Symantec Privileged Access Management

  • 1.  Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted Jul 25, 2020 11:29 AM
    Edited by Chris Scott Jul 25, 2020 10:12 PM
    Subject should be: 

    Common Issue? Windows AD account lockout after password rotation initiated by session timeout.


    Hello,

    We have identified a use scenario where Windows AD accounts are locking out and think this has to be a common issue. We are hoping there is some wisdom in this group that can offer some guidance how to mitigate the issue.

    Configuration
    1. Applet Timeout 60 minutes
    2. Password View Policy: "Exclusive Checkout" with "Change Password on Connection End"

    Steps to recreate problem
    1. A user starts a PAM RDP session selecting an available Active Directory account.
    2. Within the PAM RDP session, the user starts an activity (File Explorer, etc.)
    3. The user walks away from their workstation (i.e. locks Windows) with PAM RDP session still active
    4. After 60 minutes, applet time out kicks in and session connection closes (disconnects from windows terminal session)
    5. Due to connection closing, PAM initiates a change to the Active Directory password
    6. The processes still running on Windows device continually re-authenticates to Active Directory, resulting in Windows Active Directory bad logon attempts due to the stored password not matching the new password
    7. After a certain number of Windows Active Directory bad logon attempts, the Active Directory account locks out.

    I cannot imagine this being an isolated issue to just us.

    How have other implementations been able to mitigate this issue?

    Thanks in advance!

    Chris
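The lockout chain described in the post leaves a clear trail in the domain controller's Security log: a PAM password rotation followed, within an hour or so, by event 4740 ("A user account was locked out") for the same account, with the Caller Computer Name pointing at the RDP host that still holds the old credential. The PowerShell below is an added example, not code from the thread or from Symantec PAM, that correlates a list of rotation timestamps with 4740 events; the rotation records and the event objects are constructed sample data, and the account and host names are placeholders.

```powershell
# Added example (not from the thread): correlate PAM password rotations with
# AD account lockouts (Security event 4740) so the rotation-then-lockout
# pattern is visible before the help desk calls.
# Constructed sample data: in production, $Rotations would come from the PAM
# audit log and $Lockouts from Get-WinEvent on a domain controller.

$Rotations = @(
    [pscustomobject]@{ Account = 'svc_rdp01'; RotatedAt = Get-Date '2020-07-24 14:05:00' }
    [pscustomobject]@{ Account = 'adm_jdoe';  RotatedAt = Get-Date '2020-07-24 15:30:00' }
)

# Minimal shape of a 4740 event: who was locked out, and from which caller computer.
$Lockouts = @(
    [pscustomobject]@{ Id = 4740; TimeCreated = Get-Date '2020-07-24 14:27:00'; TargetUserName = 'svc_rdp01'; CallerComputerName = 'RDSHOST01' }
    [pscustomobject]@{ Id = 4740; TimeCreated = Get-Date '2020-07-24 18:00:00'; TargetUserName = 'adm_jdoe';  CallerComputerName = 'WKS-ACCT07' }
)

function Find-RotationLockouts {
    param(
        [object[]]$Rotations,
        [object[]]$Lockouts,
        [int]$WindowMinutes = 60   # how long after a rotation a lockout still counts as "caused by it"
    )
    foreach ($r in $Rotations) {
        $hits = $Lockouts | Where-Object {
            $_.Id -eq 4740 -and
            $_.TargetUserName -eq $r.Account -and
            $_.TimeCreated -ge $r.RotatedAt -and
            $_.TimeCreated -le $r.RotatedAt.AddMinutes($WindowMinutes)
        }
        foreach ($h in $hits) {
            [pscustomobject]@{
                Account        = $r.Account
                RotatedAt      = $r.RotatedAt
                LockedOutAt    = $h.TimeCreated
                MinutesAfter   = [int]($h.TimeCreated - $r.RotatedAt).TotalMinutes
                CallerComputer = $h.CallerComputerName   # host still re-authenticating with the old password
            }
        }
    }
}

# svc_rdp01 is reported (locked 22 minutes after rotation); adm_jdoe is not,
# because its lockout falls outside the correlation window.
Find-RotationLockouts -Rotations $Rotations -Lockouts $Lockouts | Format-Table -AutoSize
```

On a domain controller the real events come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}`; the locked-out account and the caller computer are in the event's `Properties` collection, so map them into the `TargetUserName` and `CallerComputerName` fields the function expects. The `CallerComputer` column is the useful output: it names the RDP host whose disconnected session needs to be logged off or reaped.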


  • 2.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Broadcom Employee
    Posted Aug 02, 2020 01:00 PM
    Hello Chris, I don't recall having seen this problem as described here, but I wouldn't be surprised if this was the root cause of one or the other report involving locked accounts in the past. Some customer would want PAM to terminate the session on timeout rather than just disconnecting, while others would consider that a problem.


  • 3.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Broadcom Employee
    Posted Aug 03, 2020 10:36 AM
    Edited by Joseph Fry Aug 12, 2020 11:40 AM
    Chris,

    This is a very common issue for customers who use PAM for RDP access... you over explained the scenario though.  The issue will occur any time a user closes the RDP session without logging off (leaving the session open).

    Fortunately there is an easy fix with a simple GPO change:

    Set time limit for disconnected session:  Enabled - 3hrs  (adjust time as desired/necessary).

    We also commonly recommend the following GPO settings for the best RDP experience:
    Restrict Remote Desktop Services Users to a single Remote Desktop Services Session:  Disabled
    Limit Number of connections: Enabled - Unlimited (9999)
    Set time limit for active but idle Remote Desktop Sessions: Enabled - 3hrs  (adjust time as desired/necessary).


    The above GPOs ensure that each RDP session is a new session rather than resuming an old session, this is important when multiple users have policies that access the same device using the same target account.  And of course ensures that RDP sessions are properly terminated before Kerberos ticket renewals will cause accounts to lock.
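The four settings above live under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host (Session Time Limits and Connections) and are written to the Terminal Services policy registry key on each RDP host. The PowerShell below is an added example, not code from the thread or from Symantec PAM, that audits a host against those recommendations and can apply them; it assumes the documented registry value names for these policies, and the 3-hour and 9999 figures are the ones suggested in the reply.

```powershell
# Added example (not from the thread): audit, and optionally apply, the
# registry values behind the four GPO settings recommended above.
# Assumed: the documented Terminal Services policy key and value names.

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Session time limits are stored in milliseconds.
$ThreeHoursMs = 3 * 60 * 60 * 1000

$Recommended = @{
    MaxDisconnectionTime  = $ThreeHoursMs   # "Set time limit for disconnected sessions": 3 hrs
    MaxIdleTime           = $ThreeHoursMs   # "Set time limit for active but idle RDS sessions": 3 hrs
    fSingleSessionPerUser = 0               # "Restrict RDS users to a single RDS session": Disabled
    MaxInstanceCount      = 9999            # "Limit number of connections": 9999 (unlimited)
}

function Get-RdsSessionPolicyDrift {
    # Returns one row per setting; a value that is not configured at all
    # shows as $null and is reported as non-compliant.
    param([string]$Path = $TsPolicy, [hashtable]$Expected = $Recommended)
    $current = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $Expected.Keys) {
        $actual = if ($current -and $current.PSObject.Properties[$name]) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $Expected[$name])
        }
    }
}

function Set-RdsSessionPolicy {
    # Writes the recommended values locally (requires an elevated shell).
    # On a domain-joined host set these in the GPO instead; policy refresh
    # will overwrite anything written here.
    param([string]$Path = $TsPolicy, [hashtable]$Expected = $Recommended)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Expected[$name] -Force | Out-Null
    }
}

# Audit only; run Set-RdsSessionPolicy separately when you intend to change the host.
Get-RdsSessionPolicyDrift | Format-Table -AutoSize
```

Run the audit across the RDP hosts in a PAM policy (for example via `Invoke-Command`) before and after the GPO change: a `MaxDisconnectionTime` of `$null` or `0` on any host means disconnected sessions never expire there, and that host will keep re-authenticating with the old password after PAM rotates it.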


  • 4.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted Aug 11, 2020 04:36 PM
    Joseph,

    Thank you for the recommendation.

    Maybe I just missed it, but maybe this info would be worthwhile in release notes?


  • 5.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Broadcom Employee
    Posted Aug 12, 2020 11:39 AM
    Chris,

    I could see value in putting together some documentation about "things to think about" when integrating with some of the more common systems that PAM interfaces with.  Not in the release notes, but perhaps as an appendix to the product documentation.

    Joe