M and MSM Series

MSM760 and Active Directory account lockouts

 

Hi,

 

We have two 760s servicing 10 offices with 26 APs (a combination of 422s and 320s). We have come across a situation where a user connects to wireless, but within minutes their AD account will be locked. The lock comes from the RADIUS server following an authentication attempt by the 760. If we turn off wireless on their machines then they can work fine.

 

Trying to dig into this, I have found the following:

In most cases the user has at some point had two devices connecting to the APs at the same time (i.e. migrating to a new machine or a BlackBerry or iPhone); however, in many cases they only have one device connecting now.

 

The issue has affected both Dell and Lenovo hardware, multiple models.

 

In most cases, but I don't think all, the OS has been 64-bit Windows, usually Windows 7 but sometimes XP.

 

The AD environment is 2008 R2.

 

An example of the issue includes User A logging in to machine A, no issues

User A logs in to machine B, within minutes the AD account is locked

User B logs in to machine A no problem

 

Now the weird part is that User A can now log into machine C and have no problems.

 

I'm absolutely stumped by this one so any help appreciated.

 

Dave


Re: MSM760 and Active Directory account lockouts

I've managed to narrow this issue down since my original post, and hopefully someone can help me.

 

The lockouts are caused where a user has entered their username differently from the pre-Windows 2000 account name format in Active Directory. For example, the username is BSmith when they log in to their machine, but the AD username is bsmith. The Kerberos user principal name is case sensitive and this discrepancy is causing the authentication to fail.

 

Are there any ways that I can modify authentication to avoid this?  The AD account name is not consistent across the domain so I cannot change all users or suddenly tell them to change their login name.

 

Any help gratefully received!

 

Dave


Re: MSM760 and Active Directory account lockouts

Afternoon,

Did you ever get a solution to this? I am having the same issue. I don't understand why the user ID would be case sensitive.