Locked Out Of Account in AD, Can Successfully Log On to Published App
                    
                
                
                    
                        
Article ID: CTX208901
                        
                    
                    
                        
Updated On: 
                    
                 
                
                    
                
                    
                    
                        
                            
Description
                        
                        
A locked-out account in Active Directory can still be used to access the StoreFront site if the site is set up using the Web API / SDK. If the same user tries to access the StoreFront site 30 minutes after the account lockout, the user is unable to log in.
1. Successfully log on as an active user - works as expected
2. Log off from StoreFront
3. Lock the user in Active Directory
4. Logon to StoreFront succeeds: success
5. Requests for resources are replied to with JSON unauthorized:true
6. After waiting for about 30 minutes, the logon to StoreFront is refused with fail

Logon status appears to be cached in StoreFront.
                        
 
                     
                    
                    
                        
                            
                                
                            
                         
                        
                    
                    
                        
                            
                                
Resolution
                            
                            
This is expected behavior, because user caching is used to minimize requests to the Domain Controller.

Try adding the following registry value on the StoreFront server and update:
- Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters\
- DWORD: UserTokenTTL
- Value: 1
- Restart IIS.
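
The registry change above as a PowerShell script. This is an added example, not part of the Citrix article; it assumes an elevated PowerShell session on the StoreFront server and that `iisreset` is available on the path.

```powershell
#Requires -RunAsAdministrator
# Added example: set UserTokenTTL as described in this article, then restart IIS.
# Assumption: run locally on the StoreFront server in an elevated session.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$name    = 'UserTokenTTL'
$desired = 1    # value given in the article; IIS reads this value in seconds

# Create the key if it is missing so the value can be written.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current state before changing anything, so it can be restored.
$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the IIS default token cache lifetime applies."
} else {
    Write-Host "$name is currently $current."
}

if ($current -ne $desired) {
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
        -Value $desired -Force | Out-Null

    # The new value is only picked up after IIS restarts.
    iisreset /restart
    if ($LASTEXITCODE -ne 0) {
        throw "iisreset failed with exit code $LASTEXITCODE; $name is set but not yet active."
    }
} else {
    Write-Host "$name already set to $desired; no restart performed."
}

# Verify the value that is now stored in the registry.
$verify = (Get-ItemProperty -Path $keyPath -Name $name).$name
if ($verify -ne $desired) {
    throw "$name is $verify, expected $desired."
}
Write-Host "$name = $verify. Repeat the lockout test from the Description to confirm the logon is refused."
```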
Beyond this, the behavior depends on how the SDK / Web API is being used in the environment. To proceed further, the customer needs to inform Citrix which API is causing the above issue.
Problem Cause
The above behavior is only seen when the customer is using the Web API / SDK.
                             
                         
                        
                    
                        
                            
                                
Issue/Introduction
                            
                            
A locked-out account in Active Directory can still be used to access the StoreFront site if the site is set up using the Web API / SDK.
If the same user tries to access the StoreFront site 30 minutes after the account lockout, the user is unable to log in.
                            
                         
                        
                    
                    
                    
                
                    
                        