ALE not showing every lockout


9 replies to this topic

#1 briguy

briguy

    Newbie

  • Members
  • 5 posts

Posted 28 August 2013 - 02:02 PM

I'm running ALE 4.1.380 on Server 2008 R2. I really like the product but I've had a few instances where users contacted me about a lockout and they weren't listed in the GUI. I checked AD and they were locked out. I manually added them to the GUI and it showed they were locked out but every other field was blank (which makes sense since it never captured the event). Since then I have been randomly checking lockouts in PowerShell (Search-ADAccount -LockedOut) and comparing it to the GUI. I typically have about 8-10 lockouts in the GUI at any one time (we auto unlock after 30 minutes) but am missing another 2-4. Other than Guest which is perpetually locked out, there doesn't seem to be anything crazy going on in the security logs that the app wouldn't be able to keep up with. The CPU was going a little crazy until I made the registry changes below but CPU and memory look good now. I am getting most of the events and from all DCs so it wouldn't be an access issue with the account running the service.

Here's what I've done so far:
1. I tried both monitoring all DCs (6 total - 4 local and 2 remote connected with dark fiber) and only the PDC Emulator. When I tried just the PDC, I used the MS Account Lockout Tools to verify the lockout was reported by the PDC for accounts that were missing from the GUI.
2. Registry changes:
- set readLog to 0 (currently 0 because the DCs show Reading Log in the GUI otherwise)
- UseWMi - tried both 0 and 1 (currently 0)
- lowering InvLogonCleaningPeriod from the default of 30 (currently 4)
- lowering InvLogonKeepTime from the default of 30 (currently 4)
- added PF_Enabled and set to 0
- added UseWatcher and set to 1

Any suggestions would be very welcome. I have been through the knowledge base articles which were very helpful but I don't see anything addressing this exact issue. I really want to give this to the helpdesk because they don't have permission to read DC event logs so can't use the MS AL Tools. They've tested it and love it but I can't deploy it when we're missing lockouts.

Thanks - Brian

#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender:Male

Posted 29 August 2013 - 11:39 AM

Hello,

Give this build a try which was made to address some issues with lockout events not getting collected.

Console http://www.netwrix.c...3/ale_setup.msi
Web-portal http://www.netwrix.c...e_web_setup.msi

-Jeff

#3 briguy

briguy

    Newbie

  • Members
  • 5 posts

Posted 29 August 2013 - 02:44 PM

Thanks for the response and links. I installed the new version and I'm afraid the outcome is the same. I also went through steps 1 and 2 outlined above. Each time I changed anything, I checked the current lockouts in PowerShell and unlocked them all to make sure we were starting from scratch. Right now I have 6 lockouts in the GUI and PowerShell shows me 9.

EDITED TO ADD: On this new build, when I try to switch between All DCs and PDC Only, the entire program locks up and I have to kill the process (service won't stop). Also, I never actually did test with PDC Only. It turns out the change was never saved. It won't let me make any changes to the monitored DCs.

Below is the error I eventually get when I click OK on the Settings window after changing the monitored DCs:
---------------------------
Please make sure that ALService is up and running
---------------------------
This request operation sent to net.pipe://localhost/ALService/Settings did not receive a reply within the configured timeout (00:02:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

#4 jeffb

jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender:Male

Posted 29 August 2013 - 04:33 PM

briguy,

Perhaps this KB will help with the latency/locking up of the console:
http://www.netwrix.com/kb/1578

I know you have done some of this already.

As for the accounts not showing up, there is a workaround. As you mentioned, when you do a search they show up but without info (because we miss the event).

You can add this registry key and set it to 1 so they show up regardless of if the event was tracked or not:
DontWaitLockoutEventToAddLockedAccount DWORD with value of 1

It almost seems like the service is getting hammered with so many invalid logins that it can't keep up sometimes. Perhaps taking a look at the tracing logs in the program install directory will shed some light on what is happening throughout most of the day with regards to invalid logins.

#5 briguy

briguy

    Newbie

  • Members
  • 5 posts

Posted 29 August 2013 - 05:34 PM

Jeff,

Thanks for the direction. I know this is a free product now and appreciate your time. I'll check through the KB article and change the value for picking up all lockouts. Having an empty event is much better than no event at all. I'll also look through the trace logs to see if anything weird is going on. Even though Guest is disabled, it gets locked out over and over all day. Maybe I'll rename it or move it to our Admins OU where accounts need to be manually unlocked.

Out of curiosity, do you think our issue is related to running 2008 R2? If so, I would consider setting up a new VM with 2008 or (gasp) 2003.

Thanks,
Brian

#6 jeffb

jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender:Male

Posted 03 September 2013 - 01:37 PM

Brian,

I don't believe this is related to 2008R2 as most customers are running that OS from my experience and it is definitely not a relatively common issue reported. I look forward to your results.

#7 briguy

briguy

    Newbie

  • Members
  • 5 posts

Posted 03 September 2013 - 03:40 PM

Jeff,

We still have the same issue. Changing the reg key to pick up all lockouts didn't really work. Occasionally, we would see a blank entry show up in the list but we're still missing maybe 10-15% of lockouts.

I checked the trace logs and found several issues:

1. We get a lot of lockouts from workstation "CISCO". We don't have a workstation by that name so I assume these are from RADIUS for wireless login attempts. It was trying to resolve "CISCO" every time and failing. I added a local entry to HOSTS so it at least thought it was resolving it and that removed those errors from the log.

2. There are quite a few login failures for the Guest account, maybe 10-20 a second. I'm not sure how to avoid those. Renaming the account may resolve it but I need to get permission from my manager first and he is on vacation. However, it doesn't seem *that* excessive to me.

3. I get this error a lot, maybe 20 a second (bold text changed to be anonymous). It's always the same user but it's all of the domain controllers. I checked the account and the last section of numbers on this user's SID is 4 characters when every other user is 5. We acquire a lot of companies and migrate the users so this could be the result of a hiccup during a bulk migration. Maybe your tool requires the SID be a certain number of characters?

ALEService.exe Warning: 0 : [TID: 5, Time: 9/3/2013 11:12:52 AM] ACCOUNT MANAGEMENT: System.ComponentModel.Win32Exception: The format of the specified domain name is invalid
at ALService.Infrastructure.NTAccountHelper.GetFQDNFromNetbios(String netbiosName)
at ALService.Infrastructure.SidExtensions.GetSid(NTAccount account, String dcName)
ALEService.exe Warning: 0 : [TID: 5, Time: 9/3/2013 11:12:52 AM] CORE: System.Exception: Cannot translate NTAccount DOMAIN\username to SID on 'dc.domain.com'
at ALService.Infrastructure.SidExtensions.GetSid(NTAccount account, String dcName)
at ALService.EventWatch.DCSpyEventArgs.GetSid()

Suggestion: it would be nice if we could have a way to ignore certain users. Maybe have a security group whose members are automatically ignored or a flag we could set in an AD attribute.

Thanks,
Brian

#8 jeffb

jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender:Male

Posted 04 September 2013 - 06:13 PM

Brian,

20 invalid logins per second is pretty high in the scope of our Account Lockout Examiner service. So any workaround or fix to remedy that situation would definitely not hurt the situation and could only help.

"Maybe your tool requires the SID be a certain number of characters?"
No, that shouldn't be an issue. Typically accounts with a 4-character ID are built-in accounts.

One more thing you could try if you have an extra machine is to throw this older version of ALE on it as a test. This version historically used a different algorithm to grab events and to our knowledge never had issues with missing account lockouts like version 4 sometimes does. Give this one a shot perhaps?

http://www.netwrix.c...7/ale_setup.msi
http://www.netwrix.c...e_web_setup.exe

License name: NetWrix_Freeware
License count: 20000
License code: 8a35d1-f2f5f6-e513cb-b10d7f-e66366

#9 briguy

briguy

    Newbie

  • Members
  • 5 posts

Posted 05 September 2013 - 12:53 PM

Jeff,

Can you check the version on the v3 Web Portal? It's giving me an error: "Error connecting to the NetWrix Account Lockout Examiner Framework Service", which the KB says means the web version is older than the ALE. It's also uninstalling the ALE service during the web install.

Thanks,
Brian

EDITED TO ADD: I cleared all of the current lockouts in the domain and am watching the ALE console. Out of the first 8-10 lockouts to occur, I'm still missing 2 of them in the console.

EDIT #2: Thanks for your help Jeff, but we decided to just write our own product in PowerShell and that is working well for us.
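The check Brian describes in the first post (Search-ADAccount -LockedOut versus what the tool captured from the PDC emulator) and the home-grown PowerShell he mentions in his last edit both come down to the same comparison. The script below is an added example, not Netwrix's code or Brian's script: it pulls event ID 4740 from the PDC emulator for the 30-minute auto-unlock window, compares it with the accounts AD currently reports as locked, and flags any lockout with no captured event, while skipping the perpetually locked Guest account. It assumes the ActiveDirectory module, read access to the PDC emulator's Security log, and the standard 4740 event data field names (TargetUserName for the account, TargetDomainName for the caller computer).

```powershell
# Added example (not Netwrix's or the poster's code): find AD lockouts that have no 4740 event
# on the PDC emulator in the last N minutes. Assumes the ActiveDirectory module and rights
# to read the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutGap {
    param(
        [int]$MinutesBack = 30,               # matches the 30-minute auto-unlock window in the thread
        [string[]]$IgnoreAccounts = @('Guest') # constantly locked out and disabled, so pure noise here
    )
    # Every lockout in the domain is recorded on the PDC emulator, so query only that DC.
    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue   # "No events were found" is reported as an error; treat as empty

    # Newest 4740 per account, with the caller computer (e.g. the "CISCO" RADIUS source).
    $seen = @{}
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = $data['TargetUserName']
        if ($IgnoreAccounts -contains $user) { continue }
        if (-not $seen[$user] -or $seen[$user].Time -lt $e.TimeCreated) {
            $seen[$user] = [pscustomobject]@{ Time = $e.TimeCreated; Caller = $data['TargetDomainName'] }
        }
    }

    # What AD says is locked right now: the same check the first post ran by hand.
    $locked = Search-ADAccount -LockedOut |
              Where-Object { $IgnoreAccounts -notcontains $_.SamAccountName }

    foreach ($acct in $locked) {
        $ev = $seen[$acct.SamAccountName]
        [pscustomobject]@{
            Account        = $acct.SamAccountName
            EventCaptured  = [bool]$ev
            LockedAt       = if ($ev) { $ev.Time }   else { $null }
            CallerComputer = if ($ev) { $ev.Caller } else { 'no 4740 event in window' }
        }
    }
}

# Accounts with EventCaptured = False are the ones a log-reading tool would have missed.
Get-LockoutGap | Sort-Object EventCaptured | Format-Table -AutoSize
```

An account locked for longer than the window (for example one in an OU without auto-unlock) will show no event simply because its 4740 is older than $MinutesBack; widen the window when checking those.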
