Account lockout from a computer without a line of site to active directory VIA MECM

Rahamim Levi 366 Reputation points
2020-12-10T15:20:00.177+00:00

Hi everyone

Here is a weird story: Since COVID, most of our domain laptops haven't arrived to the office to connect to active directory. Meaning, users who still wanted to work had to use 2 different passwords - 1 for the local computer (because there is no line of site to AD and it is the password they had last time they were connected to the LAN). 2 for accessing data (office 365, RDS via VPN etc...) which they can change remotely (Password write back)
Everything works and the users understand the need for 2 passwords. The weird part is, users get locked out from their own computers... We found that out with using AD monitoring for account lockout, Checking the user's home ISP IP address and our firewall to see what the IP address is trying to access in our network. We still use IBCM and we have a DMZ MECM server to manage those computers, and the clients send and receive data from that server. Apparently, the computer accessed the DMZ server in some way and forwarded credentials to AD.

Has anyone encountered this? If we can use this to update the cached password it would be even better.

Kind regards, Rahamim

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,724 questions
Microsoft Configuration Manager
{count} votes

Accepted answer
  1. Daisy Zhou 17,991 Reputation points Microsoft Vendor
    2020-12-29T03:13:15.913+00:00

    Hello @Rahamim Levi ,

    I once again carefully reviewed the entire post information, my understanding now is this.

    1.The user PC have not connected to AD domain;
    2.But when the user's password was about to expire and the user was forced to change the password via office 365 password writeback system and without line of site to the domain controllers.
    3.The new password will be write back to AD domain.
    4.The users use old credential to logon their PCs (MECM clients) and the MECM client is using Integrated Windows Authentication to send messages to MECM DMZ server.
    5.Because there is no such user credentials on MECM DMZ server, the MECM DMZ server can not authenticate those user account and password, then MECM DMZ server will pass the credentials (there are user accounts and old passwords on DCs) to the domain controller (there are user accounts and new passwords on DCs) for authentication. At last, the authentication will fail, so the account will be locked out.

    If anything I misunderstood, please correct me.

    If my understanding is correct, here is my suggest for your reference.

    1.Prevent MECM clients from communicating with MECM server.

    2.Or make MECM clients connect to AD one time via VPN, after the user logon MECM clients using new credentials, we can stop using VPN again.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


6 additional answers

Sort by: Most helpful
  1. Rahamim Levi 366 Reputation points
    2020-12-24T13:56:35.38+00:00

    Found something causing the credential attempt:

    In the file CCMMessaging.log I found the failed attempts to use the user with the cached credentials.
    I'm attaching the part of the log that showed the failed attempt. I also copied the entire CCM logs folder to have a "Snapshot" of the situation during the time of the issue

    51143-ccmmessaging.log

    Rahamim.


  2. Rahamim Levi 366 Reputation points
    2020-12-28T17:22:22.87+00:00

    Thank you @Daisy Zhou

    I just realized That I used the wrong terminology.
    The MECM client is using Integrated Windows Authentication to send messages to the management point which is MECM DMZ server that is what I attached in my last answer. (Personal details have been removed.)
    The problem is, The user's password was about to expire and the user was forced to change the password without line of site to the domain controllers.(We are in a hybrid mode and do not use VPN for security concerns. The users are able to change their password via office 365 password writeback system). Since the user changed their password it uses 2 passwords. 1 is what was set against the domain the last time the computer had a line of site and one that was set via office 365 password change service.
    The client is using the old password as shown below:

    Post using domain\testuser security context failed due to Integrated Windows Authentication failure (CcmMessaging)
    Post to https://MECM-DMZ.Domain.com/ccm_system_windowsauth/request failed with 0x80070005. (CcmMessaging)

    I hope this clears my problem

    Rahamim.

    0 comments No comments