Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Summary

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 adds a new local account lockout feature that helps prevent a malicious user from locking out domain accounts when Forefront TMG is configured to publish a site by using forms-based authentication (FBA) together with Active Directory or Lightweight Directory Access Protocol (LDAP) authentication.

More Information

To add the account lockout feature for FBA, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

After you apply Service Pack 2, you can configure the account lockout feature by using the Forefront TMG Administration Object Model. To do this, configure the following properties for the WebListenerProperties object, and then set the properties per listener:

  • EnableAccountLockout

  • AccountLockoutThreshold

  • AccountLockoutResetTime

If the EnableAccountLockout property is set to True and if the value for the AccountLockoutThreshold property for consecutive failed logon attempts for a user is exceeded, the account is locked based on the AccountLockoutResetTime value in seconds.

Note "Consecutive failed logon attempts" means that the time period between two failed logon attempts is no more than the AccountLockoutResetTime value in seconds and that there were no successful logons in between attempts.

Please also note the following:

  • The lockout counter for FBA that is described here is local to each TMG computer.

  • If the Active Directory account lockout is configured for greater values than its thresholds, the lockout will be triggered before the FBA local lockout. This is likely to defeat the purpose of having this protection in place.

Following is an example of a script that can be used to enable the TMG Soft Account Lockout feature that is described in this article. Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. 

  1. Copy the following script into a Notepad file, then save the text file as a Microsoft Visual Basic file by using the .vbs file name extension. Make sure that you change the value for WebListenerName as appropriate for your environment.


    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Script for enabling TMG Soft Account Lockout described in KB 2619987

    Option Explicit
    Dim WebListenerName,newEnableAccountLockout,newAccountLockoutThreshold,newAccountLockoutResetTime

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' SET YOUR VALUES HERE
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ' Rule name where you want to change the EnableAccountLockout parameter

    WebListenerName = "YourWebListenerName"

    ''''''''''''''''''''''''''''''''''
    ' Set here custom values
    ' Remember: If the EnableAccountLockout property is set to True and the
    ' value for the AccountLockoutThreshold property for consecutive failed
    ' logon attempts for a user is exceeded, the account is locked based on
    ' the AccountLockoutResetTime value in seconds.

    newEnableAccountLockout = True
    newAccountLockoutThreshold = 2
    newAccountLockoutResetTime = 60

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Begin

    Dim Root, Array, WebListeners, WL, intCompare

    Set Root = CreateObject("FPC.Root")
    Set Array = Root.GetContainingArray
    Set WebListeners = Array.RuleElements.WebListeners

    ''''''''''''''''''''''''''''''''''
    ' Look for the WebListener

    For Each WL in WebListeners
    Wscript.Echo " Comparing WebListener name |" & WebListenerName & "| with |" & WL.Name & "|"
    intCompare = StrComp(WebListenerName, WL.Name, vbTextCompare)
    If intCompare = 0 then
    Exit For
    End If
    Next

    Wscript.Echo
    Wscript.Echo "Found WebListener with description: |" & WL.Description & "|"

    ''''''''''''''''''''''''''''''''''
    ' Show values

    Wscript.Echo
    Wscript.Echo "***** CURRENT VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"
    Wscript.Echo "***** NEW VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & newEnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & newAccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & newAccountLockoutResetTime & "|"

    ''''''''''''''''''''''''''''''''''
    ' Warning and ask to continue

    Dim strMessage
    WScript.Echo ' newline
    Wscript.Echo "Please check if the previous information is correct and you want to apply the changes"
    strMessage = "Press any key to continue or Ctrl+C to cancel"
    WScript.Echo ' newline
    WScript.StdOut.Write strMessage
    Do While Not WScript.StdIn.AtEndOfLine
    Input = WScript.StdIn.Read(1)
    Loop

    ''''''''''''''''''''''''''''''''''
    ' Set new values

    WL.Properties.EnableAccountLockout = newEnableAccountLockout
    WL.Properties.AccountLockoutThreshold = newAccountLockoutThreshold
    WL.Properties.AccountLockoutResetTime = newAccountLockoutResetTime

    Wscript.Echo "***** CURRENT VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"

    WL.Properties.Save

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  2. Save the file to a temporary folder. For example, save the file as "EnableSoftLockout.vbs," and then save the file to the C:\EnableSoftLockout folder.

  3. At a command prompt, move to the location to which you saved the .vbs file in step 2, and then run the .vbs file. For example, run the following commands:

    CD C:\EnableSoftLockout
    cscript EnableSoftLockout.vbs


References

For more information about the WebListenerProperties object, go to the following Microsoft Developer Network (MSDN) website:

FPCWebListenerProperties ObjectFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×