Lightweight Directory Access Protocol Does Not Log Invalid P&M Password AttemptsID: Q195210
|
When a user connects to a Web site that is configured to use Microsoft Personalization and Membership Server, he or she is prompted for a user name and password. If the specified user name is not found in the Lightweight Directory Access Protocol (LDAP) database, the LDAP log reports an error code of 32. LDAP RFC 1777 defines this result code as "no such object." The following is an example of such an LDAP log entry:
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98,
11:21:05, LDAPSVC2, SERVER1, -, 6713133, 1471, 24886, 32, 0, SEARCH,
CN=kjhbe,ou=members,o=test, NULL,
However, if a valid user name is specified with an invalid password, the
LDAP log shows a 0 result code, which means a success. Below is an example
of such an LDAP log entry:
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98,
11:26:46, LDAPSVC2, SERVER1, -, 7054063, 1557, 24901, 0, 0, SEARCH,
CN=administrator,ou=members,o=test, NULL,
The LDAP cannot be used to monitor password validation in Microsoft Personalization and Membership Server (P&M). P&M uses LDAP to find a user. That is why the first log entry in the "Symptoms" section shows an error. Once the user is found in the directory, P&M validates the password.
If the password is invalid, a counter is incremented that causes the account to be blacked out after 25 incorrect password attempts within three minutes. To change AuthAccountDenyTimeout and AuthAccountDenyThreshold settings, see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q194783All accounts that are blacked out are logged in the Windows NT Event log.
TITLE : PMAdmin Fails to Set AuthAccountDenyThreshold or Timeout
Additional query words:
Keywords :
Version :
Platform :
Issue type : kbbug
Last Reviewed: July 20, 1999