Why would users of a specific application get locked out of AD after one bad password?

Posted by This_guy_works@reddit | sysadmin | View on Reddit | 56 comments

We have a group of about 25 users that use an application that relies on their AD credentials to authenticate. For some reason (and this has been going on for over a year now), when they try logging into the application and they do not enter their password correctly, it locks their AD account after a single failed attempt, and they need to call in to have their account unlocked. I've gone as far as viewing the audit reports in our Netwrix auditor and see that at the time they lock out, it shows they had three failed attempts all at once, even though they only manually entered a bad password a single time. If this was a single user, I could see it being user error, but the entire department has had this issue and every time it is the same story - they mistyped their password once, and their account locked out. We receive a few calls daily to unlock an account from thsi department. I don't know if this is something specific with the one application they use, or if there are other applications known to cause this to happen and what a fix might be. Has anyone seen something similar or have an idea where to look to see what might be causing this for users? (We did have a period of time earlier this year where our root CA server was offline for a few months, and we did not have the lockouts occur, but that could just have been a coincidence, so I don't want to throw anything misleading into the mix, but wanted to mention this)

Reply to Post

56 Comments

[-]

arquesm@reddit

What's your domain's lockout threshold by the way?

[-]

This_guy_works@reddit (OP)

right now it's three attempts. Trying to convince our security office to bump it to 10, at least for that group to see if it helps.

[-]

jantari@reddit

Everyone saying the application is at fault and badly implemented, but this can also be caused by misconfiguration. Typically you configure multiple DCs for auth in an app for LDAPS auth, but you have to make sure you configure the servers as fallbacks for one another, not as multiple auth sources to be tried sequentially.

[-]

Rhopegorn@reddit

Because badly implemented software can sometimes cache faulty credentials and try them repeatedly. It’s mainly poor design that is often meant to helpful and often undocumented. An old example used to be acrobat reader that required access through our web proxy, which required authentication. That worked fine but next month after our password policy had required the user to update their password the software update check happily locked out the users AD account by repeating the now previous password it so sneakily cached. YMMV

[-]

Majik_Sheff@reddit

Mmmmm. Flashbacks of Minolta printers repeatedly locking themselves out.

[-]

burundilapp@reddit

Oh god I’m getting flashbacks, we had this issue for a few users, took a while to find it was bloody Adobe Reader doing it.

[-]

Mr_ToDo@reddit

I found that was happening on some vpn software when building a blacklist system. What was supposed to be a three strikes and you're out for, I think it was 15 minutes, turned into a 'you get one try' thing.

[-]

InevitableOk5017@reddit

Application tried multiple times.

[-]

redhairarcher@reddit

Ask the vendor, if they don't know they should ask their programmer. I see two options: 1) The already mentioned authentication retry. 2) The app uses the faulty credentials to connect to multiple backend resources at once like fileshare, datsbase and website.

[-]

Youre-In-Trouble@reddit

Har! Funny. The original programmer is likely long gone along with the source code.

[-]

AppIdentityGuy@reddit

It's more than likely the app supplying the password multiple times before prompting them again. I can also tell that a 3 bad attempts and then locking the account policy is asking for trouble

[-]

Fallingdamage@reddit

This. Sometimes I have this happen and I review our security logs and find that some old saved password has been ressurected somewhere and is hammering kerberos.

[-]

RealAgent0@reddit

>I can also tell that a 3 bad attempts and then locking the account policy is asking for trouble Yeah, this seems crazy to me. I've done 3 failed attempts myself just because I didn't realise caps lock was on. We have a policy of 15 alphanumeric characters minimum, both uppercase and lowercase. We also block usage of words that are commonly used or have shown up in breaches. 10 failed attempts is what it takes to lock the account and even then, the account will unlock after half an hour.

[-]

AppIdentityGuy@reddit

That's why I called it SIDOS

[-]

bulldg4life@reddit

The Federal government doesn't care about causing trouble! (They are relaxing it in some areas though)

[-]

FateOfNations@reddit

At least this one can be reset remotely… the prospect of having to go in to the security office to get my smart card pin unblocked is a perpetual source of anxiety for me.

[-]

Hotshot55@reddit

This reminds me of a story from my army days. Person was very upset because they "only put in the wrong PIN 3 times", I was like yeah that's the exact number of times it takes to block your CAC. Enjoy your trip to the DEERS office.

[-]

AppIdentityGuy@reddit

Are you saying three bad attempts and the lockout is federal Govt policy? That's weird because the NIST documentation on this has had a 3 attempt policy for ages

[-]

bulldg4life@reddit

I was just being silly - but yeah...nist 800-53 has had password requirements like that for a while. Revision 5 which just came out finally has alternatives including delayed logon, lock for only a period of time, etc which is nice.

[-]

AppIdentityGuy@reddit

Because the 3 bad attempts with an infinite observation window would cause absolute havoc... Talk about SIDOS

[-]

bulldg4life@reddit

The FedRAMP PMO revels in that.

[-]

AppIdentityGuy@reddit

Causing havoc or SIDOS?

[-]

iratesysadmin@reddit

![gif](giphy|mpxnrjQKLo0iA32r23|downsized)

[-]

Dizzy_Depth_@reddit

![gif](giphy|26u4doZQFaFnui3OE|downsized)

[-]

TheChrisCrank@reddit

Jabber client

[-]

maggotses@reddit

It's usually 10 retries (+1 for the actual fail)

[-]

Tatermen@reddit

A couple of years ago the Outlook app for Android had a similar horrible bug that didn't get fixed for ages. If a login failed due to an expired password, it would keep trying to login over and over again very quickly. There would be 20 failed logins and the account would get locked out in a matter of seconds.

