[Exchange] RE: Account lockout from CAS

[Kennedy, Jim]

Beat the user.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Benway
Sent: Wednesday, November 12, 2014 8:02 AM
To: exchange@lists.myitforum.com
Subject: [Exchange] RE: Account lockout from CAS

Can't because the partnership was already removed. :(

jb

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael B. Smith
Sent: Tuesday, November 11, 2014 4:45 PM
To: exchange@lists.myitforum.com
Subject: [Exchange] RE: Account lockout from CAS

Wipe the device.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Benway
Sent: Tuesday, November 11, 2014 4:41 PM
To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com>
Subject: [Exchange] RE: Account lockout from CAS

So what I'm hearing is if there is a device that the user can't get access to 
for some reason and it has activesync setup with a bad password. I might just 
continue to lock the user out and there is nothing we can do but block the IP 
or change the username?

We've been blocking IP's right now but one of the devices keeps moving so the 
IP changes almost daily

Urg

jb

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, November 11, 2014 4:16 PM
To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com>
Subject: [Exchange] RE: Account lockout from CAS

Two different things.

A partnership is an object attached to an AD user that defines the 
folders/items/etc. attached to a specific device, by useragent and serialnumber.

Disabling activesync indicates that a particular authenticated user is not 
authorized to perform activesync. However, the user must still be authenticated 
prior to making the authorization decision.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, November 11, 2014 4:09 PM
To: 'exchange@lists.myitforum.com'
Subject: [Exchange] RE: Account lockout from CAS

It will log as disabled so I would hope it won't get to do a password attempt. 
But I am unsure.

User "MungedUser" cannot synchronize their mobile phone with their mailbox 
because  Exchange ActiveSync has been disabled for this user.



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Benway
Sent: Tuesday, November 11, 2014 4:05 PM
To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com>
Subject: [Exchange] RE: Account lockout from CAS

Once I remove the partnership and bounce the CAS, will that device be able to 
try to authenticate with a bad password enough to lock an account?

jb

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim
Sent: Tuesday, November 11, 2014 3:55 PM
To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com>
Subject: [Exchange] RE: Account lockout from CAS

Regarding the activesync partnerships bounce the CAS, the connections often 
have a life of their own.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Benway
Sent: Tuesday, November 11, 2014 3:50 PM
To: exchange@lists.myitforum.com<mailto:exchange@lists.myitforum.com>
Subject: [Exchange] Account lockout from CAS


We have a handful of users getting their accounts locked out multiple times a 
day. We've looked the security logs on the CAS and can see the external IPs 
locking these account, in some cases the external IP changes daily.

We've removed all activesync partnerships and I tried disabling OWA and 
activesync access on these accounts, but they are still getting locked from 
outside.

Anything else I can look for or at before we go the extreme route and change 
their username?

Does removing the partnership remove the username password from the mobile 
device or does it just keep trying to sync?

Does blocking OWA and activesync for the user, still allow someone to browse to 
the OWA site enter the username and then keep entering a bad password to lock 
the account?

This is Exchange 2010.


Thanks,jb

Jason Benway
Infrastructure Manager
616-850-1208 fax
www.jsjcorp.com<http://www.jsjcorp.com>
[cid:image001.jpg@01CFFE54.6699B0D0]

JSJ Corporation
700 Robbins Road
Grand Haven, MI 49417

________________________________
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee,
you must not use, copy, disclose or take any action based on this message or 
any information herein. If you have received this message in error,
please advise the sender immediately by reply e-mail and delete this message. 
Thank you for your cooperation.