During single sign on to eDir/AD, the user is locked out of AD domain

  • 7007680
  • 22-May-2012
  • 22-May-2012

Environment

Novell Client 2 SP2 for Windows 7
Microsoft Active Directory Domain
Citrix Server (Optional)

Situation

User is locked out of the Active Directory domain.

A logon failure with Event ID 529, Logon Type 10, is logged when the workstation attempts to authenticate to the AD domain.

The expected behavior is that users log in seamlessly to Novell eDir and Microsoft AD. If so configured, Citrix applications are populated to the desktop and launch as expected.

Intermittently, when a user logs in, "something" goes wrong in the AD authentication process, which results in either:

a) the user is unexpectedly prompted to log on to AD even though the eDir authentication, using the same credentials (i.e. the username and password are the same in eDir and AD), already succeeded. Sometimes the user can enter their AD credentials (the same ones they just entered to authenticate to eDir) and the AD logon completes and all is well. Other times, the user enters their AD credentials when prompted, the logon still fails, and the user is locked out of AD. (The Windows account lockout threshold is set to 4.) Or,

b) the user is not prompted to log on to AD at all, and is simply locked out of his/her AD account without warning.

Resolution

Change the Kerberos configuration to use TCP on every authentication attempt (instead of UDP).

The documentation describing the problem and fix is http://technet.microsoft.com/en-us/library/cc779511%28v=ws.10%29.aspx and http://support.microsoft.com/kb/244474.
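The registry change that KB 244474 documents for forcing the Windows Kerberos client onto TCP, as an added PowerShell example for this TID (not Novell or Microsoft code): it reads the current MaxPacketSize value under the Kerberos Parameters key, sets it to 1 if needed, and reports the before/after state. It assumes an elevated prompt on the affected Windows 7 workstation; the Novell Client's own settings are not touched.

```powershell
# Force the Windows Kerberos client to use TCP for every KDC exchange (KB 244474).
# Added example for this TID. Run from an elevated PowerShell prompt on the
# workstation that shows the UDP-then-TCP retry in the LAN trace; reboot afterwards.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'MaxPacketSize'
$ForceTcp   = 1   # messages larger than this many bytes go over TCP, i.e. always TCP

function Get-KerberosTransportSetting {
    # Returns the current MaxPacketSize DWORD, or $null when the value is not set
    # (not set = the Windows default behaviour observed in the trace).
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KerberosForceTcp {
    # Creates the Parameters key if it is missing, then writes MaxPacketSize = 1.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord `
        -Value $ForceTcp -Force | Out-Null
}

$before = Get-KerberosTransportSetting
if ($before -eq $ForceTcp) {
    Write-Output "MaxPacketSize is already $ForceTcp; Kerberos is forced to TCP on this host."
} else {
    $shown = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Output "MaxPacketSize before: $shown"
    Set-KerberosForceTcp
    Write-Output ("MaxPacketSize after:  {0}  (reboot required to take effect)" -f (Get-KerberosTransportSetting))
}
```

After the reboot, a fresh LAN trace should show the AS-REQ/TGS-REQ exchanges going straight over TCP with no preceding UDP attempt and no KRB5KRB_ERR_RESPONSE_TOO_BIG reply.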

Cause

In a LAN trace, you will see Kerberos authentication packets being sent first over UDP and then repeated over TCP. Kerberos errors include:
KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG, in response to the UDP request, which prompts Windows to try the authentication a second time, with TCP.

KRB Error: KRB5KDC_ERR_PREAUTH_FAILED, which seems to mean that the password is wrong but the account is not locked out yet.

KRB Error: KRB5KRB_ERR_CLIENT_REVOKED NT Status: STATUS_ACCOUNT_LOCKED_OUT, meaning the account is locked due to the authentication attempt failures.