[-]

TnNpeHR5Zm91cg@reddit

ClearPass does this by default, attempts a password 3 times, so dumb.

[-]

NoLongerGage@reddit

Aw man i hate these apps. Had some apps running as service accounts that you had to unlock, reset password and replicate to all DCs before the app started its login spam, think you had like 45 seconds

[-]

callmenoir@reddit

For example we have a batch of linux servers. They are linked to AD for authentication. We have to login, then sudo. Their kernel is configured to try the password 7 times after you typed it. So we get two chances to lock our (admin) account, which means we cannot even login to the windows DC to unlock it ourselves afterwards. Always have 2 people, or open an AD Users and Computers window on the DC before attempting a connection... Stupid shit.

[-]

tritonx@reddit

Since we started enforcing some password rules on the AD I got to check 4740 few times a day.

[-]

flatvaaskaas@reddit

Well, you basically cross tested it. It only happens with the application. So application is at fault here. Contact the supplier of the application. Why do you need our advice for this?

[-]

This_guy_works@reddit (OP)

We've gone to the vendor, and they don't know why it is happening. That is why I am asking the community as I am only one brain and you guys are many brain

[-]

thortgot@reddit

You can pull the security log and verify it is actually attempting to log in with invalid credentials multiple times. Then provide those logs to the vendor. They are obviously caching the creds and not respecting the failed login response code correctly.

[-]

PurpleTangent@reddit

Definitely this. OP, here's how to turn on Logon auditing on your DC: https://www.manageengine.com/products/active-directory-audit/how-to/how-to-find-the-source-of-failed-login-attempts.html

[-]

thortgot@reddit

It should be on by default I believe.

[-]

digitaltransmutation@reddit

Your next step is to enhance your visibility. See if you can observe what it is doing in Wireshark. A lot of auth types are pretty straightforward to spot even if the payloads are encrypted.

[-]

kagato87@reddit

If they don't know why it's happening, that's an indicator that maybe you don't want their app on your network using your AD logon info. It's pretty obvious what's going on here - the app is trying to authenticate three times. If the vendor doesn't understand how their security library functions it's a safe bet they don't know for certain what other vulnerabilities may be present. See if they have a proper SSO option available (Single sign on, not to be confused with the other SSO Same sign on). If the users are already authenticated to AD and have access to the resources, and the application is running in their user space, there's no reason it needs to be asking for logon. If it's a web site accessed remotely, then see if there's a viable SAML federated logon you hook into. The absolutely NOT recommended workaround would be to increase the failed logon threshold for a lockout from 3 to 5. Which is probably the best the vendor will come up with...

[-]

notgraveysocks@reddit

I've seen this with older versions of GP. If I recall the specific issue was specific to a bug in GP sending. X3 login attempts for every actual attempt. If you want to truly figure it out. Load up wire shark and watch the traffic from the application to the authentication server. You should see the X3 attempts come across. The trouble is even if you find the root cause, will the application support team actually address the issue and fix it? Often times the. Answer is: no. The is leaves us at a point where increasing the number of lockout attempts to 9 or 10 is the best work around. Some folks would suggest starting here to get folks working again and eliminating the support calls. In terms of security and concerns around brute forcing passwords, if the minimum password length is long enough and 2FA is used, then 3 vs 10 won't really matter from a security standpoint.

[-]

listenhearreddit@reddit

speaking from experience, this is a netwrix password manager issue, this software has not been updated for years, your company must have a contract with them and dragging it, the place where I worked had same issues with this and it turned out our 20-30% tickets were because of this, then we said f these netwrix developers and moved to full sso for all our apps.

[-]

ZAFJB@reddit

Crap app. 1. It's retrying multiple times when it should not. 2. That means it is keeping the password somewhere in plain text.

[-]

sryan2k1@reddit

>That means it is keeping the password somewhere in plain text. No it doesn't, not any more than it already had when the user typed it in and it was submitted, it just retries the submission .

[-]

tankerkiller125real@reddit

At the bare minimum the app is storing the password in plaintext in memory longer than it should.

[-]

sryan2k1@reddit

Hardly String password = UserInput.PasswordBox for(int i = 0; i < 3; i++) { if (doLogin(password)) { break; } Sleep(1000); }

[-]

ZAFJB@reddit

Nonsense. At the end of your loop the memory location that contains your *String password* will still contain your password, waiting for some miscreant to come an steal it

[-]

Wild_Snow_2632@reddit

Garbage collection is pretty great and automatic in modern programming languages..... As soon as the function is over, its gone.

[-]

ZAFJB@reddit

You hope... A lot of automatic garbage collection might dispose of stuff so that it does not hold on to memory. But that it is not necessarily the case the a the garbage collection has *overwritten* the memory. Also a lot of garbage collection is deliberately coded to be *lazy* so it does not happen immediately

[-]

Bioman312@reddit

Second bit is not true, unless you mean having it in memory, but good luck getting an app to pass a password to another system without having it in memory during the authentication process.

[-]

ZAFJB@reddit

> unless you mean having it in memory memory *is* somewhere

[-]

ZAFJB@reddit

Of course it is in memory. But is should be overwritten as soon as it is used. But that is a shitty way of doing authentication. There are several ways for an app authenticate as a user into a service without knowing the user's password.

[-]

goochisdrunk@reddit

Cached credentials hiding somewhere.

[-]

Infninfn@reddit

You can be sure that there isn't anything else that is causing this, other than whatever the app itself is doing. You should be able to confirm from the audit logs where the failed login attempts are coming from too and fling that in the vendor's face. It really is on them to figure this out.

[-]