Why Does This One AD User Keep Getting Locked Out?

Asked By TechieTurtle37 On

I'm dealing with a situation where one of our Active Directory users consistently gets locked out of the SSL VPN, happening at least once or twice daily while she works remotely. This seems unique to her, as no other users are experiencing similar issues. The user's AD account is tied to a SonicWall SSL VPN, using the same username and password for both their desktop and VPN access through RADIUS. The SonicWall's system logs don't display any incorrect login attempts for this user, which is puzzling. Moreover, the Domain Controller logs indicate that her account is being locked out, but I can't ascertain the reason behind it. I'm starting to wonder if her being a common name might lead to brute force attempts causing the lockouts, but I'm not certain. It's worth mentioning that they use their first name for logins and the SonicWall login screen isn't accessible through their public IP. Additionally, all users are linked to Duo for RDP, requiring Duo authentication to log in completely. Any advice or insights on how to troubleshoot this would be greatly appreciated!

5 Answers

Answered By SecureNetty92 On

You might want to check if the user has any work accounts on their mobile devices that could be kicking off lockouts. Sometimes a mobile device trying to authenticate can lead to unexpected issues like this.

Answered By SecureAccessHunter On

From my experience, it could be mobile devices causing the lockout. Either they're connected to apps using the user’s credentials or attempting to authenticate through Wi-Fi. Another possible culprit can be scheduled tasks or services running with old passwords. You could also be dealing with brute force attempts, so it’s definitely worth investigating!

Answered By SysAdminSleuth On

It's possible they recently changed their password. Maybe some mapped drives or other resources are still using the old password, leading to the lockouts. I’d recommend checking on that!

Answered By NetworkNinja44 On

Have you turned on advanced auditing for your SonicWall event logs? It’s crucial because, without proper configuration, you won't see the login attempts that lead up to the account lockouts. Make sure your logging includes things like account lockout events (Event ID 4740) and failed logons (Event ID 4625). It's also worth purging any saved credentials on their devices and rebooting them.
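
An added example, not part of the answer above: Event IDs 4740 and 4625 are written to Windows Security logs, so this script reads the lockout events from the PDC emulator, takes the caller computer named in each one, and groups the failed logons recorded on that machine by where they came from. The username `jane`, the 24-hour window and the helper function names are assumptions.

```powershell
# Added example. Assumptions: the ActiveDirectory (RSAT) module is installed,
# the account running this can read remote Security logs, and 'jane' is a
# placeholder for the affected username.
param([string]$User = 'jane', [int]$HoursBack = 24)

Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator   # the PDC emulator logs lockouts domain-wide
$since = (Get-Date).AddHours(-$HoursBack)

# Return an event's named EventData fields as a hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Read one event ID from a computer's Security log, keeping only this user.
function Get-UserEvents($Computer, $Id) {
    try {
        Get-WinEvent -ComputerName $Computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Id; StartTime = $since
        } | ForEach-Object {
            $f = Get-EventFields $_
            if ($f.TargetUserName -eq $User) { $f.Time = $_.TimeCreated; $f }
        }
    } catch {
        # Covers "no events found" as well as an unreachable or unknown host.
        Write-Warning "${Computer} (event $Id): $($_.Exception.Message)"
    }
}

# 4740: in this event the TargetDomainName field carries the caller computer name.
$lockouts = @(Get-UserEvents $pdc 4740)
$lockouts | ForEach-Object { '{0:s}  locked out, caller: {1}' -f $_.Time, $_.TargetDomainName }

# 4625: failed logons on each caller machine, grouped by origin and failure code.
$callers = $lockouts | ForEach-Object { $_.TargetDomainName } | Where-Object { $_ } | Sort-Object -Unique
foreach ($caller in $callers) {
    Get-UserEvents $caller 4625 | ForEach-Object {
        [pscustomobject]@{
            Caller = $caller; Source = $_.IpAddress; Workstation = $_.WorkstationName
            LogonType = $_.LogonType; Process = $_.ProcessName; SubStatus = $_.SubStatus
        }
    } | Group-Object Caller, Source, Workstation, LogonType, Process, SubStatus |
        Sort-Object Count -Descending | Select-Object Count, Name
}
```

A single caller with one source address and a steady count points to a stored or stale credential on that device, while many source addresses point to guessing against the username.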

Answered By SAMLPro123 On

Are you using Duo for SSL VPN logins? If so, RADIUS is pretty sensitive when it comes to account lockouts due to the way it queries the Domain Controller for each login. If your SonicWall supports SAML, you might want to switch to that. It can help prevent unwanted lockouts and streamline authentication, especially when working with Duo or Okta.
