When users sign in to MyWorkDrive with a username and password (rather than through SSO), every authentication attempt is made against Active Directory and recorded there.
Each failed MyWorkDrive sign-in counts as a bad-password attempt in Active Directory and is applied to the domain's Account Lockout Policy. Because one MyWorkDrive login can produce several AD attempts, a single mistyped password can be enough to lock the account.
MyWorkDrive's simplified login does not require the user to type a full username. Instead, it builds candidate usernames from the domain(s) and UPN suffixes in Active Directory and tries each one with each available authentication method (wcf and .NET) until one succeeds. With multiple domains, username formats and methods, a single login event therefore generates multiple attempts against AD, the exact number depending on what the user typed.
For example, if the user attempts a login with "Scott", MyWorkDrive will try the following:
- scott via wcf
- scott via .net domain1
- scott via .net domain1
- scott via wcf domain2
- scott via wcf domain2
- scott via .net
- scott@upnsuffix1 via .net
- scott@upnsuffix1 via wcf
- scott@upnsuffix2 via .net
- scott@upnsuffix2 via wcf
That is ten failed attempts from a single login. If the user entered a bad password and the Account Lockout Policy threshold is 3, the account is locked before the user even gets a chance to retry.
There are several ways to improve the user experience and mitigate potential lockouts when users enter bad passwords:
- Require an email address as the username. This is a setting on the Settings page of the MyWorkDrive admin panel. With it enabled, a login produces only three to four AD attempts:
  - once to check the account status
  - once to attempt the login with wcf and .NET
  - three in total from the web client, four from other clients.
- Train your users to log in with an explicit domain, such as domain\user, which likewise results in only three to four AD attempts per login.
- Deploy SSO, which moves the attempts to the identity provider (and typically also requires an email-style username, so the extra name variants are never tried). We offer simplified setup for ADFS, AzureAD, OneLogin and Okta, and configuration files that let you set up any SAML SSO manually.
- Set an Account Lockout Policy threshold that tolerates the extra attempts. For a domain with a single UPN suffix and no additional domains, 10 is a reasonable value: it lets a user mistype their password two or three times without locking themselves out. Keep in mind that a higher threshold also gives an attacker more password guesses per observation window, so pair it with monitoring of failed logons rather than raising it indefinitely.
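As an added example (not MyWorkDrive's own code or documentation), the PowerShell below reads the domain lockout threshold, pulls the relevant Security events from the PDC emulator and groups the failures for one account into bursts, so you can see how many AD attempts a single MyWorkDrive login produced and whether that alone exceeds the threshold; the commented lines at the end show the threshold change from the last item above. The account name 'scott', the one-hour lookback and the five-second burst window are assumptions. It needs the RSAT ActiveDirectory module, Credential Validation and Kerberos Authentication Service auditing enabled on the domain controllers, and rights to read the PDC emulator's Security log.

```powershell
# Added example, not MyWorkDrive code. Assumptions: RSAT ActiveDirectory module,
# failure auditing enabled on the DCs, read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutExposure {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 1,          # assumed lookback
        [int]$BurstSeconds = 5    # assumed gap that separates two distinct logins
    )

    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
    $user   = Get-ADUser -Identity $SamAccountName -Properties badPwdCount, LockedOut, LockoutTime

    # Bad-password counts are forwarded to the PDC emulator, so its log is the most complete.
    # 4776 = NTLM credential validation (Status other than 0x0 is a failure);
    # 4771 = Kerberos pre-authentication failed (only written on failure, 0x18 = bad password).
    $events = Get-WinEvent -ComputerName $domain.PDCEmulator -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776, 4771
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # The login may be submitted as scott, DOMAIN\scott or scott@suffix; match all forms.
    $pattern = '^(?:.*\\)?' + [regex]::Escape($SamAccountName) + '(?:@.*)?$'
    $failures = foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }   # successful NTLM validation
        if ($data['TargetUserName'] -imatch $pattern) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Name = $data['TargetUserName']; Status = $data['Status'] }
        }
    }

    # Group failures into bursts: events less than $BurstSeconds apart came from one login.
    $bursts  = @()
    $current = $null
    foreach ($f in ($failures | Sort-Object Time)) {
        if ($current -and ($f.Time - $current.End).TotalSeconds -le $BurstSeconds) {
            $current.End       = $f.Time
            $current.Attempts += $f
        } else {
            $current = [pscustomobject]@{ Start = $f.Time; End = $f.Time; Attempts = @($f) }
            $bursts += $current
        }
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        BadPwdCount       = $user.badPwdCount
        LockedOut         = $user.LockedOut
        LockoutThreshold  = $policy.LockoutThreshold          # 0 means accounts never lock
        ObservationWindow = $policy.LockoutObservationWindow
        Bursts            = $bursts | ForEach-Object {
            [pscustomobject]@{
                Start    = $_.Start
                Attempts = $_.Attempts.Count
                Names    = ($_.Attempts.Name | Sort-Object -Unique) -join ', '
                # A single login whose failures reach the threshold locks the account
                # on the very first bad password.
                ExceedsThreshold = ($policy.LockoutThreshold -gt 0) -and
                                   ($_.Attempts.Count -ge $policy.LockoutThreshold)
            }
        }
    }
}

# Usage with the assumed account 'scott': list the bursts seen in the last hour.
Get-LockoutExposure -SamAccountName 'scott' -Hours 1 |
    Select-Object -ExpandProperty Bursts | Format-Table -AutoSize

# Remediation from the article (uncomment to apply): raise the threshold to 10 and unlock the user.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -LockoutThreshold 10
# Unlock-ADAccount -Identity 'scott'
```

A burst with ten attempts and several distinct Names (scott, scott@upnsuffix1, scott@upnsuffix2 and so on) is the pattern from the example above; after enabling the email-username setting the same login should show as a burst of three or four. Only the PDC emulator is queried, so if your DCs do not forward failures promptly the count can be slightly low, and the events themselves appear only when Audit Credential Validation and Audit Kerberos Authentication Service are enabled for failures.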
To enable the setting that requires an email address as the username, see the MyWorkDrive admin guide (the Settings page of the admin panel).
To change the allowed number of bad-password attempts, edit the Account lockout threshold under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy in the Group Policy object applied to your domain (typically the Default Domain Policy).
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@myworkdrive.com.