Subject should be:
Common Issue? Windows AD account lockout after password rotation initiated by session timeout.
Hello,
We have identified a usage scenario where Windows AD accounts are locking out and think this has to be a common issue. We are hoping there is some wisdom in this group that can offer some guidance on how to mitigate the issue.
Configuration
1. Applet Timeout 60 minutes
2. Password View Policy: "Exclusive Checkout" with "Change Password on Connection End"
Steps to recreate problem
1. A user starts a PAM RDP session selecting an available Active Directory account.
2. Within the PAM RDP session, the user starts an activity (File Explorer, etc.)
3. The user walks away from their workstation (i.e. locks Windows) with PAM RDP session still active
4. After 60 minutes, the applet timeout kicks in and the session connection closes (disconnects from the Windows terminal session)
5. Due to connection closing, PAM initiates a change to the Active Directory password
6. The processes still running on the Windows device continually re-authenticate to Active Directory, resulting in Windows Active Directory bad logon attempts because the stored password no longer matches the new password
7. After a certain number of Windows Active Directory bad logon attempts, the Active Directory account locks out.
I cannot imagine this being an isolated issue affecting just us.
How have other implementations been able to mitigate this issue?
Thanks in advance!
Chris
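One thing a defender can do while the policy question is sorted out is correlate each PAM rotation with the bad-password events that follow it, so the host still holding the stale credential is identified before (or right after) the 4740 lockout. This is an added example, not code from the original post or from any PAM product; the event records below are constructed and are a simplified form of the Windows security log 4771/4776 bad-password events (account, source host, time) plus the PAM rotation timestamps.

```python
"""Correlate PAM password rotations with AD bad-password events to find the host
whose disconnected-session processes are still re-authenticating with the old
password. Added example; all records below are constructed, not real logs."""
from datetime import datetime, timedelta

# Constructed PAM audit records: when each account's password was rotated.
PAM_ROTATIONS = [
    {"account": "svc-backup", "rotated_at": "2024-05-01T10:00:05"},
    {"account": "svc-report", "rotated_at": "2024-05-01T11:30:00"},
]

# Constructed, simplified AD events. 4771 (Kerberos pre-auth failed) and
# 4776 (NTLM validation failed) carry the failing account and source host.
AD_EVENTS = [
    {"id": 4776, "account": "svc-backup", "host": "WS-CHRIS01", "time": "2024-05-01T09:58:00"},  # before rotation
    {"id": 4776, "account": "svc-backup", "host": "WS-CHRIS01", "time": "2024-05-01T10:00:20"},
    {"id": 4771, "account": "svc-backup", "host": "WS-CHRIS01", "time": "2024-05-01T10:05:20"},
    {"id": 4771, "account": "svc-backup", "host": "WS-CHRIS01", "time": "2024-05-01T10:10:20"},
    {"id": 4776, "account": "svc-backup", "host": "WS-OTHER02", "time": "2024-05-01T10:12:00"},  # one-off typo
    {"id": 4771, "account": "svc-report", "host": "WS-DANA03",  "time": "2024-05-01T11:31:00"},
    {"id": 4771, "account": "svc-report", "host": "WS-DANA03",  "time": "2024-05-01T13:00:00"},  # outside window
]

BAD_PASSWORD_EVENT_IDS = {4771, 4776}


def stale_credential_hosts(rotations, events, window_minutes=30, threshold=3):
    """Return {account: {host: count}} for hosts that produced at least
    `threshold` bad-password events against an account within
    `window_minutes` after that account's PAM rotation.

    Events before the rotation or outside the window are ignored, so a
    pre-rotation failure or an unrelated later typo does not count."""
    findings = {}
    for rot in rotations:
        start = datetime.fromisoformat(rot["rotated_at"])
        end = start + timedelta(minutes=window_minutes)
        counts = {}
        for ev in events:
            if ev["id"] not in BAD_PASSWORD_EVENT_IDS or ev["account"] != rot["account"]:
                continue
            when = datetime.fromisoformat(ev["time"])
            if start <= when <= end:
                counts[ev["host"]] = counts.get(ev["host"], 0) + 1
        hits = {host: n for host, n in counts.items() if n >= threshold}
        if hits:
            findings[rot["account"]] = hits
    return findings


if __name__ == "__main__":
    for account, hosts in stale_credential_hosts(PAM_ROTATIONS, AD_EVENTS).items():
        print(f"{account}: stale credential likely on {', '.join(hosts)}")
```

Lowering `threshold` to 1 with the same data surfaces single post-rotation failures as well, which is useful if the lockout policy counts attempts across several hosts.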