Article ID: 2619987 - Last Review: February 27, 2012 - Revision: 4.0

Update adds feature to lock out user accounts that use FBA with Active Directory or with LDAP authentication in a Forefront Threat Management Gateway 2010 environment


SUMMARY

Microsoft Forefront Threat Management Gateway 2010 Service Pack 2 adds a local account lockout feature for web listeners that publish a site by using Forms-Based Authentication (FBA) with Active Directory or with Lightweight Directory Access Protocol (LDAP) authentication. After a configurable number of consecutive failed logon attempts for a user name, TMG rejects further attempts for that user locally. This helps prevent a malicious user who submits bad passwords to the published site from reaching the domain's account lockout threshold and locking the real user out of Active Directory.

MORE INFORMATION

To add the Account Lockout feature for FBA, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840  (http://support.microsoft.com/kb/2555840/ ) Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
After you apply Service Pack 2, you can configure the Account Lockout feature by using the Forefront Threat Management Gateway Administration Object Model.

To do this, set the following properties of the FPCWebListenerProperties object for each web listener that publishes the site:
  • EnableAccountLockout
  • AccountLockoutThreshold
  • AccountLockoutResetTime
When EnableAccountLockout is set to True and a user's number of consecutive failed logon attempts exceeds AccountLockoutThreshold, TMG locks that user out locally for AccountLockoutResetTime seconds.

Note "Consecutive failed logon attempts" are failed attempts in which each follows the previous failure by no more than AccountLockoutResetTime seconds, with no successful logon in between. A successful logon, or a gap between failures longer than AccountLockoutResetTime, starts the count again.
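The following PowerShell script is an added example by the editor, not TMG code and not part of this article. It models the per-listener counter exactly as the note above defines it, so that you can see how attempt timing and an intervening successful logon affect the count. It reads "exceeds AccountLockoutThreshold" as threshold + 1 failures, assumes that a locally locked user is not forwarded to AD (the stated purpose of the feature), and uses constructed timestamps and a constructed attempt sequence.

```powershell
# Added example (editor's model of the KB note, not TMG code). Timestamps,
# the attempt sequence and the assumption that a locked user is not forwarded
# to AD are constructed for illustration.
function New-LockoutState {
    @{ Failures = 0; LastFailure = $null; LockedUntil = $null }
}

# Evaluates one logon attempt for one user name against one listener's counter.
# Returns 'Locked', 'Allowed' or 'Denied'.
function Invoke-LogonAttempt {
    param(
        [hashtable]$State,
        [datetime]$Time,
        [bool]$PasswordCorrect,
        [int]$Threshold,       # AccountLockoutThreshold
        [int]$ResetSeconds     # AccountLockoutResetTime
    )
    if ($State.LockedUntil -and $Time -lt $State.LockedUntil) {
        return 'Locked'        # rejected locally; AD is not consulted (assumption)
    }
    if ($PasswordCorrect) {
        # A successful logon ends the run of consecutive failures.
        $State.Failures = 0
        $State.LastFailure = $null
        $State.LockedUntil = $null
        return 'Allowed'
    }
    # A failure is consecutive only if it follows the previous failure by no
    # more than AccountLockoutResetTime seconds (KB note).
    if ($State.LastFailure -and ($Time - $State.LastFailure).TotalSeconds -le $ResetSeconds) {
        $State.Failures++
    } else {
        $State.Failures = 1
    }
    $State.LastFailure = $Time
    if ($State.Failures -gt $Threshold) {
        # Threshold exceeded: lock locally for AccountLockoutResetTime seconds.
        $State.LockedUntil = $Time.AddSeconds($ResetSeconds)
        return 'Locked'
    }
    return 'Denied'
}

# Constructed scenario: Threshold = 3, ResetSeconds = 600.
$t0    = Get-Date '2012-02-27T09:00:00'
$state = New-LockoutState
$attempts = @(
    @{ At = 0;    Ok = $false },   # failure 1
    @{ At = 10;   Ok = $false },   # failure 2
    @{ At = 20;   Ok = $false },   # failure 3 (threshold reached, not exceeded)
    @{ At = 30;   Ok = $false },   # failure 4 exceeds threshold: locked for 600 s
    @{ At = 40;   Ok = $true  },   # correct password, but still locked locally
    @{ At = 700;  Ok = $true  },   # lock expired: allowed, counter reset
    @{ At = 710;  Ok = $false },   # failure 1 of a new run
    @{ At = 1400; Ok = $false }    # 690 s after the last failure: not consecutive, counts as 1
)
foreach ($a in $attempts) {
    $r = Invoke-LogonAttempt -State $state -Time $t0.AddSeconds($a.At) `
        -PasswordCorrect $a.Ok -Threshold 3 -ResetSeconds 600
    '{0,5}s  correct={1,-5} -> {2,-7} failures={3}' -f $a.At, $a.Ok, $r, $state.Failures
}
```

The last two attempts show the failure mode to keep in mind when you pick AccountLockoutResetTime: failures spaced further apart than the reset time never add up on TMG, but every one of them still reaches the directory and is counted there until the directory's own reset interval passes.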

Please also note that:
  • the lockout counter for FBA that is described above is local to each TMG computer. In an array, every member keeps its own count, so an attacker who spreads attempts across the members can submit up to AccountLockoutThreshold failed attempts to each member before any member locks the user locally. Size the threshold with the number of array members in mind.
  • if AccountLockoutThreshold is set equal to or greater than the Active Directory account lockout threshold, AD account lockout will trigger before the FBA local lockout, which defeats the purpose of having this protection in place. Set AccountLockoutThreshold lower than the AD threshold.
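The following PowerShell script is an added example by the editor; it is not from this article or the TMG SDK samples. It performs the configuration described under "More Information" through the TMG Administration Object Model (the FPC.Root COM object, FPCArray.RuleElements.WebListeners and FPCWebListenerProperties) and then applies the two caveats above as checks against the domain's lockout policy, which it reads with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module. The threshold and reset values, the optional listener-name filter, and the assumption that a locally locked user is not forwarded to AD are the editor's; the third check (reset time versus the AD observation window) is derived from the note's definition of "consecutive", not stated in the article.

```powershell
# Added example (editor's script, not from the KB article or the TMG SDK).
# Enables FBA account lockout on web listeners in the local array via the TMG
# Administration Object Model, then checks the chosen values against the
# default domain lockout policy so that the local lockout fires first.
# Run in an elevated PowerShell session on a TMG 2010 SP2 array member; the
# AD checks need the ActiveDirectory module (RSAT). Parameter defaults are
# assumed values, not recommendations from the article.
param(
    [int]$Threshold    = 3,      # AccountLockoutThreshold: failures allowed before local lockout
    [int]$ResetSeconds = 1800,   # AccountLockoutResetTime: "consecutive" window and lock length
    [string[]]$ListenerNames     # optional: restrict to the FBA listeners that publish the site
)

$root        = New-Object -ComObject 'FPC.Root'
$array       = $root.GetContainingArray()
$memberCount = $array.Servers.Count        # the counter is per TMG computer

foreach ($listener in $array.RuleElements.WebListeners) {
    if ($ListenerNames -and $ListenerNames -notcontains $listener.Name) { continue }
    $props = $listener.Properties          # FPCWebListenerProperties
    $props.EnableAccountLockout    = $true
    $props.AccountLockoutThreshold = $Threshold
    $props.AccountLockoutResetTime = $ResetSeconds
    Write-Output ("{0}: EnableAccountLockout={1} Threshold={2} ResetTime={3}s" -f $listener.Name,
        $props.EnableAccountLockout, $props.AccountLockoutThreshold, $props.AccountLockoutResetTime)
}
$array.Save()                              # commit the array configuration

# Caveat checks against the default domain policy.
Import-Module ActiveDirectory -ErrorAction Stop
$policy      = Get-ADDefaultDomainPasswordPolicy
$adThreshold = $policy.LockoutThreshold
$adWindow    = [int]$policy.LockoutObservationWindow.TotalSeconds

if ($adThreshold -eq 0) {
    Write-Warning 'AD account lockout is disabled in the default domain policy; there is no AD lockout to protect against.'
} else {
    # Caveat 2: the local threshold must be exceeded before AD's is reached.
    if ($Threshold -ge $adThreshold) {
        Write-Warning "AccountLockoutThreshold ($Threshold) is not below the AD LockoutThreshold ($adThreshold): AD locks the account first."
    }
    # Caveat 1: each array member counts separately, so an attacker can spend
    # $Threshold attempts on every member without a local lockout anywhere.
    if (($memberCount * $Threshold) -ge $adThreshold) {
        Write-Warning ("{0} array member(s) x {1} attempts each = {2} AD failures with no local lockout; AD LockoutThreshold is {3}." -f
            $memberCount, $Threshold, ($memberCount * $Threshold), $adThreshold)
    }
    # Derived from the KB note: failures spaced more than ResetSeconds apart are
    # not "consecutive" on TMG, but AD keeps counting them for its observation window.
    if ($ResetSeconds -lt $adWindow) {
        Write-Warning ("AccountLockoutResetTime ({0}s) is shorter than the AD lockout observation window ({1}s): attempts spaced between the two values restart the TMG counter but still accumulate in AD." -f
            $ResetSeconds, $adWindow)
    }
}
```

If the published users fall under a fine-grained password policy, their effective lockout settings can differ from the default domain policy; check them with Get-ADUserResultantPasswordPolicy for a representative account before trusting the comparison above. The script sets the three properties on every listener it visits; the article describes an effect only for listeners that use FBA with AD or LDAP, so pass -ListenerNames to limit the change to those.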

REFERENCES

For more information about the FPCWebListenerProperties object, visit the following Microsoft Developer Network (MSDN) website:
FPCWebListenerProperties Object (http://msdn.microsoft.com/en-us/library/ff826991(v=VS.85).aspx)
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates


APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
Keywords: 
kbexpertiseinter kbsurveynew KB2619987