Locked Out Of Account in AD, Can Successfully Log On to Published App

Article ID: CTX208901

Description

An account that is locked out in Active Directory can still log on to a StoreFront site when the site is accessed through the Web API / SDK. Once roughly 30 minutes have passed since the lockout, the same user's logon attempt is rejected.

1. Log on as an active (unlocked) user; this works as expected.
2. Log off from StoreFront.
3. Lock the user's account in Active Directory.
4. Log on to StoreFront again; the logon succeeds.
5. Requests for resources are answered with a JSON response containing unauthorized:true.
6. After waiting about 30 minutes, the StoreFront logon is refused with a failed logon status. The logon status appears to be cached on the StoreFront server.

Resolution

This is expected behavior: IIS on the StoreFront server caches the user's logon token so that it does not have to query the Domain Controller on every request, so the lockout is not seen until the cached token expires. The behavior is briefly explained in the following Microsoft articles:

https://support.microsoft.com/en-us/kb/152526
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true  
 
To shorten the token cache lifetime, add the following registry value on each StoreFront server:
  • Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters\
  • DWORD: UserTokenTTL
  • Value: 1 (the value is a lifetime in seconds; the IIS default is 15 minutes)
  • Restart IIS for the change to take effect.
Note that a very short token lifetime forces IIS to re-authenticate against the Domain Controller far more often, so expect higher DC load on busy StoreFront servers.
Whether this fully resolves the issue also depends on how the SDK / Web API is used in the environment; to investigate further, the customer needs to tell Citrix which API call is triggering the behavior described above.
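The registry change and the follow-up check, as an added PowerShell example that is not part of the Citrix article. It assumes it is run elevated on the StoreFront server, that the ActiveDirectory module is available for the lockout check, and that the test account name (here 'testuser') is replaced with a real one.

```powershell
# Added example (not Citrix's own script): shorten the IIS user-token cache on a StoreFront
# server so an AD lockout is honored promptly, then confirm the test account is really locked.
# Assumptions: run as Administrator on the StoreFront server; UserTokenTTL is in seconds
# (Microsoft KB 152526); 'testuser' is a placeholder account name.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$name     = 'UserTokenTTL'
$newValue = 1   # seconds; IIS default when the value is absent is 15 minutes

# Record the current setting so the change can be reverted if DC load becomes a problem.
$current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the IIS default (15 minutes) applies."
} else {
    Write-Host "Current $name is $current seconds."
}

# Create the key if it is missing, then write the DWORD.
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name $name -PropertyType DWord -Value $newValue -Force | Out-Null

# Verify the write before touching IIS.
$verify = (Get-ItemProperty -Path $regPath -Name $name).$name
if ($verify -ne $newValue) {
    throw "Failed to set $name (read back $verify)."
}
Write-Host "$name set to $verify second(s); restarting IIS."

# The new TTL is only picked up after IIS restarts.
iisreset /restart

# Before retesting the StoreFront logon, confirm the account really is locked out in AD,
# so a successful logon can be attributed to caching rather than to an unlocked account.
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity 'testuser' -Properties LockedOut
if ($acct.LockedOut) {
    Write-Host "testuser is locked out in AD; a StoreFront logon should now be refused."
} else {
    Write-Warning "testuser is NOT locked out in AD; lock it before retesting."
}
```

The script keeps the previous value visible in the console because the only tunable here is a trade-off: a 1-second TTL removes the window in which a locked-out user can still authenticate to StoreFront, at the cost of an authentication round trip to the Domain Controller on practically every request.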

Problem Cause

The behavior described above is seen only when the customer accesses StoreFront through the Web API / SDK.