[MS-ADTS] User locking, password policies

  • Question

  • Hi,

    It is unclear from MS-ADTS if any password policies (or any login-related checks) are being applied to the user when performing a Simple Bind Request.

    I have found that when we authenticate to ADDS with a wrong password, it automatically locks the account (provided that group policy is configured).

    But ADTS does not specify any of these operations in the document.

    Can you provide the detailed checks or operations performed for Bind Request?

    Rajesh

    Saturday, May 21, 2011 11:11 AM

Answers

  • Rajesh,

     

    Regarding the references in MS-ADTS on how account lockout policy is applied on Bind requests, I reported this as a document bug to the product team to request references being added.

     

    For LDAP errors returned by the server on a Simple Bind when the account is locked, the error is the same as if the Bind provided a wrong password. Windows Active Directory returns the LDAP error invalidCredentials.

     

    LDAP Bind Response error codes are documented in RFC2251 4.2.3. Examples of errors are operationsError, strongAuthRequired, inappropriateAuthentication, invalidCredentials, unavailable.

     

    RFC2251

    4.2.3. Bind Response

     - invalidCredentials: the wrong password was supplied or the SASL credentials could not be processed.

     

    The extended error information looks like this:

    -----------

    res = ldap_simple_bind_s(ld, 'contoso3\user1', <unavailable>); // v.3

    Error <49>: ldap_simple_bind_s() failed: Invalid Credentials

    Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0

    Error 0x80090308 The token supplied to the function is invalid

    -----------

     

    MS-ERREF

    0x80090308 SEC_E_INVALID_TOKEN The token supplied to the function is invalid.

     

    The product team will be reflecting this in a future refresh of the MS-ADTS document.

     

    Regards,

    Edgar

    Thursday, June 16, 2011 8:42 PM
    Moderator
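The answer above notes that a locked-out account and a wrong password both come back as LDAP result 49 (invalidCredentials); the only thing that separates them is the "data NNN" sub-error in the server's diagnostic string (data 775 in the captured output). The following is an added example, not code from the thread or from Microsoft, that parses that diagnostic string so a log pipeline can tell lockouts from plain bad passwords. The sub-error table is the well-known set of Windows AcceptSecurityContext codes; only 775 appears on this page, the rest are assumed from common documentation, and the log lines are constructed samples.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional, Iterable

# Well-known AcceptSecurityContext sub-error codes that Active Directory appends
# as "data NNN" (hex) to the invalidCredentials diagnostic message.
# Assumption: 775 is from the thread above; the others are the standard Windows values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the format seen in the thread:
# "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

class BindDiagnostic(NamedTuple):
    hresult: int   # e.g. 0x80090308 (SEC_E_INVALID_TOKEN per MS-ERREF)
    dsid: str
    data: str      # lower-case hex sub-error code
    reason: str

def parse_bind_diagnostic(msg: str) -> Optional[BindDiagnostic]:
    """Parse the server-side diagnostic returned with LDAP result 49, or None if absent."""
    m = _DIAG_RE.search(msg)
    if not m:
        return None
    data = m.group("data").lower()
    return BindDiagnostic(int(m.group("hresult"), 16), m.group("dsid"), data,
                          AD_BIND_SUBCODES.get(data, "unknown sub-error"))

def is_lockout(msg: str) -> bool:
    """True only when the bind failed because the account is locked out (data 775)."""
    d = parse_bind_diagnostic(msg)
    return d is not None and d.data == "775"

def summarize_bind_failures(lines: Iterable[str]) -> Counter:
    """Count bind failures by reason over a stream of captured diagnostic lines."""
    return Counter(d.reason for d in map(parse_bind_diagnostic, lines) if d is not None)

# Constructed sample lines; the first is copied from the thread's extended error output.
SAMPLE_LINES = [
    "Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0",
    "Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0",
    "Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0",
    "Error <49>: ldap_simple_bind_s() failed: Invalid Credentials",
]
```

Because the LDAP result code alone is identical in both cases, alerting on lockouts has to key on the parsed sub-error rather than on result 49.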

All replies

  • Hi Rajesh:

    I have created a case for this issue. A member of the protocol documentation team will be in touch soon.


    Regards, Obaid Farooqi
    Saturday, May 21, 2011 6:35 PM
    Owner
  • Rajesh,

    I am looking into this and will follow-up as soon as I have an update.

    Thanks,

    Edgar

    Tuesday, May 24, 2011 9:22 PM
    Moderator
  • Rajesh,

     

    Could you describe what you meant by “provided that group policy is configured”?

    I want to make sure I follow the same repro steps as in your scenario.

    During my testing in the lab, I tried Simple Bind with wrong password (lockoutThreshold number of times). I observed account lockout on contoso3\user1 after badPwdCount on user1 reaches the lockoutThreshold configured on the contoso3.com domain object. This follows the logic described in

    MS-GPSB

    2.2.1.2   Account Lockout Policies

    3.2.5.2   Account Lockout Policies

     

    Thanks,

    Edgar

    Thursday, May 26, 2011 9:42 PM
    Moderator
  • Hi Edgar,

    Thanks for the reply. Thank you for pointing to MS-GPSB document. Actually MS-ADTS does not contain any references to MS-GPSB.

    So we are unable to understand how the policy works. Don't you think that MS-ADTS should explain the relation between these documents?

    Rajesh

    Friday, May 27, 2011 9:21 AM
  • What errors will be returned by the server when the account is locked? Or if authentication fails for other reasons (other than a wrong password)?
    Saturday, May 28, 2011 12:51 PM
  • Rajesh,

    I am looking into this and will follow-up once my investigation is complete.

    Thanks,

    Edgar

    Tuesday, May 31, 2011 9:24 PM
    Moderator
  • Any update on this?
    Thursday, June 16, 2011 4:35 AM