Wednesday, September 7, 2011

iPad locking out user account

I found that an Apple iPad was locking out a user's Active Directory account every 10 minutes and 25 seconds by attempting to synchronize with their Microsoft Exchange e-mail account with the wrong password. I don't know if synchronizing every 10 minutes and 25 seconds is the default setting, but I was surprised there was no randomization factor, and my coworker was surprised that the iPad wasn't programmed to stop trying after a certain number of failed attempts by default.

A user told us that his account kept getting locked out. Others were taking care of the issue by unlocking his account. When I got involved, I unlocked his account and then waited to see him log in to our Terminal Server (the resource he was trying to access). When 13 minutes later he did not have an active session, I assumed he mistyped his password again. I unlocked his account and waited another 12 minutes. I still saw no active session, saw he was locked out again, and unlocked his account. I saw the same thing 25 minutes later and did the same thing. Finally, when I saw he was locked out again another 15 minutes later, I determined it must have been a device with an incorrect password.

However, now my interest was piqued, so I watched it. I kept narrowing in until I saw it was happening every 10 minutes and 25 seconds, far too regularly for him to be locking himself out. When we alerted him, we found it was his iPad. He turned the screen off (and it kept trying to synchronize), then later shut it down (which coincided with his last lockout time). It turns out the Additional Account Information tab in Active Directory is really helpful for finding this information. Leaving open the Account tab, you don't see when an account gets locked out because the window does not refresh/repaint. Our lockout time period was longer than the iPad's synchronization period, so if I hadn't been unlocking the account, it would have remained locked out. We were glad he confirmed it was a device because the other option was that another source was trying to compromise his account.
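The regularity check described above can be automated. The following is an added example, not part of the original post: given the times an account was locked out, it tests whether they all sit on one fixed grid, which points to a device retrying a stale password rather than a person mistyping. The function name, tolerance and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta


def find_period(timestamps, rel_tol=0.02, max_divisor=3, min_events=4):
    """Return the period in seconds if the events sit on a regular grid, else None.

    Gaps may be whole multiples of the period: a retry made while the account
    is still locked produces no new lockout, so some cycles go unobserved.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None  # too few events to call anything "regular"
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    shortest = min(gaps)
    if shortest <= 0:
        return None  # duplicate timestamps, nothing to measure
    # The shortest gap may itself span several cycles, so also try fractions of it.
    for divisor in range(1, max_divisor + 1):
        period = shortest / divisor
        if all(abs(g - round(g / period) * period) <= rel_tol * period for g in gaps):
            return period
    return None


def at(base, *offsets_s):
    """Build datetimes at the given second offsets from base."""
    return [base + timedelta(seconds=s) for s in offsets_s]


# Constructed sample data (not taken from real logs).
BASE = datetime(2011, 9, 7, 9, 0, 0)
# Lockouts on a 625 s (10 min 25 s) grid, with a second or two of jitter
# and two cycles missing because the account had not been unlocked yet.
DEVICE_LOCKOUTS = at(BASE, 0, 626, 1874, 2500, 3752)
# Lockouts at irregular times, as a person retyping a password would cause.
HUMAN_LOCKOUTS = at(BASE, 0, 197, 951, 1304, 3110)

if __name__ == "__main__":
    for name, events in (("device", DEVICE_LOCKOUTS), ("human", HUMAN_LOCKOUTS)):
        period = find_period(events)
        if period is None:
            print(f"{name}: no fixed period found")
        else:
            print(f"{name}: lockouts repeat about every {period:.0f} s, likely automated")
```

A fixed period only shows that the source is automated; it does not by itself distinguish a forgotten device from a scripted attacker, so the source of the attempts still has to be confirmed.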
