Symantec Privileged Access Management


Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

  • 1.  Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted 20 days ago
    Edited by Chris Scott 20 days ago
    Subject should be: 

    Common Issue? Windows AD account lockout after password rotation initiated by session timeout.


    Hello,

    We have identified a use scenario where Windows AD accounts are locking out and think this has to be a common issue. We are hoping there is some wisdom in this group that can offer some guidance how to mitigate the issue.

    Configuration
    1. Applet Timeout 60 minutes
    2. Password View Policy: "Exclusive Checkout" with "Change Password on Connection End"

    Steps to recreate problem
    1. A user starts a PAM RDP session selecting an available Active Directory account.
    2. Within the PAM RDP session, the user starts an activity (File Explorer, etc.)
    3. The user walks away from their workstation (i.e. locks Windows) with PAM RDP session still active
    4. After 60 minutes, applet timeout kicks in and session connection closes (disconnects from Windows terminal session)
    5. Due to connection closing, PAM initiates a change to the Active Directory password
    6. The processes still running on Windows device continually re-authenticate to Active Directory, resulting in Windows Active Directory bad logon attempts due to the stored password not matching the new password
    7. After a certain number of Windows Active Directory bad logon attempts, the Active Directory account locks out.

    I cannot imagine this being an isolated issue to just us.

    How have other implementations been able to mitigate this issue?

    Thanks in advance!

    Chris


  • 2.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted 12 days ago
    Hello Chris, I don't recall having seen this problem as described here, but I wouldn't be surprised if this was the root cause of one or the other report involving locked accounts in the past. Some customer would want PAM to terminate the session on timeout rather than just disconnecting, while others would consider that a problem.


  • 3.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted 11 days ago
    Edited by Joseph Fry 2 days ago
    Chris,

    This is a very common issue for customers who use PAM for RDP access... you over-explained the scenario though.  The issue will occur any time a user closes the RDP session without logging off (leaving the session open).

    Fortunately there is an easy fix with a simple GPO change:

    Set time limit for disconnected session:  Enabled - 3hrs  (adjust time as desired/necessary).

    We also commonly recommend the following GPO settings for the best RDP experience:
    Restrict Remote Desktop Services Users to a single Remote Desktop Services Session:  Disabled
    Limit Number of connections: Enabled - Unlimited (9999)
    Set time limit for active but idle Remote Desktop Sessions: Enabled - 3hrs  (adjust time as desired/necessary).


    The above GPOs ensure that each RDP session is a new session rather than resuming an old session; this is important when multiple users have policies that access the same device using the same target account.  And of course ensures that RDP sessions are properly terminated before Kerberos ticket renewals will cause accounts to lock.
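    An added example, not from this thread or the PAM product, that audits an RDP host for the four settings above and optionally applies them. It assumes the GPOs are backed by the machine-policy registry values named in the script (MaxDisconnectionTime, MaxIdleTime, fSingleSessionPerUser, MaxInstanceCount) and is meant to be run elevated on the target host; in a domain, the equivalent GPO applied centrally is the better place for these values.

```powershell
# Added example: audit (and with -Apply, set) the registry values that back the
# RDS session-limit GPOs recommended above. Run elevated on the RDP host.
# Assumption: these value names are the policy registry entries behind those GPOs.
[CmdletBinding()]
param([switch]$Apply, [int]$LimitHours = 3)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LimitMs   = $LimitHours * 60 * 60 * 1000   # session time limits are stored in milliseconds

# GPO setting -> backing registry value and the recommended value from the thread
$Recommended = @(
    @{ Gpo = 'Set time limit for disconnected sessions';        Name = 'MaxDisconnectionTime';  Value = $LimitMs }
    @{ Gpo = 'Set time limit for active but idle RDS sessions'; Name = 'MaxIdleTime';           Value = $LimitMs }
    @{ Gpo = 'Restrict RDS users to a single session: Disabled'; Name = 'fSingleSessionPerUser'; Value = 0 }
    @{ Gpo = 'Limit number of connections';                     Name = 'MaxInstanceCount';      Value = 9999 }
)

if ($Apply -and -not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Read all current values once; a missing key or value simply yields $null
$Current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

foreach ($r in $Recommended) {
    $value = if ($Current) { $Current.($r.Name) } else { $null }
    $state = if ($null -eq $value)      { 'NOT CONFIGURED' }
             elseif ($value -eq $r.Value) { 'OK' }
             else                       { "MISMATCH (current=$value)" }

    '{0,-58} {1,-22} expected={2,-10} {3}' -f $r.Gpo, $r.Name, $r.Value, $state

    if ($Apply -and $value -ne $r.Value) {
        Set-ItemProperty -Path $PolicyKey -Name $r.Name -Value $r.Value -Type DWord
    }
}
```

A disconnected session that is not reaped before the PAM-driven rotation is what drives the bad logons, so "NOT CONFIGURED" for MaxDisconnectionTime is the finding to chase first. Values set locally here are overwritten by any domain GPO that configures the same setting.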


  • 4.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted 3 days ago
    Joseph,

    Thank you for the recommendation.

    Maybe I just missed it, but maybe this info would be worthwhile in release notes?


  • 5.  RE: Common Issue? Windows AD account lockout after session timeout causing disconnect / password rotation

    Posted 2 days ago
    Chris,

    I could see value in putting together some documentation about "things to think about" when integrating with some of the more common systems that PAM interfaces with.  Not in the release notes, but perhaps as an appendix to the product documentation.

    Joe