ACS 5.3 and Windows AD account lockout

Currently on 5.3.0.40.2, when an invalid password is attempted via TACACS or RADIUS to the AD identity store, it locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policies in ACS but nothing for the identity store. For what it's worth, this also happened with the ACS 4.X deployment before we moved to ACS 5.3.
Just wanted to see if this is the expected behavior or if I should open a TAC case to see what is causing this.
Thanks.

Hi;
Well, we got it working. Not sure of the exact fix, but allow me to ramble, perhaps it will help someone else.
We think that a combination of factors caused the problem. First, we had clock drift, and that resulted in clock skew messages in the logs like these:
Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
and
ecb-acs1 adclient[1163]: WARN  base.bind.cache LDAP fetch CN=bubba,OU=staff,OU=edcenter,OU=edcenterarea,OU=episd,DC=episd,DC=org threw unexpected exception: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Clock skew too great"
Somehow the ACS lost the ntp config, very disturbing, because I know that one of the first things I did was set up NTP. So I re-did the ntp config, confirmed the time was accurate. Still failed. Then, because I was annoyed by the log entries coming out in UTC, I did a clock timezone to set it to local. That made the logs come out in local time, but might have caused other problems (I saw another forum entry for that) so I set it back to UTC.
This begs the question - how to leave the timezone at UTC but fix the timestamps for the logs? This is easy on Cisco switches.
Various reboots of the ACS after deleting the object in AD did not fix the problem. During these reboots I continued to use the original userid and password to authenticate. At all times, the "test connection" button showed that the credentials were OK.
Because we had recently added our first Win2008 domain controller to our world (all the other DCs are Win2k3), we started worrying about this:
http://support.microsoft.com/kb/978055/en-us
But, after some checking, it seems as if we already had the fix applied.
Next, we created a dedicated user in AD for the ACS to use when authenticating. Deleted the ACS object, restarted the ACS, applied those new credentials. Still broken.
Our AD admin looked in various logs and found some things, here is his summary:
----------- from Danny --------
Checked the domain controller log under system.  Found the following:
While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
and
While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of stcrye will generate a proper key.
This may be related to either clock skew between acs and the domain or introducing server 2008 domain controllers into an existing server 2003 domain.
On a desperate hunch, after yet again deleting the ACS object in AD and reloading the ACS, I used the new dedicated ACS user account, but gave it a wrong password. Hit save, watched it fail. Then I put in the correct password, hit save, and it worked! Finally we have re-joined and are connected to the domain.
BUT ... I have now lost all confidence in ACS 5.3. We are in the middle of a major rollout of WiFi clients using 802.1x authentication, replacing our previous pre-shared WPA setup. We are talking > 20,000 WiFi clients. If ACS <--> AD is not rock-solid, I need to try something else. Should we consider using LDAPS instead?
Steve
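
The two log signatures quoted in this post (adclient's "Clock skew too great" and the domain controller's "did not have a suitable key" event) can be triaged automatically. The following Python sketch is an added example, not part of the original post or of any Cisco or Microsoft tool; the function names are hypothetical and the sample lines are copied from the messages above.

```python
import re

# IANA-assigned Kerberos encryption types (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Sample input copied from the log messages quoted in the post above.
SAMPLE_LINES = [
    "Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: "
    "Problem connecting to domain controller (KDC refused skey: Clock skew "
    "too great), will try again later.",
    "While processing an AS request for target service krbtgt, the account "
    "ecb-acs1$ did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes : 17. The accounts "
    "available etypes : 23  -133  -128  3  1. Changing or resetting the "
    "password of ecb-acs1$ will generate a proper key.",
    "While processing an AS request for target service krbtgt, the account "
    "stcrye did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 2). The requested etypes : 18. The accounts "
    "available etypes : 23  -133  -128  3  1. Changing or resetting the "
    "password of stcrye will generate a proper key.",
]

ADCLIENT = re.compile(r"(\S+) adclient\[\d+\]:\s+(\w+)\s+(.*)")
KDC_EVENT = re.compile(
    r"the account (\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*([-\d ]+)\.\s*"
    r"The accounts available etypes\s*:\s*([-\d ]+)\."
)


def etype_name(number):
    """Name an etype; negative numbers are local-use, not IANA-assigned."""
    if number < 0:
        return f"local-use({number})"
    return ETYPE_NAMES.get(number, f"unknown({number})")


def parse_kdc_event(line):
    """Parse a 'no suitable key' KDC event into requested/available etypes."""
    m = KDC_EVENT.search(line)
    if not m:
        return None
    requested = [int(x) for x in m.group(2).split()]
    available = [int(x) for x in m.group(3).split()]
    common = [e for e in requested if e in available]
    return {
        "issue": "etype_mismatch",
        "account": m.group(1),
        "requested": requested,
        "requested_names": [etype_name(e) for e in requested],
        "available": available,
        "available_names": [etype_name(e) for e in available],
        "common": common,
        # No overlap: the account holds no key of the requested type. The
        # event text itself says a password change or reset generates one.
        "needs_key_regeneration": not common,
    }


def parse_adclient(line):
    """Flag adclient syslog lines that report Kerberos clock skew."""
    m = ADCLIENT.search(line)
    if not m or "Clock skew too great" not in m.group(3):
        return None
    return {"issue": "clock_skew", "host": m.group(1), "level": m.group(2)}


def triage(lines):
    """Return one finding per recognised line, in input order."""
    findings = []
    for line in lines:
        finding = parse_adclient(line) or parse_kdc_event(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

On the sample lines it reports that the client asked for AES keys (etypes 17 and 18) while both accounts only held RC4 and DES keys.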

Similar Messages

  • Forms Authentication Error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed

    I created a custom security extension following the steps listed in the Readme_Security Extension Sample. It works fine if I log in as the user that is specified in the AdminConfiguration section of the rsreportserver.config file, but if I log in as another user, I get this error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. I've added the user to both System Administrator and System User roles to try to get it to work but still no luck.
    Does anyone know how to fix this?
    Thanks.

    Hi MetronM,
    The issue is because the user has no permission to access the report server. In report manager, Reporting Services includes predefined roles that we can assign to users and groups to provide immediate access to a report server. Each role defines a collection of related tasks.
    You can refer to the following steps to assign corresponding role to the user.
    Open report manager.
    Click “Folder Setting” button. 
    Click “New Role Assignment” icon.
    Type the user name and select the corresponding role.
    There is an article about Granting Permissions on a Native Mode Report Server, you can refer to it.
    http://technet.microsoft.com/en-us/library/ms156014.aspx
    Regards,
    Alisa Tang
    TechNet Community Support

  • ACS 5.5 and Windows 2012 AD support

    Hi All,
    previously I had two AD domains based on 2008 and had machines in one domain and users in another domain
    and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user
    authentication.
    I have now upgraded the machine's domain to 2012 and  machine authentication works fine and user authentication
    also works, but when you put the two together, and enable "Was machine authenticated=True" the ACS errors
    out when doing user authentication with the message "ACS unable to find previous successful machine authentication"
    even though machine authentication was successful. I have tried with with ACS being a member of both 2008 and 2012 domains at each stage.
    The clients are all windows 8.1
    Has anyone encountered this scenario before ?
    TIA

    I would like to share a good troubleshooting guide for ACS 5.X and later, Please have a look:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

  • ACS 4.0 and Windows 7.

    Facing challenges in integrating ACS 4.0 with Windows 7. Please help.
    Is ACS 4.0 compatible with Windows 7?

    have a look here http://forums.macrumors.com/showthread.php?t=467704 for instructions/solution.
    Basically you have to make yourself a copy of your Windows disc using the files of that disc and a program called oscdimg.exe plus a burning program.
    And it had to be done on a Windows PC or in virtualized Windows (using Parallels/Fusion/VirtualBox) on your Mac.
    Hope it helps
    Stefan

  • User 'Levent2-PC\Levent2' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.

    I have run Report Manager which show the below error
    and
    web url show below error
    What should I do to solve this error?
    Please reply quickly.

    Hi tusharshinde,
    Based on my understanding, you come across an issue when you try to access report manager and report server.
    In Reporting Service, after installing a new report server, only users who are members of the Local Administrators group have permissions to access report server. If we want to grant permissions for other users to access report server, we should add users
    to an item-level role and system-level role. Please refer to this article:
    Grant User Access to a Report Server (Report Manager).
    According to the screenshots, it’s clear that you don’t have sufficient permission to access report manager and report server. So in this scenario, please make sure you are members of local administrators group. To fix the issue, you could run IE browser
    as administrator and add your account to a proper item-level role and system-level role. If the issue persists, please temporarily change the User Access Control settings to “Never notify”. For more information, please refer to the articles below:
    SQL Server Reporting Services Report Manager Site Permissions Error After Installation
    rsAccessedDenied - Reporting Services Error
    If you have any question, please feel free to ask.
    Best regards,
    Qiuyun Yu

  • Cisco ACS 4.2 and Windows 2008 R2 CA

    Has anyone been successful in getting a cert off of a 2008 R2 CA and importing it correctly into ACS 4.2? I've had, and have seen others have, the problem with creating a web server certificate from R2 (1024 bit) and putting it in ACS 4.2 only to have HTTPS/SSL no longer work correctly. I haven't even tested the intended purpose of the cert (EAP-TLS) yet, so who knows if that works. I've also seen through searching where someone was able to take a 2003 CA web server template and put it into R2 and it worked, but I no longer have 2003 available. Any ideas?
    Thanks,
    Raun

    I have seen issues where the templates on the R2 boxes are using elliptical curve cryptography; basically, if the template has a '#' character in it, that is what I think causes this process to be used. Try to use a template that doesn't have this in the front and then try to generate a cert against the template you created.
    Here is a snip of the guide that I am forwarding you:
    Determining Whether to Implement Cryptography Next Generation Algorithms
    For Windows Server 2008–based version 3 certificate  templates, the option exists to configure advanced cryptographic  algorithms such as elliptic curve cryptography (ECC). Before configuring  these settings, ensure that the operating systems and applications  deployed in your environment can support these cryptographic algorithms.
    http://technet.microsoft.com/en-us/library/cc731705%28v=ws.10%29.aspx
    Screenshots in another article:
    http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29.aspx
    Thanks,
    Tarik Admani

  • ACS 3.3 and windows 2k3 issue

    Have an issue with installation of ACS 3.3 trial version on windows 2k3 server. When I go to setup an AAA client type of RADIUS (Cisco Aironet), with values entered for Hostname, IP address and Key, and submit changes, dialog comes back saying "RADIUS key value must not be blank".
    Have implemented this on a windows 2000 server with no issues. Have tried install on 4 different 2003 servers all behave in this manner.
    Anyone else seen this?

    I had the same problem several months ago. The solution I found was to download and install the latest java on the server.

  • ACS 4.1 for Windows, command accounting.

    ACS doesn't log the command into the csv file.
    I have verified that device sends the acct message, the tacacs service (in full log mode) reports the message but there isn't an entry into the csv TACACS+ Admin.
    Thanks.
    Andrea

    TACACS+ Administration logging is enabled.
    This is the service log with the cmd attribute.
    TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
    TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)
    TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15
    TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1
    TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10
    TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6
    TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi
    TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1
    TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15
    TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor
    TCS 19/01/2009 09:20:16 I 0043 1196 END >>>
    TCS 19/01/2009 09:20:16 I 0688 701436 Single Connect thread 1 allocated work
    TCS 19/01/2009 09:20:16 I 0043 701436 <<< PACKET TO CLIENT:sw-core11 TYPE:ACCT, SEQ 2, FLAGS 1
    TCS 19/01/2009 09:20:16 I 0043 701436 SESSIONID -424833774 (0xe6ad8d12), DATALEN 5 (0x5)
    TCS 19/01/2009 09:20:16 I 0043 701436 ACCT/REPLY status=1
    TCS 19/01/2009 09:20:16 I 0043 701436 msg_len=0 data_len=0
    TCS 19/01/2009 09:20:16 I 0043 701436 End >>>
    All logs seem to be ok!
    Thanks for your help.
    Andrea
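
The request packet in this service log can be turned back into the accounting row that is missing from the CSV, and its declared lengths checked against DATALEN. The following Python sketch is an added example, not part of the original posts or of ACS; function names are hypothetical, the sample lines are copied from the log above, and the length check assumes the TACACS+ accounting REQUEST body layout from RFC 8907.

```python
import re

# Sample input: the request lines copied from the service log posted above.
SAMPLE_LOG = """\
TCS 19/01/2009 09:20:16 I 0043 1196 <<< RECEIVED FROM CLIENT:sw-core11 TYPE=ACCT, SEQ=1, FLAGS=1
TCS 19/01/2009 09:20:16 I 0043 1196 SESSIONID -424833774 (0xe6ad8d12), DATALEN 130 (0x82)
TCS 19/01/2009 09:20:16 I 0043 1196 ACCT, flags=0x4 method=6 priv_lvl=15
TCS 19/01/2009 09:20:16 I 0043 1196 type=1 svc=1
TCS 19/01/2009 09:20:16 I 0043 1196 user_len=7 port_len=4 rem_addr_len=10
TCS 19/01/2009 09:20:16 I 0043 1196 arg_cnt=6
TCS 19/01/2009 09:20:16 I 0043 1196 USER=ameconi
TCS 19/01/2009 09:20:16 I 0043 1196 PORT=tty1
TCS 19/01/2009 09:20:16 I 0043 1196 REM_ADDR=10.4.42.63
TCS 19/01/2009 09:20:16 I 0043 1196 arg[0](size=12)=task_id=2598
TCS 19/01/2009 09:20:16 I 0043 1196 arg[1](size=21)=start_time=1232353216
TCS 19/01/2009 09:20:16 I 0043 1196 arg[2](size=12)=timezone=MET
TCS 19/01/2009 09:20:16 I 0043 1196 arg[3](size=13)=service=shell
TCS 19/01/2009 09:20:16 I 0043 1196 arg[4](size=11)=priv-lvl=15
TCS 19/01/2009 09:20:16 I 0043 1196 arg[5](size=25)=cmd=terminal monitor
TCS 19/01/2009 09:20:16 I 0043 1196 END >>>
"""

PREFIX = re.compile(r"^TCS (\S+ \S+) \w \d+ \d+ (.*)$")
START = re.compile(r"<<< RECEIVED FROM CLIENT:(\S+) TYPE=(\w+)")
SESSION = re.compile(r"SESSIONID (-?\d+) \((0x[0-9a-f]+)\), DATALEN (\d+)")
LENGTHS = re.compile(r"\b(user_len|port_len|rem_addr_len|arg_cnt)=(\d+)")
FIELD = re.compile(r"(USER|PORT|REM_ADDR)=(.*)")
ARG = re.compile(r"arg\[(\d+)\]\(size=(\d+)\)=(.*)")


def parse_acct_requests(text):
    """Group TCS log lines into one dict per received accounting packet."""
    records, rec = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        when, body = m.groups()
        start = START.match(body)
        if start:
            rec = {"time": when, "client": start.group(1),
                   "type": start.group(2), "lens": {}, "args": []}
        elif rec is None:
            continue
        elif body.upper().startswith("END"):
            records.append(rec)
            rec = None
        elif ARG.match(body):
            _, size, value = ARG.match(body).groups()
            rec["args"].append((int(size), value))
        elif SESSION.match(body):
            rec["session"] = SESSION.match(body).group(2)
            rec["datalen"] = int(SESSION.match(body).group(3))
        elif FIELD.match(body):
            key, value = FIELD.match(body).groups()
            rec[key.lower()] = value
        else:
            for key, value in LENGTHS.findall(body):
                rec["lens"][key] = int(value)
    return records


def expected_datalen(rec):
    """Body size implied by the declared lengths: 9 fixed bytes, one length
    byte per argument, then user, port, rem_addr and the arguments."""
    lens = rec["lens"]
    return (9 + lens["arg_cnt"] + lens["user_len"] + lens["port_len"]
            + lens["rem_addr_len"] + sum(size for size, _ in rec["args"]))


def audit_row(rec):
    """Flatten one packet into the fields a command-accounting row needs."""
    attrs = dict(value.split("=", 1) for _, value in rec["args"])
    return {
        "time": rec["time"], "client": rec["client"], "user": rec["user"],
        "rem_addr": rec["rem_addr"], "priv_lvl": attrs.get("priv-lvl"),
        "cmd": attrs.get("cmd"),
        "datalen_ok": expected_datalen(rec) == rec["datalen"],
        # Arguments whose logged text length differs from the declared size.
        "size_mismatch_args": [i for i, (size, value) in enumerate(rec["args"])
                               if len(value) != size],
    }


if __name__ == "__main__":
    for record in parse_acct_requests(SAMPLE_LOG):
        print(audit_row(record))
```

For the sample packet the declared lengths add up to the logged DATALEN of 130, and only the `cmd` argument's declared size (25) differs from the length of the text shown in the log (20).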

  • Account Lockout Automatically in Windows 2008 R2 Active Directory

    Dear All,
    Suddenly, in a Windows 2008 R2 with SP1 AD Domain, users are automatically locked out. I don't know what the issue is with the Domain Controller. We can manually unlock all the users, but again within 2 to 3 minutes all users are locked out.
    We have continuously received event 12294.
    Please help me with what I should do. Is there any fix for that?
    Regards,
    Kamal Patel
    Server Admin
    Regards, Kamal Patel Windows Administrator

    Hi,
    Please run a complete virus scan on your network and monitor the result. Meanwhile, please use the Account Lockout and Management Tools and check if they help you to solve this issue. In addition, you can refer to the following articles to troubleshoot the account lockout issue.
    Frequent Account lockout troubleshoot
    Troubleshooting Account Lockout
    By the way, for Event ID 12294, please refer to the following article and check if it can help you.
    Event ID 12294 — Account Lockout
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • ACS Se 4.2.1.15 patch 4 and Windows 2008 R2

    Hi, Can anyone advise whether ACS Se and Remote Agent 4.2.1.15.4 supports Windows 2008 R2 please. Thank you.

    Hi,
    ACS 4.2.1.15 does not support windows 2008 R2.
    ACS 5.2 supports the same.
    It is a bug CSCtg12399 which is resolved on ACS 5.2.
    The release notes of ACS 5.2 describing the same.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html
    The following link gives details of the ACS 4.2 and Windows 2008 compatibility.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html#wp100949
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

  • Random Account Lockout (How to trace source?)

    In Windows 2003 server native domain environment: XP Pro machines have no issues, but all ~10 PCs that have Win7 Pro (in different offices) have their domain accounts locked out randomly throughout the day. Workstations have no passwords listed in credentials
    management.
    Suspect it is something on the workstations that is sending incorrect logon and triggering the invalid password lockout limit on domain policy. Found MSFT tools to trace in XP, but nothing for Win7. Does anyone know how to use Procmon or a similar tool to
    trace such source on the workstations? Thank you.
    (Procmon.exe from Sysinternals)

    Hi,
    The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
    We can run the LockoutStatus.exe on domain controller to identify and investigate the account lockout issue.
    Troubleshooting tools:
    By using this tool, we can gather and display information about the specified user account including the domain admin's account
    from all the domain controllers in the domain. In addition, the tool displays the user's badPwdCount value on each domain controller. The domain controllers that have a badPwdCount value that reflects the bad password threshold setting for the domain are the
    domain controllers that are involved in the lockout. These domain controllers always include the PDC emulator operations master.
    You may download the tool from the link
    Download Account Lockout Status (LockoutStatus.exe)
    http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
    Once we confirm the problematic computer, we can perform further research to locate the root cause. Actually, there are many possible
    causes for bad password, such as cached password, schedule task, mapped drives, services, etc. Please remove the previous password cache which may be used by some applications and therefore cause the account lockout problem.
    Troubleshooting steps:
    1. Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
    2. Click the Advanced tab.
    3. Click the "Manage Password" button.
    4. Check to see if these domain account's passwords are cached. If so, remove them.
    5. Check if the problem has been resolved now.
    If any application or service is running as the problematic user account, please disable it and then check whether the problem
    occurs.
    For your convenience, I'd like to list the common troubleshooting steps and resolutions for account lockouts as the following:
    Common Causes for Account Lockouts
    To avoid false lockouts, please check each computer on which a lockout occurred for the following behaviors:
    Programs:
    Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.
    Service accounts:
    Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers.
    If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using
    the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account
    lockouts.
    Bad Password Threshold is set too low:
    This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower
    than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing
    Account Lockout Settings for Your Deployment" in this document.
    User logging on to multiple computers:
    A user may log onto multiple computers at one time. Programs that are running on those computers may access network resources with
    the user credentials of that user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they
    request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log
    off and back on.
    Stored user names and passwords retain redundant credentials:
    If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant
    because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the
    Windows Server 2003 family.
    Scheduled tasks:
    Scheduled processes may be configured to use credentials that have expired.
    Persistent drive mappings:
    Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when
    they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails
    when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, please type net use /persistent:no. Alternately,
    to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
    Active Directory replication:
    User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should
    verify that proper Active Directory replication is occurring.
    Disconnected Terminal Server sessions:
    Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information.
    A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that
    the source of the lockout comes from a single computer that is running Terminal Services.
    Service accounts:
    By default, most computer services are configured to start in the security context of the Local System account. However, you can
    manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service
    may lock out the account.
    Internet Information Services:
    By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access
    to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the
    Microsoft Knowledge Base.
    MSN Messenger and Microsoft Outlook:
    If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior,
    see "MSN Messenger May Cause Domain Account Lockout After a Password Change" in the
    Microsoft Knowledge Base.
    For more information, please refer to the following link:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155.aspx
    Account Passwords and Policies in Windows Server 2003
    http://technet.microsoft.com/en-us/library/cc783860.aspx
    Hope this helps!
    Novak

  • Account Lockout source process / application

    Hello There,
    I am using "Account Lockout Status" and also "Netwrix Account Lockout Examiner" which is really helpful.
    I have a situation where one of the user accounts is getting locked out every day. I tried to trace the source, but in all the cases it shows
    the source as TMG (which is the gateway for email & Lync access) through the internet.
    I suspect the account lockout source is the user's machine, but I want to see which process is triggering this.
    How can I check the process name which is causing the account lockout on the source machine itself?
    Please suggest.
    Regards,
    Maqsood
    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    1. Run this command:
    rundll32 keymgr.dll,KRShowKeyMgr
    2. Backup the stored credentials using the Backup button. Then, remove them.
    If the problem continues, we need to enable audit policies and analyze event log to troubleshoot this problem. For more information,
    please refer to:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
    Account Lockout and Management Tools
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
    Hope below link helps.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8c0e9442-6df6-43b0-8b50-bd44f53dfdea/my-account-is-getting-locked-out?forum=winserversecurity
    Regards,
    Manjunath Sullad

  • ACS 3.2 for Windows and MS Windows AD Directory Integration Problem

    Dear all,
    We have some issues while integrating Windows AD with ACS 3.2 for Windows. Currently we have done the following:
    1. Installed ACS 3.2 for Windows on Windows 2003 Enterprise with SP1
    2. ACS and Domain Controller are configured on the same server
    Checked and verified the following configurations
    1. created a domain user "csacs" selected Act as a part of operating system and log on as a service enabled for this user.
    2. Enabled all the CS services to log on as a user csacs.
    But I noticed CS services are not responding and give the error "Could not able to start the service with service specific error ..." while trying to start services manually on ACS.
    Kindly help me through this integration part
    An easy and handy Step wise procedure on configuring integration of AD with ACS 3.2 on both Domain Controller and on Member server will be of great help.
    Thanks
    Kind Regards,
    Ahmed

    I have no issues running Cisco ACS version 3.2 on Windows
    Server 2003 with SP2:
    1) create user test1 in MS Active Directory and put test1
    in users group with dial-in access granted,
    3) Create a group called "LDAP". Actually I renamed
    group name "group 1" to "LDAP".
    3) in ACS external user database configuration, I specified
    domain "CCIE" as for this. unknown user policy is to use
    Windows Database configuration,
    4) Configure the database configuration in ACS to point
    to "CCIE" windows domain,
    5) setup the ACS to authenticate one of your Cisco devices
    and log in using the MS windows account,
    By the way, mgurwara, you are wrong. I run Cisco
    ACS 3.2 on windows 2003 Enterprise Edition with Service
    Pack 2. I am running it on a Dell Optiplex Gx240
    (1.7 GHz with 512MB of RAM) and it is running fine.
    I use it to manage about 20 cisco devices and
    about 200 Wireless LEAP user(s). Furthermore, I am also
    running ACS 4.1 on another identical hardware. It has
    nothing to do with the hardware. I don't know where
    you get that information from.

  • Password Aging & Account Lockout in ACS 4.2

    I have a requirement that in ACS the  user accounts should get disabled after 1 day , so in the group setting under the Password Aging Field I configured the same as 1 day , the Grace & Warning Period is 0 days
    I want that all these user accounts would be active for 30 days , and the moment the account is used (i.e the Start Message appears in the Radius Accounting ) then after 1 day  from the usage then as per the Password Aging Rule the account should get expired.
    Now my query is this password aging rule will start from the day I create the account in the ACS or from the day the user logs in.
    I don’t want to use the Account Lockout Tab as I don’t know when the guest account would be used.
    Request someone to help pls clarify my doubt.
    Regards

    Hi Yusuf,
    Password Aging on ACS will just prompt to change the password. it will not disable the account.
    The Account is present on the AD. So the Disabling and lockout features for an account will come from the AD.
    I don't think a change in password for a guest account is what you would want to do.
    Also according to me disabling the account should be a feature only for the AD admin and not open. A lockout can definitely happen but that also has to be defined on the AD.
    The link to password Aging on ACS is as follows:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this string as answered if you feel the query is answered.

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account Lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter the wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    The validity of the PIN is managed by the smartcard itself, not by Windows. Windows just logs in if the smartcard gives the right certificates/keys. The smartcard will only do so when it is provided a valid PIN.
    Also note an account should not be locked out to avoid brute forcing the PIN. instead, the smartcard should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP
