07-02-2018 09:47 AM
We've had GlobalProtect in production for a while now, but it has just recently been brought to my attention that we are having a lot of users locking their accounts out.
The GP client prompts them for their AD username/password. Maybe they fat-finger their password or whatever. The GP client never gives them any indication of any issue, other than just prompting for credentials again. I have users that are failing logins 30-40 times within a couple of hours. Of course AD is locking their account out, but the end user has no idea. All they know is they are continuing to get prompted for creds.
Has anyone run into this situation? Any suggestions?
Most clients are using 3.1.3 while some are using 4.0.6. I am using always-on mode and the same Kerberos profile to authenticate to both the portal and the gateway. I'm pretty sure that having them plug in their password twice is overkill and adding to the issue. My security team would need some other way to auth to mitigate. I want to use pre-logon tunnel and device certs, but we just aren't there yet.
Any help or suggestions would be greatly appreciated!
Thanks,
Jonathan
07-02-2018 09:55 AM
Not sure what the solution would be, but the lockout should be temporary if you are following current recommendations as far as AD goes. The pre-logon with device cert auth would be the solution here as far as I'm aware, but the AD change would at least make it a little less of an issue.
07-02-2018 11:54 AM
I don't know what MS recommendations are for AD, but our security team requires AD accounts to be manually unlocked.
I agree with you about the pre-logon tunnel, but it's another 6-8 months out for me. I was hoping to find a band-aid until then. Thanks for your help.
07-02-2018 11:56 AM
Will LDAP give a return like that? When I opened a case with PA TAC they told me it wouldn't. We've only used Radius for RSA and Kerberos, so I have not tested LDAP.
Using a secure cookie would reduce a login prompt. Not sure if my security team will go for it, but it's an idea. Thank you.
07-02-2018 12:11 PM
A return like what? Not sure what you mean.
LDAP just compares user vs. password and gets a yes or no; this is not registered against auth attempts on AD.
Regarding cookies, I cannot see the benefit of using the same credentials twice. I can understand it if using different auth profiles for portal and gateway, but you seem not to be doing this.
Looking forward to your portal config...
07-02-2018 12:46 PM
Looking forward to your portal config
Sorry.... wrong thread....
07-02-2018 12:56 PM
I guess my ultimate wish would be to be able to get some sort of an error or message to the end user. Anything but a continual prompt for their creds. I have about 200 users on my portal, and I have about 15 that have multiple lockouts over the past 3 days.
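Since the client itself gives no feedback, one band-aid that is not in the thread is to watch the authentication failures on the firewall side and warn the helpdesk (or the user) before AD reaches its lockout threshold. The script below is an added example, not code from the original posts or from Palo Alto Networks. The log format it parses is constructed for the example and is not the PAN-OS system-log format; the 30-minute window and the warn-at-5 threshold are assumptions standing in for a site's own AD lockout policy. It also accounts for the point raised above that one GP logon with the same Kerberos profile on portal and gateway can produce two failures per typo.

```python
"""Flag GlobalProtect users whose failed logons are approaching an AD
lockout, so someone can reach them before AD locks the account.

Added example.  SAMPLE_LOG is constructed and does NOT match the real
PAN-OS system-log format; adapt parse_line() to your own export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, user, outcome.  Not real firewall output.
SAMPLE_LOG = """\
2018-07-02T08:00:05 user=jdoe result=success
2018-07-02T08:01:10 user=asmith result=fail
2018-07-02T08:01:12 user=asmith result=fail
2018-07-02T08:03:40 user=asmith result=fail
2018-07-02T08:03:42 user=asmith result=fail
2018-07-02T08:05:01 user=bjones result=fail
2018-07-02T08:10:33 user=asmith result=fail
2018-07-02T09:30:00 user=bjones result=fail
2018-07-02T11:45:00 user=asmith result=fail
"""


def parse_line(line):
    """Return (timestamp, user, result) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        user = parts[1].split("=", 1)[1]
        result = parts[2].split("=", 1)[1]
    except (ValueError, IndexError):
        return None
    return ts, user, result


def failures_in_window(log_text, window=timedelta(minutes=30), warn_at=5):
    """Return {user: peak_failures} for every user who accumulated at least
    `warn_at` failures inside any sliding `window`.

    Assumed policy (hypothetical): AD resets its bad-password counter after
    30 minutes.  Because a single GP logon that fails on the portal and
    then the gateway shows up as two failures, set warn_at comfortably
    below the AD lockout threshold divided by two.
    """
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "fail":
            events.append(parsed)
    events.sort()  # tolerate out-of-order export

    recent = defaultdict(deque)  # user -> timestamps of failures in window
    peaks = {}
    for ts, user, _ in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= warn_at:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


if __name__ == "__main__":
    for user, count in sorted(failures_in_window(SAMPLE_LOG).items()):
        print(f"WARN {user}: {count} failed logons in 30 min, contact before lockout")
```

Run against a real export, the output is the list to hand to the helpdesk; it does nothing to the accounts themselves and is only a stopgap until pre-logon with device certificates removes the password prompt.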