Active Directory is a great centralized authentication service for security and compliance, but Macs, mobile devices, and remote access cause headaches.
it is used and saved. In the case of a mobile phone, someone will likely remember to change their email password but often forgets that the saved wireless password needs to change, as well.
If users don't connect to the wireless network at the office for a while and their password changes, the next time they do try to connect, the device issues the old password. Active Directory interprets the password as incorrect and locks out the users.
Tablets are commonly shared among designers and people doing user interface testing. If the tablet connects to the network, nobody stops to think about whose credential it's using -- until the person who last entered his username and password changes it. Then a forgotten device ends up locking an unsuspecting user's account.
Saving passwords in browsers, the Mac Keychain, and Windows Credential Manager, while convenient, complicates centralized authentication. Sometimes it takes days to discover where the bad password is stored. One person left his email account configured on his iPad and gave it to his father, who lived overseas. Lockouts occurred only when his father connected the iPad to the Internet; it took us literally months to discover what was going on.
Remote users have also had difficulties. For instance, someone might change a password via our webmail system and then turn around and attempt to authenticate to a VPN endpoint. If the endpoint is at a different data center that hasn't received the updated password via Active Directory replication, the user gets locked out.
I've tried a few things to improve the situation. We modified Active Directory replication settings to make them quicker. We also evaluated a variety of Active Directory reporting tools and put some into use.
For example, Lockout Status from Microsoft is simple, free, and helpful. It's a standalone .exe that requires no installation and allows for a quick view into which Domain Controller is getting bad password attempts. This speeds troubleshooting by reducing the amount of time it takes to determine where lockouts are occurring.
Centralized authentication can cause significant headaches for users and administrators alike. Even the most tech-savvy and self-sufficient people can occasionally be stymied. But user education can go a long way toward minimizing these problems. I don't plan to retreat from the policies and procedures we have in place, because they help protect the organization.
Cyber-criminals wielding advanced persistent threats have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today (free registration required).
Dan Tesch is an IT Director at a Chicago-area marketing firm. He's also a member of the Interop Advisory Board. Dan's technology experience began in the late 1980s in the publishing industry, and now includes networking, virtualization, storage and security. View Full Bio