IBM Support

New setting for AD Account Lockout on Deployment Settings

Release Notes


Abstract

New setting for AD Account Lockout on Deployment Settings

Content

The Deployment Settings page in the MaaS360 Portal provides a new option called Enable MaaS360 Auto-Lockout. This option prevents a user's Active Directory account from being locked out after repeated unsuccessful authentication attempts: once the configured number of failures is reached, MaaS360 stops forwarding that user's attempts to Active Directory for the configured duration. This option replaces the following options that Administrators currently use to stop authentication to Active Directory:

  • Enable End User Password Attempt Limit is set to <Yes>.
  • Failed Password Attempt Limit is set to <number of attempts>.
  • Time to limit invalid password attempts to <duration>.

Enable MaaS360 Auto-Lockout option

When the Enable MaaS360 Auto-Lockout check box is enabled, the Administrator must choose from the following options to prevent Active Directory account lockout for users:

  • Number of failed password attempts allowed: Values are 3 (default), 5, 7, 10, or 25.
  • Duration for account lockout (hours): Values are 1, 4 (default), 8, 12, or 24.

These options apply to corporate Active Directory mode and to two-factor authentication mode.

Database tables

Two new database tables were created for this feature:

  • USER_AD_AUTH_ATTMPT

    This table contains all the failed attempts per user. It has no domain column, because it is used primarily for LDAP, and no alias lookup, because the User Visibility module does not have to be installed to use this feature.

    Column                Description
    ORGANIZATION_ID       Organization ID
    USER_NAME             The user name that is provided in the action.
    NUM_FAILED_ATTMPTS    The number of times that the user has failed to access the account.
    LAST_FAILED_ATTEMPTS  The last time that the user failed to access the account.


    When the Enable MaaS360 Auto-Lockout option is enabled, Cloud Extender checks against each AD_AUTHENTICATE action. If this is a first failed attempt, then a new record is created in the USER_AD_AUTH_ATTMPT table with the LAST_FAILED_ATTEMPT updated.

    With subsequent failed attempts, the NUM_FAILED_ATTMPTS column is incremented and the LAST_FAILED_ATTEMPT column is updated.

    If there is a successful attempt, any record for that user in the USER_AD_AUTH_ATTMPT table is deleted.

    The table is partitioned on ORGANIZATION_ID, with a local index on ORGANIZATION_ID and USER_NAME.

  • USER_AD_AUTH_ATTMPT_HST

    This table captures all the attempts that are made against Active Directory and is used for auditing purposes.

    Column           Description
    ORGANIZATION_ID  Organization ID
    USER_NAME        User Name
    STATUS           Success or Failure
    CREATE_DATE      Attempt date

    This table is range-partitioned on CREATE_DATE, one partition per month. The data is retained for 180 days.
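The bookkeeping described above (create a record on the first failure, increment and update the timestamp on later failures, delete the record on success, write every forwarded attempt to the history table, and refuse to forward once the threshold is reached within the lockout window) can be followed end to end in the following simulation. It is an added example, not MaaS360 or Cloud Extender code: the table and column names come from this note, while the SQLite schema, the AutoLockout class, its method names, the verify_with_ad callback that stands in for the real AD_AUTHENTICATE action, and the rule that a failure arriving after the lockout window has elapsed starts a fresh count are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Table and column names follow the release note; the SQLite schema, the class and
# method names, and the window-expiry behaviour are assumptions for this example.
SCHEMA = """
CREATE TABLE USER_AD_AUTH_ATTMPT (
    ORGANIZATION_ID      INTEGER NOT NULL,
    USER_NAME            TEXT    NOT NULL,
    NUM_FAILED_ATTMPTS   INTEGER NOT NULL,
    LAST_FAILED_ATTEMPTS TEXT    NOT NULL,   -- ISO-8601 timestamp
    PRIMARY KEY (ORGANIZATION_ID, USER_NAME)
);
CREATE TABLE USER_AD_AUTH_ATTMPT_HST (
    ORGANIZATION_ID INTEGER NOT NULL,
    USER_NAME       TEXT    NOT NULL,
    STATUS          TEXT    NOT NULL,        -- 'Success' or 'Failure'
    CREATE_DATE     TEXT    NOT NULL
);
"""


class AutoLockout:
    """Gate in front of the AD authenticate action: stop forwarding a user's
    credentials to Active Directory once too many recent failures were seen."""

    def __init__(self, max_failed=3, lockout_hours=4):
        # 3 attempts and 4 hours are the defaults listed on the Deployment Settings page
        self.max_failed = max_failed
        self.lockout = timedelta(hours=lockout_hours)
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _record(self, org_id, user):
        return self.db.execute(
            "SELECT NUM_FAILED_ATTMPTS, LAST_FAILED_ATTEMPTS FROM USER_AD_AUTH_ATTMPT "
            "WHERE ORGANIZATION_ID = ? AND USER_NAME = ?", (org_id, user)).fetchone()

    def failed_count(self, org_id, user):
        row = self._record(org_id, user)
        return row[0] if row else 0

    def history_count(self, org_id, user):
        return self.db.execute(
            "SELECT COUNT(*) FROM USER_AD_AUTH_ATTMPT_HST "
            "WHERE ORGANIZATION_ID = ? AND USER_NAME = ?", (org_id, user)).fetchone()[0]

    def is_locked(self, org_id, user, now):
        row = self._record(org_id, user)
        if row is None:
            return False
        count, last = row[0], datetime.fromisoformat(row[1])
        return count >= self.max_failed and now - last < self.lockout

    def authenticate(self, org_id, user, verify_with_ad, now):
        """verify_with_ad(user) stands in for the real AD bind (assumption).
        Returns 'locked', 'success' or 'failure'."""
        if self.is_locked(org_id, user, now):
            return "locked"            # not forwarded, so AD never sees this failure
        ok = verify_with_ad(user)
        # every attempt actually made against AD is written to the audit table
        self.db.execute(
            "INSERT INTO USER_AD_AUTH_ATTMPT_HST VALUES (?, ?, ?, ?)",
            (org_id, user, "Success" if ok else "Failure", now.isoformat()))
        if ok:
            # a successful attempt deletes the user's failure record
            self.db.execute(
                "DELETE FROM USER_AD_AUTH_ATTMPT WHERE ORGANIZATION_ID = ? AND USER_NAME = ?",
                (org_id, user))
            return "success"
        row = self._record(org_id, user)
        # Assumption: a failure after the lockout window has elapsed starts a fresh count
        if row is None or now - datetime.fromisoformat(row[1]) >= self.lockout:
            self.db.execute(
                "INSERT OR REPLACE INTO USER_AD_AUTH_ATTMPT VALUES (?, ?, 1, ?)",
                (org_id, user, now.isoformat()))
        else:
            self.db.execute(
                "UPDATE USER_AD_AUTH_ATTMPT SET NUM_FAILED_ATTMPTS = NUM_FAILED_ATTMPTS + 1, "
                "LAST_FAILED_ATTEMPTS = ? WHERE ORGANIZATION_ID = ? AND USER_NAME = ?",
                (now.isoformat(), org_id, user))
        return "failure"


if __name__ == "__main__":
    gate = AutoLockout()
    start = datetime(2018, 11, 19, 9, 0)   # constructed timestamps
    for minute in range(4):
        # three wrong passwords, then the fourth attempt is refused locally
        print(gate.authenticate(1, "alice", lambda u: False, start + timedelta(minutes=minute)))
```

The value of the gate comes from its threshold being lower than the Active Directory lockout threshold for the same accounts: the fourth attempt in the run above is answered locally as "locked" and never reaches AD, so the AD counter stays below its own limit. The history table only records attempts that were actually forwarded, matching the note's description of USER_AD_AUTH_ATTMPT_HST; attempts refused by the gate would have to be logged elsewhere if they are wanted for detection.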


Document Information

Modified date:
19 November 2018

UID

ibm10741225