1 Reply Latest reply: Feb 27, 2014 9:44 PM by Weijun RSS

    Java 7 causing accounts to become locked out with Threat Management Gateway (TMG)

    7475cb9d-c8ae-4de9-ad33-b3aa8b1cb8ed

      Our current environment has Java 7u45 as the standard for clients.  These clients when requesting external internet pages are currently going through some ISA 2006 proxies that require integrated authentication.  We are trying to move to a set of TMG 2010 proxy servers with integrated authentication, but the moment we moved some users to those boxes, we started experiencing accounts being locked out.  We have contacted microsoft and they say the issue resides with Java and they don't see anything inherently wrong with the TMG proxies.  I have to agree with this as I haven't had the problem unless Java has been involved.  I have been scouring the internet for anybody that is having this issue and have found some articles, but nothing that really answers my question directly.  The intial finding came about due to an internal java application, which to me seemed very weird since internal web pages weren't supposed to be going through the proxies.  Come to find out that Java 7 is making internet calls to external revocation checking services.  This call appears to be causing the internal issue or least the route when the page is request and the Java agent sends credentials to the TMG proxies and then TMG sends them to the Domain Controllers is causing it.  By opening multiple instances of the internal application I can cause my account to lock out within a minute or two.  If I change the "Perform certificate revocation checks on" to Do not check, then I appear to not have an issue at least concerning the internal application.  I am pretty sure I have also locked myself out once when working with the Oracle Beehive site/software, so I don't believe it to be just an internal issue.

       

      I have looked at some network monitoring traces, but my understanding of these is somewhat limited.  Some articles (Java SE Ver 7 Uxx locking out domain user account failing Kerberos PreAuth) I have come across have talked about Kerberos being the issue, but when I did the traces, I don't see any mention of Kerberos being blocked or attempted.  Our environment does require NTLMv2, which it appears that Java attempts to pass credentials via NTLM first and then NTLMv2.  This very well might be where the issue lays.  I do have a question about why Java doesn't cause lockouts through ISA 2006, but TMG 2010 causes this issue?  Has anybody else had this issue and figure out what it was?

       

      These are a couple lines picked out by the Microsoft Engineer using the TMG Tracing:

      01/20 17:00:50 [LOGON] SamLogon: Network logon of domain\xxxx from xxxx Entered

      01/20 17:00:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)