Question

Enable Account Lockout Threshold on Windows Accounts - 10.2

asked on February 12, 2018

Hello,

 

I've enabled "Account Lockout Threshold" in the Administration Console, but it doesn't seem to disable Windows Authentication users. In fact, there appears to be no option to disable a Windows Authentication user, only to change their "Authentication" from "Trusted" to "Denied."

 

Am I missing something, or does Windows Authentication bypass this basic security setting that would be present on a standard Repository User? Is this something that needs to be managed from my Windows AD using GPO instead? If so, would an attempt to log in to LF lock a user out of the domain until my GPO reset time is reached or I manually unlock the account in AD?

 

Thank you!


Answer

SELECTED ANSWER
replied on February 12, 2018

All logon attempts for Windows users go through AD (even though it may not appear so to the user), so AD would manage account lockout in this case.


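One way to confirm the behaviour described in the answer above, as an added example that is not part of the original thread: read the lockout policy that AD actually enforces, then check that a single failed web-client logon raises the account's bad-password counter. It assumes the RSAT ActiveDirectory module is installed and uses `lf-test-user` as a placeholder for a dedicated test account.

```powershell
# Added example: verify that AD lockout policy covers a Windows account used for
# web-client logons. 'lf-test-user' is a placeholder, not a name from the thread.
Import-Module ActiveDirectory

$TestUser = 'lf-test-user'   # assumption: a dedicated, non-production test account

# badPwdCount is not replicated between domain controllers; failed attempts are
# forwarded to the PDC emulator, so query it for the authoritative value.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Domain default policy. A LockoutThreshold of 0 means accounts never lock out.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$policy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Default domain policy has LockoutThreshold 0: no lockout is enforced.'
}

# 2. A fine-grained password policy, if one applies to the user, overrides the default.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $TestUser -Server $pdc
if ($fgpp) {
    $fgpp | Select-Object Name, LockoutThreshold, LockoutObservationWindow, LockoutDuration
}

# 3. Snapshot the counters, make ONE failed logon in the web client, compare.
function Get-LockoutState {
    param([string]$Identity, [string]$Server)
    Get-ADUser -Identity $Identity -Server $Server `
        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut |
        Select-Object SamAccountName, badPwdCount, LastBadPasswordAttempt, LockedOut
}

$before = Get-LockoutState -Identity $TestUser -Server $pdc
Read-Host 'Enter one wrong password for the test account in the web client, then press Enter'
$after = Get-LockoutState -Identity $TestUser -Server $pdc
$before, $after | Format-Table -AutoSize

if ($after.badPwdCount -gt $before.badPwdCount) {
    'Failed web logon was counted by AD; the lockout policy above applies to it.'
} else {
    Write-Warning 'badPwdCount did not change; check how the application validates the password.'
}

# 4. Lockouts recorded on the PDC emulator in the last day (event ID 4740).
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Message
```

AD does not increment the counter when the wrong password matches one of the account's two most recent previous passwords, so use a value the test account has never had.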
Replies

replied on February 12, 2018

Windows account lockout is not managed by Laserfiche, but by your Active Directory settings.

When the user checks the "Use Windows authentication" box, they're already logged into Windows, so there wouldn't be an invalid logon attempt to your AD.

replied on February 12, 2018

Miruna, we are using the HTML application instead of the x86 application. When attempting to log in that way, it requires that you type in the password if you do not enable SSO (or are connecting from a Mac). In that situation, it appears to allow you to try as many passwords as you want and ignore lockout policies if you have a user that uses Windows Authentication.

In this case, would AD manage the lockout attempts (i.e. does it forward to AD), or would this allow for a brute force attack regardless of AD settings?
