

Re: User gets locked constantly because of the proxy auth, after a password change

Go find the ALTools package from Microsoft.

Use the lockout tool to find which DC locked the user out, then dig in that DC's security event log to figure out which box is locking the user out.


I'd also clear all credentials out of Credential Manager on the user's workstation.

Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

.

Engager

Re: User gets locked constantly because of the proxy auth, after a password change

Ok, so go clear creds from the workstation, have the user reboot.
Dump the auth cache in the WSA to make sure the user re-auths to the WSA with the new creds.
Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

..

Engager

Re: User gets locked constantly because of the proxy auth, after a password change

Ah...

Take a look at the access logs. Grep or tail it for the user's login id.

That will tell you the IP that their ID is coming from.
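
Added example (not part of the reply above and not Cisco code): one way to do the access-log search offline on an exported log, grouping the user's lines by client IP. It assumes the squid-style layout `epoch elapsed client_ip result/status bytes method url user ...`; the field positions, the function names and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in the assumed layout:
# epoch elapsed client_ip result/status bytes method url user ...
SAMPLE_LOG = r"""
1571259600.101 12 10.0.5.21 TCP_MISS/200 5120 GET http://intranet.example/ "DOMAIN\username@REALM" DIRECT/intranet.example text/html
1571259655.340 3 10.0.7.88 TCP_DENIED/407 1830 CONNECT tunnel://updates.example:443/ "DOMAIN\username@REALM" NONE/- -
1571259656.002 2 10.0.7.88 TCP_DENIED/407 1830 CONNECT tunnel://updates.example:443/ "DOMAIN\username@REALM" NONE/- -
1571259657.710 2 10.0.7.88 TCP_DENIED/407 1830 CONNECT tunnel://updates.example:443/ "DOMAIN\username@REALM" NONE/- -
1571259660.000 8 10.0.9.9 TCP_MISS/200 900 GET http://intranet.example/ "DOMAIN\username2@REALM" DIRECT/intranet.example text/html
1571259661.500 1 10.0.3.3 TCP_DENIED/407 1830 GET http://example.org/ - NONE/- -
"""

def account_name(user_field):
    # Reduce a quoted DOMAIN\user@REALM value to the bare, lower-case account
    # name so that "username" does not also match "username2".
    return user_field.strip('"').split("\\")[-1].split("@")[0].lower()

def sources_for_user(log_text, login_id):
    """Per client IP: matching lines, how many were 407s, first/last epoch."""
    wanted = login_id.lower()
    hits = defaultdict(lambda: {"count": 0, "denied_407": 0,
                                "first": None, "last": None})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue                      # blank or truncated line
        try:
            ts = float(fields[0])
        except ValueError:
            continue                      # header or comment line
        if account_name(fields[7]) != wanted:
            continue
        rec = hits[fields[2]]             # fields[2] is the client IP
        rec["count"] += 1
        rec["denied_407"] += fields[3].endswith("/407")
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    report = sources_for_user(SAMPLE_LOG, "username")
    # Clients with the most authentication challenges first.
    for ip, rec in sorted(report.items(), key=lambda kv: -kv[1]["denied_407"]):
        print(ip, rec)
```

A client IP with a burst of 407 lines around the lockout timestamps in the PROX_AUTH log is the first machine to check for a stale saved password.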






Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

.

Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

.

VIP Collaborator

Re: User gets locked constantly because of the proxy auth, after a password change

Hello,

If you do not have a tool to check on which machine the user was blocked, try checking the Event Viewer on the Windows DC.
Jaderson Pessoa
*** Rate All Helpful Responses ***
Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

.

VIP Collaborator

Re: User gets locked constantly because of the proxy auth, after a password change

What proxy are you using?
Jaderson Pessoa
*** Rate All Helpful Responses ***
Beginner

Re: User gets locked constantly because of the proxy auth, after a password change

Cisco WSA S100V
VIP Collaborator

Re: User gets locked constantly because of the proxy auth, after a password change

Try to force WSA to resync with AD.

Maybe this link helps you: https://community.cisco.com/t5/cloud-security/policy-configuration-synchronization-in-cisco-wsa-virtual/td-p/3027359
Jaderson Pessoa
*** Rate All Helpful Responses ***