Release Notes
Abstract
New setting for AD Account Lockout on Deployment Settings
Content
The Deployment Settings page in the MaaS360 Portal provides a new option called Enable MaaS360 Auto-Lockout. This option prevents a user from being locked out of their account due to repeated unsuccessful attempts to access the account. This option replaces the following options that Administrators currently use to stop authentication to Active Directory:
- Enable End User Password Attempt Limit is set to <Yes>.
- Failed Password Attempt Limit is set to <number of attempts>.
- Time to limit invalid password attempts to <duration>.
When the Enable MaaS360 Auto-Lockout check box is enabled, the Administrator must choose from the following options to prevent Active Directory account lockout for users:
- Number of failed password attempts allowed: Values are 3 (default), 5, 7, 10, or 25.
- Duration for account lockout (hours): Values are 1, 4 (default), 8, 12, or 24.
These options apply in Corporate Active Directory mode and in two-factor authentication mode.
Database tables
Two new database tables were created for this feature:
- USER_AD_AUTH_ATTMPT
This table contains all the failed attempts, by user. It does not record a domain because it is used primarily for LDAP, and it does not provide alias lookup because the User Visibility module does not have to be installed to use this feature.

| Column | Description |
| --- | --- |
| ORGANIZATION_ID | Organization ID |
| USER_NAME | The user name that is provided in the action. |
| NUM_FAILED_ATTMPTS | The number of times that the user has failed to access the account. |
| LAST_FAILED_ATTEMPTS | The last time that the user failed to access the account. |
When the Enable MaaS360 Auto-Lockout option is enabled, Cloud Extender checks each AD_AUTHENTICATE action against this table. On the first failed attempt, a new record is created in the USER_AD_AUTH_ATTMPT table with LAST_FAILED_ATTEMPT set. On each subsequent failed attempt, the NUM_FAILED_ATTMPTS column is incremented and the LAST_FAILED_ATTEMPT column is updated.
If an attempt succeeds, any record for that user in the USER_AD_AUTH_ATTMPT table is deleted.
The table is partitioned on ORGANIZATION_ID and has a local index on ORGANIZATION_ID and USER_NAME.
- USER_AD_AUTH_ATTMPT_HST
This table captures all the attempts that are made against Active Directory and is used for auditing purposes.

| Column | Description |
| --- | --- |
| ORGANIZATION_ID | Organization ID |
| USER_NAME | User Name |
| STATUS | Success or Failure |
| CREATE_DATE | Attempt date |

This table is range partitioned on CREATE_DATE for each month. This data is retained for 180 days.
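The bookkeeping described for the two tables, as an added example that is not IBM's or MaaS360's own code: a Python model that keeps USER_AD_AUTH_ATTMPT and USER_AD_AUTH_ATTMPT_HST in an in-memory SQLite database and walks one user through the failure counter, the lockout, the reset on success and the 180-day history purge. Everything beyond the release note is an assumption and is marked as such in the code: the class and function names (AutoLockout, ad_authenticate, purge_history), that a locked user is answered locally without contacting Active Directory, that the lockout window is measured from the last failed attempt and the counter starts over once it has elapsed, and that `password_ok` stands in for the verdict Active Directory would return. Partitioning and the local index are omitted because SQLite has no table partitioning.

```python
# Added example, not IBM code: a model of the MaaS360 Auto-Lockout bookkeeping
# using the two tables from the release note in an in-memory SQLite database.
import sqlite3
from datetime import datetime, timedelta

# Values offered on the Deployment Settings page (from the release note).
ATTEMPT_LIMITS = (3, 5, 7, 10, 25)
LOCKOUT_HOURS = (1, 4, 8, 12, 24)
HISTORY_RETENTION_DAYS = 180

# Column names follow the release note; types are assumed (SQLite has no partitioning).
SCHEMA = """
CREATE TABLE USER_AD_AUTH_ATTMPT (
    ORGANIZATION_ID      INTEGER NOT NULL,
    USER_NAME            TEXT    NOT NULL,
    NUM_FAILED_ATTMPTS   INTEGER NOT NULL,
    LAST_FAILED_ATTEMPTS TEXT    NOT NULL,
    PRIMARY KEY (ORGANIZATION_ID, USER_NAME)
);
CREATE TABLE USER_AD_AUTH_ATTMPT_HST (
    ORGANIZATION_ID INTEGER NOT NULL,
    USER_NAME       TEXT    NOT NULL,
    STATUS          TEXT    NOT NULL CHECK (STATUS IN ('Success', 'Failure')),
    CREATE_DATE     TEXT    NOT NULL
);
"""


class AutoLockout:  # hypothetical name; tracks failed AD_AUTHENTICATE actions per (org, user)
    def __init__(self, attempt_limit=3, lockout_hours=4):
        if attempt_limit not in ATTEMPT_LIMITS or lockout_hours not in LOCKOUT_HOURS:
            raise ValueError("value is not one offered on Deployment Settings")
        self.attempt_limit = attempt_limit
        self.lockout = timedelta(hours=lockout_hours)
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def _record(self, org_id, user_name):
        row = self.conn.execute(
            "SELECT NUM_FAILED_ATTMPTS, LAST_FAILED_ATTEMPTS FROM USER_AD_AUTH_ATTMPT "
            "WHERE ORGANIZATION_ID = ? AND USER_NAME = ?", (org_id, user_name)).fetchone()
        return None if row is None else (row[0], datetime.fromisoformat(row[1]))

    def _clear(self, org_id, user_name):
        self.conn.execute("DELETE FROM USER_AD_AUTH_ATTMPT WHERE ORGANIZATION_ID = ? "
                          "AND USER_NAME = ?", (org_id, user_name))

    def failed_attempts(self, org_id, user_name):
        rec = self._record(org_id, user_name)
        return 0 if rec is None else rec[0]

    def is_locked(self, org_id, user_name, now):
        """Assumption: locked while the limit was reached less than `lockout` ago."""
        rec = self._record(org_id, user_name)
        return rec is not None and rec[0] >= self.attempt_limit and now - rec[1] < self.lockout

    def ad_authenticate(self, org_id, user_name, password_ok, now):
        """One AD_AUTHENTICATE action. `password_ok` stands in for Active Directory's
        verdict. Returns 'locked', 'success' or 'failure'."""
        if self.is_locked(org_id, user_name, now):
            # Assumption: answered locally, AD is not contacted, so AD itself never
            # reaches its own lockout threshold and nothing is written to the history.
            return "locked"
        rec = self._record(org_id, user_name)
        if rec is not None and rec[0] >= self.attempt_limit:
            self._clear(org_id, user_name)  # assumption: window elapsed, start over
        status = "Success" if password_ok else "Failure"
        self.conn.execute("INSERT INTO USER_AD_AUTH_ATTMPT_HST VALUES (?, ?, ?, ?)",
                          (org_id, user_name, status, now.isoformat()))
        if password_ok:
            self._clear(org_id, user_name)  # any record for that user is deleted
            return "success"
        if self._record(org_id, user_name) is None:  # first failed attempt: new record
            self.conn.execute("INSERT INTO USER_AD_AUTH_ATTMPT VALUES (?, ?, 1, ?)",
                              (org_id, user_name, now.isoformat()))
        else:  # subsequent failure: increment and refresh the timestamp
            self.conn.execute(
                "UPDATE USER_AD_AUTH_ATTMPT SET NUM_FAILED_ATTMPTS = NUM_FAILED_ATTMPTS + 1, "
                "LAST_FAILED_ATTEMPTS = ? WHERE ORGANIZATION_ID = ? AND USER_NAME = ?",
                (now.isoformat(), org_id, user_name))
        return "failure"

    def history(self, org_id, user_name):
        """Audit rows for one user as (STATUS, CREATE_DATE) tuples, oldest first."""
        return [tuple(r) for r in self.conn.execute(
            "SELECT STATUS, CREATE_DATE FROM USER_AD_AUTH_ATTMPT_HST WHERE ORGANIZATION_ID = ? "
            "AND USER_NAME = ? ORDER BY CREATE_DATE", (org_id, user_name))]

    def purge_history(self, now):
        """Apply the 180-day retention; returns the number of audit rows removed."""
        cutoff = (now - timedelta(days=HISTORY_RETENTION_DAYS)).isoformat()
        return self.conn.execute("DELETE FROM USER_AD_AUTH_ATTMPT_HST WHERE CREATE_DATE < ?",
                                 (cutoff,)).rowcount


if __name__ == "__main__":  # constructed timeline for one user in organization 1
    al, t0 = AutoLockout(), datetime(2018, 11, 19, 9, 0, 0)
    for m in range(4):
        print(al.ad_authenticate(1, "alice", False, t0 + timedelta(minutes=m)))
    print(al.ad_authenticate(1, "alice", True, t0 + timedelta(hours=5)), al.history(1, "alice"))
```

The point the release note makes is visible in the fourth call: once the counter reaches the configured limit, even a correct password is answered with `locked` rather than forwarded, so Active Directory never accumulates the failures that would trigger its own account lockout. Since the same user name may be tried from several devices, the history table is what an auditor would query to see all attempts that actually reached the directory.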
Document Information
Modified date: 19 November 2018
UID: ibm10741225